On 29 November 2023, the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (the Amending Act). The Amending Act contains the long-anticipated reforms to Queensland's information privacy regime and amends the:
The Amending Act responds to a number of reviews and recommendations made in several reports, most recently the 2022 Coaldrake Report of culture and accountability in the Queensland public sector. The primary objectives of the Amending Act include strengthening Queensland's information privacy framework to better protect personal information and improve responses and remedies for data breaches and misuse. It comes after a series of high profile data breaches, with 47% of respondents to the Australian Community Attitudes to Privacy Survey 2023 reporting that they had been informed by an organisation that their personal information was involved in a data breach in the 12 months prior to completing the survey.
The Amending Act contains four key amendments to the Information Privacy Act 2009 (Qld) (Act):
- establishing a mandatory data breach notification scheme for government agencies;
- consolidating the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs) into one set of 'Queensland Privacy Principles' (QPPs) which are broadly based on the Australian Privacy Principles (APPs) in the Commonwealth Privacy Act;
- enhancing the powers and functions of the Queensland Information Commissioner;
- aligning the definition of 'personal information' with the definition which currently appears in the Commonwealth Privacy Act.
The Amending Act will also amend section 408E of the Criminal Code (computer hacking and misuse) to remove the reference to 'hacking' in the title of the provision, reclassify the offence as a misdemeanour and increase the maximum penalty from 2 years to 3 years of imprisonment.
The Commonwealth Privacy Act is simultaneously undergoing review with draft legislation anticipated in 2024. This is likely to mean that Queensland's legislation will require further reform if consistency is to be maintained.
Mandatory Data Breach Notification Scheme
Currently there is no legal requirement to report or notify individuals or the Information Commissioner of data breaches under the Act, although voluntary reporting is strongly encouraged by the Commissioner. The amendments are aimed at promoting transparency, accountability and public confidence in agencies that handle personal information.
At the commencement of the amendments, Queensland will join New South Wales as the only States to have mandatory notification requirements applying to public agencies.
The amendments introduce mandatory requirements for Queensland Government agencies (Ministers, departments, local government, public authorities except for excluded agencies like government owned corporations) responding to eligible data breaches, including obligations to:
- immediately take all reasonable steps to contain the data breach;
- assess whether the data breach is an 'eligible data breach' within the specified time limits, generally 30 days; and
- where a notifiable data breach is identified, as soon as practicable, notify the affected individuals and the Queensland Information Commissioner of the breach.
The Commonwealth Mandatory Data Breach Notification Scheme has been in operation since 2018. Much has been learned by privacy professionals during that time about the effective investigation of data breaches, the assessment of a 'serious risk of harm' (i.e. the trigger for a breach being reportable), and the crafting of notifications that are useful to impacted individuals in mitigating potential harm.
The Commonwealth Information and Privacy Commissioner has recently been highly critical of organisations taking too long to investigate data breaches, and therefore exposing individuals to harm associated with the breach. Such allegations are included in the civil penalty proceedings recently commenced by the Commonwealth Commissioner in the Federal Court. To avoid similar criticism from the Queensland Commissioner, agencies will need to be prepared to promptly investigate breaches – this requires a clear understanding of what information is held by the agency and where, clear reporting lines and responsibilities, and a practised data breach management plan.
Compliance actions:
- Undertake a data audit to understand what information is held by your agency and where;
- Review data retention policies to identify information which no longer needs to be held by the agency;
- Develop or refresh your agency's data breach management plan;
- Practise your data breach management plan;
- Develop template notification letters with prompts to ensure that required information is disclosed;
- Implement internal training to ensure staff understand what they need to do to respond to a suspected breach.
Information Commissioner's powers and functions
The Amending Act allows the Information Commissioner to give a relevant entity a compliance notice if satisfied on reasonable grounds that the entity has done an act or engaged in a practice in contravention of an obligation (including compliance with the new mandatory data breach notification scheme).
The Commissioner will have power to compel information or attendance of any person where the Information Commissioner is satisfied on reasonable grounds that the person has information relevant to matters including:
- a review into personal information handling practices;
- an investigation of an act done or practice engaged in by a relevant entity in relation to personal information;
- an audit;
- preliminary inquiries the Commissioner is making about a privacy complaint.
A maximum penalty of 100 penalty units (currently $15,480) will apply if:
- an agency does not take all reasonable steps to facilitate entry of an authorised officer; or
- a person does not provide all reasonable help to assist an authorised officer exercising their powers.
Queensland Privacy Principles
The Amending Act establishes one set of privacy principles (the QPPs) which will apply to Queensland agencies (Minister, department, local government or public authority except for excluded agencies like government owned corporations) and their bound contracted service providers, removing the distinction previously imposed by the separate National Privacy Principles (which currently apply to health agencies) and Information Privacy Principles (which currently apply to all other agencies). The QPPs are based on the Commonwealth APPs (which apply to Commonwealth agencies, all private health providers, and other organisations with an annual turnover of more than $3 million p.a.).
The QPPs and the Amending Act impose new obligations on agencies, including:
- a requirement to keep a register of eligible data breaches and publish a data breach policy;
- introduction of a data retention principle so that personal information can only be retained for as long as it is needed for a valid purpose under the QPPs;
- additional safeguards and restrictions on the collection and use of sensitive information (discussed in detail below); and
- a requirement to publish privacy policies and collection notices containing specified information.
These amendments will necessitate policy and procedural changes for agencies.
Compliance actions:
- Undertake a review of information practices against the QPPs;
- Review and update (or develop) your agency's privacy documentation to ensure compliance with the requirements for privacy policies and collection notices;
- Develop documentation including a public data breach policy and breach register;
- Review retention periods for personal information, having regard to the newly passed Records Act 2023 (Qld).
'Personal Information' definition
The scope of information caught by the definition of 'personal information' is central to the operation of the legislative regime.
The Amending Act will amend the definition of 'personal information' in the Act to align with the definition in the Commonwealth Privacy Act. Currently, 'personal information' means information from which a person's "identity is apparent, or can be reasonably ascertained". The Amending Act removes this clause in favour of personal information being information "about an identified individual or an individual who is reasonably identifiable from the information".
In its brief to the Education, Employment and Training Committee, the Attorney-General advised that the new definition was designed to capture a broader range of information, such as online identifiers. Whether a person is reasonably identifiable will continue to be a factual question, having regard to the context in which the information is held, and may include technical and inferred information. Importantly, the scope of the amended definition may include circumstances where a person can be distinguished from all others, even if their identity is not known.
The Commonwealth Government has agreed in-principle with a recommendation that the definition be amended in the Commonwealth Privacy Act (from 'about' to 'relates to' an individual), and so we may see divergence of the State and Commonwealth definitions again in the future.
Compliance actions:
Undertake an audit of the information that your agency collects, uses and discloses to identify whether there are other categories of information that may be caught by the broader definition of 'personal information' and which will need to be dealt with in accordance with the Act from commencement of the Amending Act.
Sensitive information
Sensitive information was previously only separately dealt with as a subset of personal information in NPP 9 which applied to the collection of sensitive information by health agencies. There was no corresponding IPP. The integration of IPPs and NPPs means that the requirements of QPP 3 will apply to all agencies which are subject to the Information Privacy Act.
QPP 3.3 provides that an agency must not collect sensitive information unless:
- the individual consents and the information is reasonably necessary for, or directly related to, one or more of the agency's functions or activities; or
- one of the following applies:
  - i) the collection is permitted by law or a court or tribunal order;
  - ii) a permitted general situation exists (e.g. it is unreasonable or impracticable to obtain the individual's consent, and the agency reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety);
  - iii) the agency is a health agency and a permitted health situation exists (e.g. the information is necessary to provide a health service to the individual, and either the collection is required or authorised under an Australian law or the individual would reasonably expect the health agency to collect the information for that purpose); or
  - iv) the agency is a law enforcement agency and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, one or more of the agency's functions or activities.
Compliance actions:
Identify whether sensitive information is collected by your agency, and if so, whether it can continue to be collected without consent of the relevant individual. This will likely be an area for particular attention by non-health agencies.
What should you do to prepare?
The Amending Act was passed by Queensland Parliament on 29 November 2023. Although there is approximately 18 months until commencement for most agencies, we anticipate that agencies will need to undertake operational and governance changes, which will take time to assess and implement. We therefore recommend agencies start preparing for the impact of these amendments now.
The team at MinterEllison can assist you in understanding your new obligations, and in preparing your agency for the Amending Act's commencement.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in managing your privacy compliance.