Queensland Government agencies’ obligations strengthened

03 May 2024
Jonas Schulz Mark Metzeling

On 29 November 2023, the Queensland State Government passed new legislation to strengthen privacy laws and offer further protection to individuals’ information. The Information Privacy and Other Legislation Amendment Act 2023 (the Amendment Act) implements legislative changes recommended in many reports, including the Review of the Right to Information Act 2009 and Information Privacy Act 2009, and the Let the sunshine in: Review of culture and accountability of the Queensland public sector.

Who does the amendment apply to?

While the Amendment Act and the Queensland Information Privacy Act 2009 (the Act) apply specifically to Government agencies, it is highly likely that private contractors will be required to also abide by the requirements when contracting with Government agencies.

What is the amendment?

To achieve its objectives, the Amendment Act will amend the Act to:

  • Implement the Queensland Privacy Principles (QPPs), which generally align with the Australian Privacy Principles (APPs) contained within the Privacy Act 1988 (Cth) (Federal Privacy Act).
  • Implement a mandatory data breach notification scheme.
  • Update the definition of personal information to align with the Federal Privacy Act.
  • Provide the Information Commissioner with enhanced powers and functions.

Queensland Privacy Principles

A new Schedule 3 will contain the new QPPs. As previously mentioned, the QPPs will generally align with the APPs but the QPPs are not direct copies of the APPs.

QPP 1 – open and transparent management of personal information.

QPP 2 – anonymity and pseudonymity.

QPP 3 – collection of solicited personal information.

QPP 4 – dealing with unsolicited personal information.

QPP 5 – notification of the collection of personal information.

QPP 6 – use or disclosure of personal information.

QPP 10 – quality of personal information.

QPP 11 – security of personal information.

QPP 12 – access to personal information.

QPP 13 – correction of personal information.

It is evident that APP 7 (prohibition on non-consensual use of private information for direct marketing purposes), 8 (cross-border disclosure of private information), and 9 (prohibition on use of government identifiers) have not been adopted, presumably because they target non-government use of private information, which is irrelevant for Queensland Government agencies.

Mandatory data breach notification scheme

Queensland Government agencies will be required to implement clear roles and responsibilities to manage data breaches or suspected data breaches along with publishing a data breach policy. The aim of the Amendment Act is to prompt Government agencies to consider data security issues and force them to be more proactive in preventing and managing data breaches.

The mandatory data breach notification scheme will require government agencies to notify all affected individuals and the Office of the Information Commissioner of any eligible data breach that could result in serious harm. The Amendment Act specifies that an “eligible data breach” occurs in relation to personal information where there is unauthorised access and that access is likely to result in serious harm to the individuals to whom the information relates if it were to be disclosed. Alternatively, an “eligible data breach” may be a breach involving the loss of personal information where that loss would result in serious harm to an individual.

For reference, the new Amendment Act defines “serious harm” as:

  • Serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or
  • Serious harm to the individual’s reputation because of the access or disclosure.

Personal Information

The definition of personal information has been updated to be uniform with the Federal Privacy Act, being:

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

When do the amendments take effect?

The amendments are slated to begin on 1 July 2025, with the commencement of the mandatory data breach notification scheme slated to apply from 1 July 2026. As such, Queensland government agencies will have a transition period to prepare for the new requirements.

How can Macpherson Kelley assist?

Our privacy and cybersecurity experts can assist with:

  • Implementing or reviewing your privacy policies to ensure compliance before the implementation of the Amendment Act;
  • Implementing or reviewing your data breach policies to ensure compliance before the implementation of the Amendment Act; and
  • Reviewing your agreements with Queensland government agencies so you are aware of your obligations and whether the new requirements apply to your business.

Please contact Mark Metzeling of our Privacy team for further assistance.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
