On 29 November 2023, the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (the Amendment Act). The Amendment Act contains the long-anticipated reforms to Queensland's information privacy and cyber-security regime, and proposes amendments to the:
The Amendment Act intends to strengthen and clarify Queensland's information privacy and cyber-security regime, while simultaneously bringing it into alignment with the federal regime. The Amendment Act implements changes to the Right to Information Act 2009 (Qld) (RTI Act) across the life of a RTI request. Some amendments to the RTI Act, which support the Proactive Release Scheme for Cabinet documents, commenced on 1 March 2024. Other changes are anticipated to commence in July of 2025. We summarised the key changes to the Information Privacy Act 2009 (Qld) in our previous article Privacy Reform in Queensland: It's (finally) time to prepare.
Key changes and priority actions: the changing RTI process
1. Clarification of the Application of the RTI Act
The RTI Act applies to 'agencies' which include a department, local government, public authority, government owned corporation, or subsidiary of a government owned corporation. The Amendment Act clarifies the definition of 'public authorities' (and therefore the scope of RTI agencies):
- Public authorities do not include entities established by letters patent, and
- Entities which can be declared public authorities include corporations under the Corporations Act; entities partly funded by the government; and, if the Minister considers it in the public interest to declare an entity to be a public authority.
Amendments to the RTI process of significance are:
- Single right of access,
- New definition of personal information,
- Access and Amendment applications,
- No longer required in 'approved form', and
- New evidence of identity
2. Processing a request
When receiving a request there are a number of changes agencies should keep in mind. These are largely intended to clarify processes for applicants and simplify legislative complexity for agencies. We outline the amendments briefly below.
Single right of access under the RTI Act
- Current position: Separate rights to access personal information under the IP Act and all other information under the RTI Act.
- Change: There is now a single right of access under the RTI Act for both personal information and other government documents. If the information is applicant's personal information, the current position for fees (that is information available without a charge) continue to apply.
Relevant Act for amendment applications
- Current position: Amendment applications made under the IP Act.
- Change: Amendment applications now made under the RTI Act.
Definition of 'personal information'
- Current position: Definition of 'personal information': “…information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”
- Change: New Definition: “…information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
This broadens the scope of information which is dealt with by the Act, and brings the definition into line with the current Federal Privacy Act. We note, the proposed amendments to the Federal Privacy Act include changing the definition of personal information and so inconsistency may reoccur.
Form of access applications
- Current position: Currently access applications must be in the approved form.
- Change: Access applications do not have to be in the approved form, but still must meet criteria.
Evidence of identity
- Current position: Evidence of identity – agents must provide identity evidence for the application and themselves, plus an authority to act.
- Change: Agents no longer need to provide evidence of their own identity.
Processing period
- Current position: Processing period of 25 days may be extended on request by a (further specified period).
- Change: Single definition of 'processing period' which is a period of 25 business days from the 'valid application date' (date on which the application complies with all relevant requirements) extended by specified additional periods under stated circumstances.
Decision timeframe for applications outside of scope
- Current position: Decision that application outside scope of RTI Act must be given within 10 business days.
- Change: Timeframe extended to 25 business days.
Schedules of documents
- Current position: Schedule of documents must be provided to applicant before end of processing period.
- Change: Removal of mandatory requirements to provide an applicant with a schedule of relevant documents.
Charges Estimate Notice (CEN) requirements
- Current position: CEN required to be provided to applicant even where no charges apply.
- Change: CEN not required where no charges apply.
Processing a request: Priority actions
- Check your agency's capability to identify 'personal information' within the extended definition so that it is included in responses to RTI requests.
- Update policies and procedures with new application requirements, timeframes and changes to schedules of documents and CENs.
- Consider if your agency's RTI precedents need to be updated.
- Update any information about RTI applications made available to the public by your agency.
3. Exemptions
A new exemption will be included in Schedule 3 of the RTI Act, which applies to information to which section 92 of the Ombudsman Act 2001 (Qld) applies. That information is information obtained by an Ombudsman, an officer of an agency or another person who obtains information in a preliminary inquiry or an investigation or the performance of another function of the ombudsman and is prohibited from disclosure.
4. Decision
Updates which impact on agency decisions about RTI requests, include:
- It has been clarified that when applying the public interest balancing test, factors other than those listed in Schedule 4 may be considered when deciding whether an applicant should be provided with access to a document.
- Timeframes for providing a decision, if the only contact details for the applicant are a postal address, are extended by 5 business days.
5. Reviews - changes to internal and external review processes
Removal of review rights for judicial and quasi-judicial entities
- Current position: Internal review decision of judicial and quasi-judicial entities that application outside scope reviewable by the Information Commissioner (IC).
- Change: Removal of right of internal review and external review to the IC. Right to appeal to QCAT on question of law retained.
Additional time periods for internal review
- Current position: A decision on an internal review application must be made as soon as possible, but not later than 20 business days after the internal review application is made.
- Change: Provision of additional time periods for internal review based on stated circumstances: 5 days for postal, 10 days to consult with third party or further period requested.
Internal review on the grounds of sufficiency
- Current position: An applicant can apply for a review of a decision of an agency or Minister.
- Change: Can seek review of whether all documents have been provided. On internal review, a reviewer must consider if reasonable steps were taken to identify and locate the requested documents.
Disclosure of documents to relevant third parties
- Current position: While conducting an external review of a decision, the IC must not disclose documents subject of the review to anyone.
- Change: IC will be able to disclose documents subject of a review to relevant third parties where disclosure may be reasonably expected to be of concern to that third party.
New IC decision parameters
- Current position: Currently the IC can, after conducting an external review, give a written decision as to affirm, vary or set aside and make a new decision.
- Change: The IC may make a written decision setting aside the previous decision and giving a direction to the agency or Minister to give access to subject documents.
Release of documents following informal resolution settlement
- Current position: The IC is required to identify opportunities and processes for early resolution of external review applications.
- Change: If an agency or Minister agrees to give access to a document in an external review, they are authorised to give the document and the external review will continue as if it did not apply in relation to the document.
Reviews – Priority actions
- Ensure your agency has thorough processes to identify and locate all documents which may respond to a request, as that will be a basis for applicants to seek review.
- Update relevant internal policies, procedures and provide staff trainings on the changes.
6. After the outcome
The requirements for publication schemes have changed. Your agency will now have to outline:
- The structure and functions of the agency,
- How the functions affect the public,
- Arrangements to enable public to engage with the agency’s functions,
- Types of information held,
- Types of information publicly available and how to access,
- Any fees associated with information requests,
- The publication scheme must be published on an accessible agency’s website, and
- The requirement to comply with Ministerial guidelines is removed.
Disclosure log requirements have also changed slightly. Departments and Ministers are now subject to the same obligations to publish disclosure logs as other agencies. Further, Agencies are no longer required to include the name of the application or if they have applied for an entity in the log. Annual reporting requirements have also shifted from the Minister to the IC.
After the outcome – Priority actions:
- Update your publication scheme.
- Update procedures for disclosure logs.
7. Proactive release scheme
Documents considered by Cabinet will be proactively released online within 30 business days of Cabinet consideration. For the purposes of proactive release, release of a Cabinet submission will include all attachments to the submission and the official Cabinet decision on the submission issued by the Cabinet Secretary.
The RTI Act has been amended to support the proactive release of Cabinet documents. The amendments ensure that the exempt status of redacted and other Cabinet-related documents is unaltered by this publication, provide civil liability for Ministers, and safeguard public interest liability.
The amendments commenced on 1 March 2024 and the Cabinet meeting from Monday 25 March 2024 should be the first to be subject to the scheme.
What should you do to prepare for changes to the RTI Act?
Queensland Government Agencies can prepare for these changes by prioritising the following actions
- Data audit: If your agency has not undertaken or commenced a data audit to understand what information is held where, we recommend that this be made a priority. This activity is crucial in data minimisation, reducing cyber and other data breach risk, maximising utility of stored data, and will support efficient responses to RTI requests.
- Assess changes specific to you: There are specific changes which impact types of agencies and organisations, including the internal/external review for quasi and judicial entities, and changes to definition of public authorities.
- Publication scheme requirements have changed: Consider what your agency needs to do to get compliant.
- Disclosure log requirements have changed: What changes do you need to make to your systems and processes to ensure the right information is contained in the logs?
- Training: Make sure your staff know about the changes, new policies and procedures you need to roll out
- RTI Processes and policies: There are changes to documentation requirements, timeframes reporting etc. Make sure your processes and policies are updated to align to those.
- RTI precedents: If you use internal precedents for access and amendment applications those may need to change, as with any information you provide to the public about those processes.
We anticipate that agencies will need to undertake operational and governance changes, which will take time to assess and implement. We therefore recommend agencies start preparing for the impact of these amendments now.
The team at MinterEllison can assist you in understanding your new obligations, and in preparing your agency for the Amending Act's commencement MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in managing your privacy compliance.