In late 2017, the Queensland Department of Justice and Attorney-General released a report flagging its recommendations for changes to Queensland privacy laws.
While legislation has not yet been introduced to give effect to the recommendations, it is worth understanding the trajectory of the law to accommodate potential changes in current and future privacy practices and contracting arrangements.
The report comes almost 10 months after the government announced it was reviewing the Information Privacy Act 2009 (Qld) (IP Act) and the Right to Information Act 2009 (Qld) (RTI Act). Our publication on that review and the corresponding consultation paper is available here. The report makes 23 recommendations for amendments to the IP Act and the RTI Act.
In relation to reviewing the IP Act, the report grappled with three sets of privacy principles – the Commonwealth Australian Privacy Principles (APPs), the Queensland National Privacy Principles (NPPs) which apply to Queensland health agencies, and the Queensland Information Privacy Principles (IPPs) which apply to non-health Queensland agencies.
The report makes several recommendations in relation to the IP Act which, if passed in legislation, will change the way entities bound by the IP Act may deal with personal information. Some of those key changes are summarised as follows:
1. Subcontracted service providers
Previously, the IP Act only required Queensland agencies to ensure that their contracted service providers complied with the IP Act. The review recommends that Queensland agencies be under a similar obligation in relation to their subcontractors.
What does this mean for Queensland agencies? Queensland agencies will need to update template contracts for subcontracting arrangements to ensure that those contracts contain robust terms requiring the subcontractor to comply with the IP Act.
2. Access to personal information
Presently, an individual has rights to access personal information under both the IP Act and the RTI Act. The report recommends simplifying these access rights by locating them in the RTI Act only. Interestingly, this would mean that Queensland’s privacy principles would differ from the APPs, which contain access rights.
What does this mean for Queensland agencies? Queensland agencies will only have one regime for personal information requests. The agency’s RTI team will need to be across amendments to the RTI Act, which will incorporate provisions regarding personal information access and correction requests.
3. Definition of personal information
The Commonwealth and Queensland definitions of personal information deviated when the Commonwealth definition was updated, but the Queensland definition was retained. The report recommends adopting the Commonwealth definition for consistency. Queensland’s Office of the Information Commissioner (OIC) submitted that such a change would not significantly change the scope of what is considered to be personal information.
What does this mean for Queensland agencies? Agencies will need to update the definition of personal information in their privacy documentation and template contracts. If required, agencies may also be able to consult Commonwealth guidance about the scope of the definition.
Going forward, agencies may wish to define personal information in their contracts by reference to the IP Act, so that if the definition changes in that Act, the definition changes for the purposes of the contract.
4. Data ‘transfer’ and ‘disclosure’
Currently, the IP Act regulates overseas ‘transfer’ of information, whereas the Privacy Act regulates overseas ‘disclosure’. While the relevant regulators appear to adopt the view that the words have similar meanings in practice (e.g. they exclude the mere routing of information through an overseas jurisdiction), there is a risk that ‘transfer’ has a broader meaning than ‘disclosure’.
There was strong support from consultation respondents to adopt the word ‘disclosure’, particularly as that term is defined in the IP Act.
What does this mean for Queensland agencies? As well as making relevant documentation changes, Queensland agencies should be prepared to assess which of their practices are ‘disclosures’ of personal information overseas, enlivening the offshoring provisions of the IP Act.
5. Investigation by the Office of the Information Commissioner
While the review noted that the OIC potentially already has the power to conduct ‘own motion’ investigations into agencies’ practices, it suggested that such a power should be expressly set out in the IP Act.
What does this mean for Queensland agencies? Queensland agencies should prepare for investigations conducted by the OIC in the absence of a particular privacy complaint.
Agencies should be prepared for investigation by having a detailed and up-to-date understanding of the agency’s information collection and handling practices, as well as ensuring all relevant compliance material is updated and readily available.
6. Reasonable steps to protect personal information
Currently, Queensland agencies subject to the IPPs have an absolute obligation to ensure that personal information is not lost, subjected to unauthorised access or disclosure, or misused. The report recommends adopting the equivalent NPP (and Commonwealth APP position) which requires the agency to take ‘reasonable steps’ to protect against such loss and misuse.
What does this mean for Queensland agencies? In practice, Queensland agencies must continue to take steps to keep personal information secure. Such a change will mean that data breach events which occur despite the agency taking reasonable steps will no longer be a breach of IPP 4.
7. Disclosure between health agencies
The report recommends that for the purpose of the IP Act, Queensland Health and the Hospital and Health Services are treated as one entity, so that disclosures between them (including through information sharing platforms) are not governed by the disclosure obligations in the NPPs.
Where to next?
It is anticipated that legislation will be introduced into Parliament to give effect to the recommended changes. Queensland agencies should be prepared to amend their privacy compliance documentation and template contracts to account for the changes (especially definition and terminology changes).
However, further changes are flagged.
The report recommends further consultation on the merits of a single set of privacy principles. It also notes that such a change (which would be a significant change for many or all agencies) would be most effective if adopted by other States and Territories.
The OIC has indicated that it is in favour of a mandatory data breach notification scheme, which would require Queensland agencies to notify affected individuals about data breaches. While it is not yet proposed to be enacted, agencies should be prepared to consider what such a regime would mean for their information management practices.
Further, the Queensland Law Reform Commission is now investigating civil surveillance and privacy laws (report due 1 July 2019) and workplace surveillance laws (report due 30 June 2020). Agencies should look for opportunities to make submissions on these laws so they can have input into any further changes that may be recommended.