Data breach obligations at forefront of Queensland’s privacy reforms

After some anticipation, the Queensland Government last week introduced legislation to strengthen Queensland’s privacy regime and increase transparency and accountability in how Queensland government agencies collect, hold, use and otherwise deal with personal information.

The Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (Bill) proposes various amendments to the Information Privacy Act 2009 (Qld) (Queensland Privacy Act), including:

• the introduction of a unified set of ‘Queensland Privacy Principles’ (QPPs) that align much more closely with the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Commonwealth Privacy Act). The QPPs will replace the existing ‘Information Privacy Principles’ and ‘National Privacy Principles’ under the Queensland Privacy Act;
• specific provisions for ‘sensitive information’, which previously was not a concept under the Queensland Privacy Act. The closest comparison is ‘health information’ under the existing ‘National Privacy Principles’, which only apply to health agencies (such as hospital and health services); and
• crucially, the introduction of a mandatory data breach notification scheme.

If enacted as proposed, Queensland will be the second state to introduce a mandatory data breach notification scheme (with New South Wales currently the only other state requiring mandatory notification where a state government entity suspects a data breach has occurred).

The introduction of a mandatory data breach scheme under Queensland’s privacy regime has been anticipated for some time and is intended to align both with the Commonwealth Privacy Act, as well as mounting community expectations around how government entities manage their personal information. By requiring Queensland government agencies to notify the Queensland Office of the Information Commissioner and affected individuals of a suspected data breach, the scheme will allow affected individuals to better protect their personal and sensitive information and mitigate risks that may arise from a data breach.

It had been anticipated that these reforms would be delayed until the reforms of the Commonwealth Privacy Act had been finalised. However, the Queensland Government states that the introduction of the QPPs, and the underlying alignment of the Queensland Privacy Act with the Commonwealth Privacy Act more generally, is intended to lay the groundwork for future reform.

It is not clear at this stage when the Bill will be finalised as the Bill’s first reading was only on Thursday 12 October. However, if enacted as proposed, these reforms will mean substantial changes for all Queensland government agencies.

How can we help?

We will continue to monitor these reforms as the Bill progresses and if enacted, can assist all Queensland government agencies with:

• updating their existing privacy policies and privacy collection statements;
• preparing data breach response plans; and
• otherwise reviewing their existing data management practices to ensure alignment with the updated Queensland Privacy Act.

If you would like any further information, please contact our Digital and Intellectual Property Team.