TL;DR

The Queensland Government has released a consultation paper on a series of proposed reforms to Queensland’s privacy and right to information laws (Consultation Paper). The Consultation Paper seeks to address a number of changes to the Information Privacy Act 2009 (Qld) (IP Act) and Right to Information Act 2009 (Qld) (RTI Act) that have been recommended by various reports and reviews into these laws.

The consultation comes at a time of widespread reform to privacy and cybersecurity laws across State and Federal jurisdictions. There will be significant implications for Queensland Government agencies and public sector vendors if the proposed reforms become law.

The Consultation Paper in context

In the Consultation Paper foreword, Attorney-General Fentiman said that a series of consistent themes from recent reports were critical in informing the contents of the Consultation Paper.

The Report on the Review of the Right to Information Act 2009 and Information Privacy Act 2009 (Review Report) found that while Queensland’s framework for right to information and information privacy was working well overall, there were opportunities for improvement. Likewise, the Crime and Corruption Commission’s Operation Impala: Report on misuse of confidential information in the Queensland public sector (Impala Report) demonstrated the serious impacts on individuals as a result of a misuse of personal information by public sector agencies, and the subsequent trust issues that arise from such misuse.

The Consultation Paper considers recommendations for change from these reports (and others) in two parts—Part A and Part B—as summarised below.

The consultation on Queensland’s information privacy laws also comes at a time of significant legislative reform in the area at the Commonwealth and State level. The Privacy Act 1988 (Cth) (Privacy Act) is currently undergoing an end-to-end review which will likely have widespread impacts on Australian privacy regulation (you can read our latest update here). The Consultation Paper expressly carves out one of the key Privacy Act reforms from its purview, being the proposal of a tort for breach of privacy, to avoid any duplication. Likewise, the Consultation Paper does not cover proposed reforms to Queensland’s surveillance laws, which are also under review by the Queensland Law Reform Commission. You can read more about those proposed reforms here.

Part A: Information Privacy Reforms

This part addresses a series of “recurring” recommendations arising from the various privacy reports and reviews into Queensland’s IP Act and RTI Act. The proposed reforms can be summarised as follows:

  • Updating the definition of ‘personal information’: The Consultation Paper is seeking feedback on whether the definition of ‘personal information’ under the IP Act should be aligned to the definition of ‘personal information’ in the Privacy Act. Not only would this improve consistency between the State and Federal laws, but the Privacy Act definition is said to be more flexible and technology neutral than the current definition under the IP Act.
  • Adopting a single set of privacy principles: The Consultation Paper proposes to consolidate two sets of privacy principles contained in the IP Act – the National Privacy Principles (NPPs), which apply to health agencies, and the Information Privacy Principles (IPPs), which apply to all other agencies. The proposed “Queensland Privacy Principles” (QPPs) are broadly consistent with the Australian Privacy Principles (APPs) under the Privacy Act but are modified for Queensland agencies. Many organisations are obliged to comply with State and Federal privacy laws. The proposed reforms will streamline compliance obligations for government agencies and their service providers.
  • Specifying the ‘reasonable’ steps obligation in the protection of personal information: The current requirements in IPP 4 and NPP 4 require agencies to take ‘reasonable steps’ to protect personal information they hold from unauthorised access, use, disclosure, modification and from any other misuse. The Impala Report recommended that the term ‘reasonable steps’ in IPP 4 and NPP 4 be more specifically defined in line with Article 32 of the EU GDPR. The Consultation Paper is seeking feedback on whether the IP Act should expressly prescribe a non-exhaustive list of matters that must be considered by an agency determining what ‘reasonable steps’ would be under the new QPP 9.
  • Enhancing the powers of the Information Commissioner (OIC): The Consultation Paper proposes that the Information Commissioner should be granted additional powers to respond to privacy breaches including:
    • an own motion power to investigate an act or practice without having received a privacy complaint;
    • a power to make declarations, based on the Commonwealth model, after an own-motion investigation has been conducted; and
    • an amicus curiae role in relation to privacy complaint proceedings in the Queensland Civil and Administrative Tribunal.
  • Introduction of a mandatory data breach notification (DBN) scheme: A new mandatory DBN scheme, based on the Commonwealth scheme under the Privacy Act, has been proposed for Queensland. The mandatory DBN scheme would compel agencies to conduct an assessment of suspected eligible data breaches and take reasonable steps to complete assessments within 30 days of becoming aware. Agencies will also be obliged to notify the OIC if they have reasonable grounds to believe that there has been an eligible data breach. The proposed scheme would also grant the OIC a power to make directions and recommendations to an agency about the handling of a data breach, including:
    • directing the agency to prepare a statement about a data breach; and
    • recommending that an agency notify affected individuals.
  • A new criminal offence: The Impala Report recommended a new offence provision of misuse of confidential information by public officers. The Consultation Paper is seeking feedback on whether a new offence in the Queensland Criminal Code for offending related to misuse of confidential information is required.

Part B: Right to Information and Information Privacy Reforms

Part B discusses proposals for implementing the recommendations considered in Part A and how those recommendations would clarify and improve the operation of the privacy and right to information framework.

The proposals include (among others):

  • A single right of access for making applications: The Consultation Paper proposes to introduce a single right of access under the RTI Act, regardless of whether the information requested is the applicant’s personal information. In addition, individuals should apply to amend their own personal information under the RTI Act, rather than the IP Act. It is also proposed to remove the requirement for applications to be in the approved form and, in some cases, the evidentiary requirements for proving identity when making an application.
  • Requirements for processing applications: A series of changes to the processing requirements of applications have been proposed, including (among others) an extension of the processing times for agencies to process requests.
  • New exemptions: There is a proposal to create a new exemption for matters affecting relations with other governments, namely, where a disclosure of the information could reasonably be expected to cause damage to relations between Queensland and another government, or divulge information communicated in confidence by or for another government.
  • Internal and External reviews: A series of changes to the process for internal and external reviews under the RTI Act have been proposed, including removing the right of internal review and external review to the OIC of a decision by a judicial or quasi-judicial entity that an application is outside the scope of the Act.
  • Application of the IP Act for subcontractors: Arguably one of the more significant reforms proposed is an amendment to extend privacy obligations in the IP Act to subcontractors. Contracted service providers would be required to take all reasonable steps to ensure their subcontracted service providers are contractually bound to comply with the QPPs. The contracted service provider will remain liable for any privacy breaches committed by the subcontractor if they do not take reasonable steps to bind that subcontractor.
  • Application of the RTI Act: Amendments are proposed to the RTI Act to provide clearer criteria for prescribing entities as public authorities which should be bound by the RTI Act. The proposed amendment is intended to reflect the broad range of entities controlled by councils and the State, providing a targeted mechanism by which entities can be subject to additional transparency and oversight, on a case-by-case basis, without instituting a blanket and inflexible approach.
  • Proposals to address privacy issues: A series of changes relating to privacy issues have been proposed, including the introduction of a requirement to lodge a privacy complaint directly with an agency before complaining to the OIC.

What next?

The discussion paper seeks public comment on 15 questions (see page 9 of the Consultation Paper). Written submissions on the Consultation Paper are open until Friday, 22 July 2022. Details on how to make a submission can be found here.

Public submissions will inform the Queensland Government on which of the reforms to Queensland’s information privacy and right to information framework should be progressed.