Queensland Government agencies’ obligations strengthened
5 mins reading time
On 29 November 2023, the Queensland State Government passed new legislation to strengthen privacy laws and offer further protection to individuals’ information. The Information Privacy and Other Legislation Amendment Act 2023 (the Amendment Act) implements legislative changes recommended from many reports including the Review of the Right to Information Act 2009 and Information Privacy Act 2009, and the Let the sunshine in: Review of culture and accountability of the Queensland public sector.
Who does the amendment apply to?
While the Amendment Act and the Queensland Information Privacy Act 2009 (the Act) apply specifically to Government agencies, it is highly likely that private contractors will be required to also abide by the requirements when contracting with Government agencies.
What is the amendment?
To achieve its objectives, the Amendment Act will amend the Act to:
- Implement the Queensland Privacy Principles (QPPs) which generally align the with Australian Privacy Principles (APPs) contained within the Privacy Act 1988 (Cth) (Federal Privacy Act).
- Implement a mandatory data breach notification scheme.
- Update the definition of personal information to align with the Federal Privacy Act.
- Provide the Information Commissioner with enhanced powers and functions.
Queensland Privacy Principles
A new Schedule 3 will contain the new QPPs. As previously mentioned, the QPPs will generally align with the APPs but the QPPs are not direct copies of the APPs.
QPP 1 – open and transparent management of personal information.
QPP 2 – anonymity and pseudonymity.
QPP 3 – collection and solicited personal information.
QPP 4 – dealing with unsolicited personal information.
QPP 5 – notification of the collection of personal information.
QPP 6 – use or disclosure of personal information.
QPP 10 – quality of personal information.
QPP 11 – security of personal information.
QPP 12 – access to personal information.
QPP 13 – correction of personal information
It is evident that APP 7 (prohibition on non-consensual use of private information for direct marketing purposes), 8 (cross-border disclosure of private information), and 9 (prohibition on use of government identifiers) have not been adopted, presumably due to them targeting non-government use of private information, which is irrelevant for Queensland Government agencies.
Mandatory data breach notification scheme
Queensland Government agencies will be required to implement clear roles and responsibilities to manage data breaches or suspected data breaches along with publishing a data breach policy. The aim of the Amendment Act is to prompt Government agencies to consider data security issues and force them to be more proactive in preventing and managing data breaches.
The mandatory data breach notification scheme will require government agencies to notify all affected individuals and the Office of the Information Commissioner of any eligible data breach that could result in serious harm. The Amendment Act specifies that an “eligible data breach” occurs in relation to personal information where there is unauthorised access and such access is likely to result in serious harm to individuals to which the information relates to if it were to be disclosed. Alternatively, an “eligible data breach” could be for a breach which involves personal information being lost and such a loss of information would result in serious harm to an individual.
For reference, the new Amendment Act defines “serious harm” as:
- Serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or
- Serious harm to the individual’s reputation because of the access or disclosure.
Personal Information
The definition of the personal information has been updated to be uniform with the Federal Privacy Act, being:
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
When do the amendments take effect?
The amendments are slated to begin on 1 July 2025, with the commencement of the mandatory data breach notification scheme slated to apply from 1 July 2026. As such, Queensland government agencies will have a transition period to prepare for the new requirements.
How can Macpherson Kelley assist?
Our privacy and cybersecurity experts can assist with:
- Implementing or reviewing your privacy policies to ensure compliance before the implementation of the Amendment Act;
- Implementing or reviewing your data breach policies to ensure compliance before the implementation of the Amendment Act; and
- Reviewing your agreements with Queensland government agencies so you are aware of your obligations and if the new requirements apply to your business.
Please contact Mark Metzeling of our Privacy team for further assistance.
more
insights
stay up to date with our news & insights
Queensland Government agencies’ obligations strengthened
On 29 November 2023, the Queensland State Government passed new legislation to strengthen privacy laws and offer further protection to individuals’ information. The Information Privacy and Other Legislation Amendment Act 2023 (the Amendment Act) implements legislative changes recommended from many reports including the Review of the Right to Information Act 2009 and Information Privacy Act 2009, and the Let the sunshine in: Review of culture and accountability of the Queensland public sector.
Who does the amendment apply to?
While the Amendment Act and the Queensland Information Privacy Act 2009 (the Act) apply specifically to Government agencies, it is highly likely that private contractors will be required to also abide by the requirements when contracting with Government agencies.
What is the amendment?
To achieve its objectives, the Amendment Act will amend the Act to:
- Implement the Queensland Privacy Principles (QPPs) which generally align the with Australian Privacy Principles (APPs) contained within the Privacy Act 1988 (Cth) (Federal Privacy Act).
- Implement a mandatory data breach notification scheme.
- Update the definition of personal information to align with the Federal Privacy Act.
- Provide the Information Commissioner with enhanced powers and functions.
Queensland Privacy Principles
A new Schedule 3 will contain the new QPPs. As previously mentioned, the QPPs will generally align with the APPs but the QPPs are not direct copies of the APPs.
QPP 1 – open and transparent management of personal information.
QPP 2 – anonymity and pseudonymity.
QPP 3 – collection and solicited personal information.
QPP 4 – dealing with unsolicited personal information.
QPP 5 – notification of the collection of personal information.
QPP 6 – use or disclosure of personal information.
QPP 10 – quality of personal information.
QPP 11 – security of personal information.
QPP 12 – access to personal information.
QPP 13 – correction of personal information
It is evident that APP 7 (prohibition on non-consensual use of private information for direct marketing purposes), 8 (cross-border disclosure of private information), and 9 (prohibition on use of government identifiers) have not been adopted, presumably due to them targeting non-government use of private information, which is irrelevant for Queensland Government agencies.
Mandatory data breach notification scheme
Queensland Government agencies will be required to implement clear roles and responsibilities to manage data breaches or suspected data breaches along with publishing a data breach policy. The aim of the Amendment Act is to prompt Government agencies to consider data security issues and force them to be more proactive in preventing and managing data breaches.
The mandatory data breach notification scheme will require government agencies to notify all affected individuals and the Office of the Information Commissioner of any eligible data breach that could result in serious harm. The Amendment Act specifies that an “eligible data breach” occurs in relation to personal information where there is unauthorised access and such access is likely to result in serious harm to individuals to which the information relates to if it were to be disclosed. Alternatively, an “eligible data breach” could be for a breach which involves personal information being lost and such a loss of information would result in serious harm to an individual.
For reference, the new Amendment Act defines “serious harm” as:
- Serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or
- Serious harm to the individual’s reputation because of the access or disclosure.
Personal Information
The definition of the personal information has been updated to be uniform with the Federal Privacy Act, being:
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
When do the amendments take effect?
The amendments are slated to begin on 1 July 2025, with the commencement of the mandatory data breach notification scheme slated to apply from 1 July 2026. As such, Queensland government agencies will have a transition period to prepare for the new requirements.
How can Macpherson Kelley assist?
Our privacy and cybersecurity experts can assist with:
- Implementing or reviewing your privacy policies to ensure compliance before the implementation of the Amendment Act;
- Implementing or reviewing your data breach policies to ensure compliance before the implementation of the Amendment Act; and
- Reviewing your agreements with Queensland government agencies so you are aware of your obligations and if the new requirements apply to your business.
Please contact Mark Metzeling of our Privacy team for further assistance.