The Information Privacy and Other Legislation Amendment Act 2023 (Qld) was passed on 29 November 2023. It introduces substantive reforms to the Information Privacy Act 2009 (Qld) (Information Privacy Act), including introducing a single set of “Queensland Privacy Principles” which align with the Australian Privacy Principles under the Federal Privacy Act. The other significant reform is to introduce a mandatory data breach notification scheme for the first time for Queensland agencies, including local government, together with enhanced enforcement powers for the Queensland Information Commissioner.
While these reforms are not expected to commence until mid-2025, there are steps all Queensland agencies should take now to prepare. For suppliers to Queensland Government, its agencies and local government, the reforms are also likely to impact information handling and incident response practices and procedures. This is the case even if the supplier is otherwise exempt from the Federal Privacy Act as a small business.
5 key reforms
- New definition of personal information: The definition of personal information has been amended to align with the definition under the Privacy Act 1988 (Cth) (Privacy Act). The definition of personal information under the Privacy Act is separately under review, with the Federal Government agreeing in principle to amend the definition to replace “about” with “relates to”, which would broaden the definition (and therefore the application of the Privacy Act). We suspect there may be consequential amendments to the definition under the Information Privacy Act once the reforms to the Privacy Act are made. This is not expected before (at the earliest) mid-2024. However, it is worth Queensland agencies keeping this potential reform in mind as they review and uplift their existing privacy management frameworks.
- Queensland Privacy Principles: The introduction of a consolidated set of Queensland Privacy Principles (QPPs). These will replace the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). The QPPs introduce a number of significant changes for Queensland agencies, including clear requirements with respect to privacy policies and collection notices, data security and retention, and other principles not previously articulated under the IPPs and NPPs. The QPPs substantially align with the Australian Privacy Principles (APPs) under the Privacy Act. There are relatively minor differences in the drafting to account for the functions of Queensland agencies, and some APPs are not included in the QPPs because they are not relevant to Queensland agencies: for example, there is no specific QPP for direct marketing, and there is no QPP for overseas transfers as this is already separately provided for under s33 of the Information Privacy Act.
- Mandatory notification of data breaches scheme for Queensland agencies: The introduction of a mandatory data breach notification scheme in Queensland. This scheme is similar to the Notifiable Data Breaches (NDB) scheme under the Privacy Act and was intentionally drafted to reflect the NDB scheme; however, there are some additional express requirements under the Queensland scheme (see underlined sections below). Once the mandatory data breach notification scheme under the Information Privacy Act commences (expected to be from 1 July 2025, other than for local government, which will have a further one-year transition period), a QPP entity must, unless an exemption applies:
- immediately contain the data breach and take reasonable steps to mitigate harm caused;
- assess a suspected data breach within 30 days of forming a suspicion;
- notify the Information Commissioner if an assessment of a suspected breach takes longer than 30 days;
- if the agency becomes aware that a data breach affects another agency, notify that other agency in writing with the prescribed details (only one affected agency needs to notify and undertake the assessment);
- notify the Information Commissioner and affected individuals as soon as reasonably practicable after forming a belief that an eligible data breach has occurred. There are prescribed contents for the statement; and
- publish its data breach policy (how the agency will respond to a data breach) on the agency’s website.
- Enhanced powers for the Information Commissioner: The Information Commissioner will have enhanced powers, including to issue compliance notices and commence own-motion investigations, without the need for there to be an initiating individual complaint. This accords with the Federal Information Commissioner’s powers.
- Contracted service providers: The existing provisions with respect to contracted service providers remain, save that the obligation on the agency to take reasonable steps to bind the contracted service provider to the IPPs (or, as applicable, the NPPs) now refers to the QPPs. This obligation applies to new contracts entered into or renewed after the commencement of the QPPs (there is no retrospective operation of this provision and there is no legislative requirement to attempt to “re-paper” existing service provider contracts). The existing requirement to take reasonable steps to bind contracted service providers to the agency’s obligations with respect to overseas transfers (amended to replace “transfers” with “disclosures”) of personal information continues to apply.
Impacts for Queensland agencies and steps to take
The amendments to the Information Privacy Act require Queensland agencies to better protect personal information and introduce a number of requirements which will likely necessitate an uplift in the information handling practices and privacy management frameworks of Queensland agencies. While the amendments are not expected to commence until mid-2025, there are steps all Queensland agencies should take now to prepare. In particular, agencies should review their existing data breach and cyber incident response plans (or develop these documents) to ensure they will enable the agency to meet its obligations under the NDB scheme. The agency will also need to develop a data breach policy that can be published on its website.
Impacts for contracted service providers
Agencies will be required to take reasonable steps to bind their contracted service providers to the QPPs and any applicable QPP code, as if they were an agency under the Information Privacy Act, once the reforms commence. Once bound, the contracted service provider will need to ensure it has practices, procedures and systems that ensure it complies with the QPPs. This may have a significant impact on service providers to Queensland agencies, especially small businesses that are otherwise exempt from the Privacy Act and do not have an existing privacy management plan or are otherwise not compliant with the APPs (on which the QPPs are based).
Businesses that regularly engage with Queensland agencies, or intend to tender in the future, should prioritise reviewing their existing information handling practices and start work now on any uplift that may be required to ensure they are able to comply with the QPPs and any mandatory notification obligation that may be flowed down to the business by the contracting agency. If we can assist in reviewing existing practices and preparing for these reforms, please get in touch.
For more information, please contact Sophie Bradshaw.