On 23 June 2022, the Queensland Government released a consultation paper setting out various proposed reforms to Queensland's privacy and right to information framework as contained in the Information Privacy Act 2009 (Qld) (IP Act) and Right to Information Act 2009 (Qld) (RTI Act). In this article, we focus on Part A of the consultation paper on proposed privacy reforms.
The proposed reforms are based on changes recommended in various reports, including the Crime and Corruption Commission's Operation Impala report, and the Department of Justice and Attorney-General's Report on the review of the Right to Information Act 2009 and Information Privacy Act 2009. They also reflect other reports making similar recommendations, including Professor Peter Coaldrake's recent Review of culture and accountability in the Queensland public sector.
The consultation paper recognises the importance of Queensland's legislation remaining contemporary and relevant given global technological developments affecting information privacy and access to information. It also recognises that the community needs to have confidence and trust in government's information-handling practices. Achieving these outcomes is crucial, but there may, as always, be challenges in timing, because Australia's federal privacy law is itself undergoing review. Further changes to the Queensland legislation may therefore be required in the future to maintain alignment.
The Department of Justice and Attorney-General is seeking views on whether the below significant changes should be introduced 'to enhance protection for personal information and remedies to individuals whose privacy is breached'.
Key reforms to the privacy and right to information framework
- Amending the definition of 'personal information' under the IP Act to reflect the current definition in the Privacy Act 1988 (Cth) (Privacy Act). (Note this may not be sufficiently broad to achieve consistency across jurisdictions or to address current recommendations to capture technical data collected in relation to individuals)
- Replacing the two sets of privacy principles currently operating in Queensland with a single set of Queensland Privacy Principles (QPPs) broadly based on the Australian Privacy Principles (APPs) under the Privacy Act
- Enhancing the Information Commissioner's powers to respond to privacy breaches. This would be by granting a power to conduct 'own motion' investigation into an act or practice without having received a complaint, to make declarations after such an own motion investigation, and to intervene in privacy complaint proceedings in the Queensland Civil and Administrative Tribunal (QCAT)
- Introducing a mandatory data breach notification scheme for Queensland agencies
- Clarifying the meaning of 'reasonable steps' for the protection of personal information in the IP Act
- Establishing a new criminal offence under the Criminal Code Act 1899 (Qld) (Criminal Code) for misuse of confidential information by public officers
Definition of personal information
When drafted, the definition of 'personal information' under the IP Act mirrored that contained in the federal Privacy Act. However, following its 2012 amendment, the Privacy Act definition was broadened to ensure it was 'sufficiently flexible and technology-neutral'.
Currently, section 12 of the IP Act defines personal information as '… information or an opinion … about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion'.
The proposed reforms would amend this definition so that personal information is information about 'an identified individual, or an individual who is reasonably identifiable'. The amendment aims to ensure consistency with the Privacy Act definition of personal information, but arguably does not clarify whether the definition captures technical data, such as IP addresses, location data or online identifiers.
Single set of Privacy Principles
The IP Act currently contains two sets of privacy principles, the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). The latter relates to health agencies, and the former to all other agencies. These privacy principles regulate how agencies and their contracted service providers collect, store, use and disclose personal information, and provide the basis upon which an individual can make a complaint for breach of a privacy obligation.
The reforms propose the adoption of a single set of Queensland Privacy Principles, broadly based on the APPs. This aims to provide uniformity and consistency, and to reduce compliance costs and red tape for agencies and their contracted service providers. Furthermore, simplifying these principles could enhance community understanding of individual privacy rights, and foster confidence in Queenslanders that their personal information will be subject to the same rules whether it is held by the Queensland government, local government, the Commonwealth government or an organisation bound by the Privacy Act.
The following 11 QPPs are proposed by the reforms:
- QPP 1: Open and transparent management of personal information – an agency is required to take reasonable steps to implement practices, procedures and systems to ensure its compliance with the QPPs, and to have a clearly expressed privacy policy that is in an appropriate form and freely available
- QPP 2: Anonymity and pseudonymity – an agency must give individuals the option of dealing with them anonymously or by using a pseudonym in a particular matter
- QPP 3: Collection of solicited personal information – an agency must not collect personal information unless it is reasonably necessary for or directly related to one of its functions or activities
- QPP 4: Dealing with unsolicited personal information – there are specific steps an agency must take if it receives personal information it didn't solicit
- QPP 5: Notification of the collection of personal information – if an agency collects an individual's personal information, it must take reasonable steps to notify the individual of various matters
- QPP 6: Use or disclosure of personal information – an agency must not use or disclose personal information which was collected for a particular purpose (primary purpose) for another purpose (secondary purpose) unless the individual consents or another exception applies
- QPP 7: Cross-border disclosure of personal information – before an agency discloses personal information to an overseas recipient, the agency must take reasonable steps to ensure the recipient does not breach the QPPs (unless an exception applies), and the agency would be accountable for any breach of the QPPs by the overseas recipient
- QPP 8: Quality of personal information – an agency must take reasonable steps to ensure any personal information it collects is accurate, up-to-date and complete
- QPP 9: Security of personal information – an agency must take reasonable steps to protect personal information it holds from misuse, interference, loss, unauthorised access, modification and disclosure
- QPP 10: Access to personal information – an agency that holds personal information about an individual must provide that individual with access to the information if requested
- QPP 11: Correction of personal information – an agency must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading
Enhancing the Information Commissioner's powers
The reforms propose three amendments to enhance the Information Commissioner's powers by the granting of:
- own motion powers
- declaration powers
- amicus curiae role.
While the IP Act already provides the Information Commissioner with the power to conduct investigations on their own initiative, these powers are currently limited. The Commissioner can only conduct a review to identify privacy-related issues of a systemic nature generally, or to identify grounds for the issue of a compliance notice, for which there is a high threshold to be met. Under the proposed own motion power, the Commissioner would be able to investigate, on their own initiative, an act or practice of an agency which may be a breach of the privacy principles.
Further, when an individual makes a complaint to the Information Commissioner about a breach of a privacy principle by an agency or a contracted service provider, the Commissioner is currently only able to mediate the complaint, and cannot make a determination or decision. Complaints that cannot be mediated by the Information Commissioner are referred to QCAT, which can make appropriate orders. The Impala Report recommended that the Information Commissioner be given powers similar to those of the Australian Information Commissioner, who may make determinations following a privacy complaint or an own motion investigation. Such powers in respect of individual complaints could be considered a duplication of QCAT's determinative role; however, feedback is sought on whether the Information Commissioner should be granted the power to make declarations following an own motion investigation.
The reforms also propose giving the Information Commissioner the right to appear in QCAT in relation to a privacy complaint mediated by the Office of the Information Commissioner (OIC) and referred to QCAT. This is in addition to the Information Commissioner's existing ability to appear in tribunal and court proceedings, such as external review of decisions made by the Information Commissioner.
Mandatory data breach notification scheme
Currently, the IP Act does not contain a mandatory data breach notification requirement for agencies to notify the OIC and affected individuals of an 'eligible data breach'.
The Impala Report and Professor Peter Coaldrake's Review both recommended the introduction of a data breach notification framework.
The consultation paper proposes to introduce a mandatory data breach notification scheme in Queensland based on the Commonwealth data breach notification regime. An 'eligible data breach' would occur where there is unauthorised access to, unauthorised disclosure of, or loss of personal information, where a reasonable person would conclude the unauthorised access or disclosure would be likely to result in serious harm to any of the affected individuals (including physical, psychological, emotional, financial or reputational harm).
Agencies would be required to conduct reasonable and expeditious assessments of suspected eligible data breaches. The OIC would have an oversight role of the regime with functions and powers to monitor and ensure compliance.
Defining reasonable steps
Proposed QPP 9 contains a requirement that an agency take 'reasonable steps' to protect personal information it holds from misuse, interference, loss, unauthorised access, modification and disclosure. 'Reasonable steps' is not defined, and the reforms propose that the IP Act could prescribe a non-exhaustive list of matters an agency must take into account when determining what steps are reasonable in the context of QPP 9, including:
- the nature of the information collected (e.g. the amount and sensitivity)
- the purpose of collection
- the nature of the agency (e.g. size, resources, business model)
- the potential harm to an individual in case of a breach
- the practicability of implementing security measures given the circumstances (e.g. time and cost).
Alternatively, the IP Act could mandate that the OIC prepare guidelines regarding what steps are considered reasonable for the purposes of QPP 9.
Criminal sanctions for misuse of personal information by public officers
The reforms propose to introduce a new criminal offence under the Criminal Code for the misuse of confidential information (including personal information) by public officers. Misuse of confidential information would occur when a public officer accesses confidential information other than in the performance of the agency's functions.