The Information Privacy and Other Legislation Amendment Act 2023 (Qld) (IPOLA Act), will commence on 1 July 2025 (with some obligations for local government not taking effect until 1 July 2026). The amendments will achieve greater consistency with the Commonwealth Privacy Act, and introduce a mandatory data breach notification scheme for Queensland agencies. Following on from our article: Privacy reform in Queensland: It's (finally) time to prepare, this update provides a summary of the key amendments and a checklist to help agencies prepare for the changes.

Key amendments at a glance

1. Mandatory Data Breach Notification Scheme (MNDB): Queensland government agencies will be required to undertake an assessment within 30 days of and notify affected individuals and the Information Commissioner of eligible data breaches. Local government has until 2026 to comply.

2. Queensland Privacy Principles: The existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) will be replaced by single set of Queensland Privacy Principles (QPPs), modelled on the Australian Privacy Principles (APPs). Agencies must review and update their privacy frameworks accordingly.

3. Privacy governance requirements: Agencies will need to maintain new documentation, including:

• a publicly available QPP Privacy Policy;
• a publicly available Data Breach Policy; and
• a Data Breach Response Plan.

Requirements for collection notices will change, so agencies should review those to ensure continued compliance.

4. Enhanced Powers for the Information Commissioner: The Commissioner will have stronger powers to investigate, enforce compliance, and issue guidance. This includes the ability to initiate own-motion investigations and refer matters to other authorities.

5. Right to Information Processes: There are a number of procedural changes for access to and correction of personal and other information, which will all be handled under the RTI Act. RTI Act processes, timeframes and review requirements will change.

Is your Agency ready?

1. Have you appointed a senior officer to lead IPOLA implementation?
2. Have you updated (or drafted) your privacy policy to align with the QPPs?
3. Do you have a compliant Data Breach Policy and Data Breach Response Plan in place?
4. Have you updated your collection notices?
5. Have you updated your RTI Act processes?
6. Have you reviewed your templates?
7. Do you have any contracted service provider agreements which will need to be updated?
8. Have you conducted a data audit to identify personal and sensitive information holdings?
9. Have you undertaken a gap assessment report to ensure your agency's readiness?
10. Are Privacy Impact Assessments integrated into project lifecycles in your agency?
11. Are your staff trained on the new obligations and breach response protocols?

Our specialist privacy and regulatory team can support your organisation with:

• Policy and procedure reviews
• Staff training and awareness programs
• Data breach response planning and response
• Privacy impact assessments
• Legal advice on compliance and risk mitigation

Contact us today to ensure your agency is ready for the new privacy regime.