In October 2023, Queensland Parliament introduced proposed changes to strengthen Queensland’s information privacy laws.

The proposed changes would apply to Queensland government departments and agencies, and how they handle personal information - including a new, mandatory data breach notification scheme. Through contracts, these changes may also impact businesses that service those Queensland departments and agencies. If passed, the changes will likely take effect in mid-2025.

In this alert, Head of Cyber Security and Special Counsel Steven Hunwicks outlines the proposed changes and (if passed) the likely timing for the changes to take effect.

The Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (Bill) proposes to reform (among other laws) Queensland’s Information Privacy Act 2009 (Qld) (IP Act).

The proposed amendments aim to:

  • better protect personal information held by Queensland Government departments or agencies (for the purposes of this alert, we use the term entity);
  • provide appropriate responses and remedies for a data breach or a misuse of personal information by an entity; and
  • clarify and improve the operation of Queensland’s information privacy (IP) framework.

How?

If passed, the major or more impactful of the proposed changes will:

  • create a mandatory data breaches reporting scheme (DBN Scheme) applying to entities;
  • introduce new Queensland Privacy Principles (QPPs);
  • amend or insert definitions of terms such as “personal information” and “sensitive information”, to better align the Queensland information privacy framework with that in the Privacy Act 1998 (Cth) (Commonwealth Act); and
  • give to the Information Commissioner a new, “own motion” investigation power, where the Commissioner is satisfied that an act or practice of an entity may be a breach of the QPP or other privacy obligations. This includes a power to enter an entity’s place of business to observe its data handling systems and practices for complying with the DBN Scheme.

The new (old) QPPs

The QPPs would consolidate and replace the separate Information Privacy Principles (IPPs) for entitles generally, and the National Privacy Principles (NPPs) specific to Queensland Health and health-regulated entities. The QPPs are consistent with the Australian Privacy Principles under the Commonwealth Act.

In particular, the QPPs would require entities to prepare and publish:

  • a publicly accessible privacy policy, and collection notice statements; and
  • a policy on responding to a data breach (including a suspected eligible data breach).

However, where an entity signed a service contract with a contracted service provider which predates the start date of the QPPs (we will discuss that timing further below), the old IPPs and NPPs will continue to apply.

Consequently, entities (and the Office of the Queensland Information Commissioner) will need to administer three sets of privacy principles—the existing IPPs and NPPs for ‘pre-amendment’ service agreements, and the new QPPs for contracts signed after commencement. This will create complexity for the entitles and their contracted service providers. The Bill does not set a sunset date from which the QPPs would supersede the IPPs and NPPs for pre-amendment contracts.

DBN Scheme

If the Bill becomes law, Queensland will join New South Wales as the second state to mandate a data breach notification scheme for state government entities. This change is long-anticipated and would assist affected individuals to mitigate the risks they may face from a data breach involving their personal information.

In general, the DBN Scheme mirrors the Notifiable Data Breaches Scheme in the Commonwealth Act. Some of the features in common are:

  • an obligation on the entity to assess and determine whether a suspected data breach is an “eligible data breach” and do so within 30 days unless an extended period applies. The 30-day timing would mirror the federal Office of the Australian Information Commissioner’s (OAIC) guidance for an assessment under the Commonwealth Act;
  • a “risk of serious harm” threshold test, and a non-exhaustive list of factors against which the risk of harm must be assessed; and
  • for an eligible data breach, an obligation to give a statement to the Information Commissioner and to give notice to (either) all relevant individuals, or to only the affected individuals, or by general publication such as on the entity’s website.

We see two notable differences between the current Bill’s DBN Scheme and its Commonwealth Act counterpart:

  • Where an entity is satisfied that its data breach assessment cannot reasonably be completed within the mandated 30-day period, the entity would be able to notify the information commissioner that the agency has extended the assessment timeframe, and to a date of the entity’s own choosing. The Bill does not place any specific or practical limits on the length of the extended period.
  • An entity may delay giving a notice of the data breach to individuals if doing so is likely to compromise or worsen the agency’s cybersecurity, or may lead to further data breaches of the agency, but only for so long as that condition exists. We note that the same delay would not be available to an entity’s contracted service provider where giving notice might compromise or worsen the provider’s own cybersecurity or lead to a further data breach of that provider.

Data transfers outside of Australia

The Bill proposes to clarify a current issue of whether, where an agency uses an overseas recipient such as cloud storage or a cloud services provider, the giving of personal information to that overseas recipient is a use, transfer or disclosure of personal information.

Under the current provisions, an entity may “transfer” personal information outside Australia only in one of the permitted circumstances in section 33, of which the relevant circumstances are:

  1. the person has agreed to the transfer of their personal information, or
  2. the transfer is authorised or required under a law, or
  3. the agency reasonably believes that the information will be subject to privacy protections that are substantially similar to the IPPs or NPPs (as applicable).

However, the word “transfer” is undefined, and it has been difficult to determine its precise meaning. (For its part, the Commonwealth Act uses the term “disclose” which is more precise, yet still subject to interpretation.)

The Bill would replace the word “transfer” with “disclose” in section 33, and it would amend the meaning of “disclose” in section 23(2) to read:

“An entity (the first entity) discloses personal information to another entity (the second entity) if—

  1. the second entity does not know the personal information, and is not in a position to be able to find it out; and
  2. the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and
  3. the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.”

The upshot of this proposed change being, the Bill would helpfully clarify that where a Queensland entity puts personal information into the hands of an offshore service provider (such as a cloud hosting or service provider), that the entity’s provision of the personal information or the offshore provider’s “use” of it, is not a “disclosure”.

Were a similar clarification to be proposed in the federal Privacy Act, it would likely be welcomed by legal practitioners who presently rely on the OAIC guidance notes to understand the federal information commissioner’s interpretation and application of the Privacy Act.

Additionally, that where a disclosure (as clarified) would or occur, the Queensland entity must take steps to ensure that its overseas recipient will comply with QPP 11 (security of personal information), including to take reasonable steps to protect the information against a data breach, and must delete or destroy the information when the purpose for its collection has ended.

Progress of the Bill

On Friday 24 November 2023, the Education, Employment and Training Committee (Committee) tabled its report on the Bill to the Parliament.

The Committee recommended that the Bill be passed, and with two changes:

  1. The provision [in new section 49, to be inserted by clause 33 of the Bill] that would allow an entity to extend the data breach assessment period beyond 30 days should be changed so that any extension of time must be only for an amount of time reasonably required for the assessment to be conducted. The report noted this change (if accepted) would align with an equivalent provision in the New South Wales scheme.
  2. Queensland’s Attorney-General should clarify whether: a. the proposed amendment to the definitions of “public authority” may impact on the rights and entitlements of First Nations People and other Queenslanders in respect of their ability to access personal information and family data that may be held by institutions owned by Queensland entities established by letters patent, and on truth‐telling and treaty processes; and b. there are alternative, less restrictive and reasonably available ways to achieve the same purposes.

This definitional change (if made) would exclude letters patent entities from the definitions of “public authority” in each of the IP Act and the Right To Information Act 2009 (Qld), and therefore exclude such entities from operation of relevant provisions of those laws.

The Queensland Parliament’s last sitting days for the calendar year are 28-30 November 2023—meaning that the Bill may pass within this calendar year.

Likely timing to become law

After the Bill has passed, the amendments to the IP Act would come into effect “on a day to be fixed by proclamation”. The Bill also includes a provision for turning off the automatic commencement provisions.

The combined effect of those features means the actual start date for the changes will remain a mystery until it is published by the Queensland Government in subordinate legislation. It could be as soon as a few weeks after royal assent. However, a commonly held view is the amendments will come into force on 1 July 2025 and agencies would then have a 6-month grace period to comply. We will continue to monitor the proposed reforms as the Bill progresses.

What can Queensland Government entities or service providers do to prepare for these changes?

We can assist Queensland Government entities and the businesses who support them to prepare for these upcoming changes in the IP Act, including to:

  • prepare or review their privacy compliance documents, and incident response policies;
  • review their data governance and information management practices to align with the proposed changes in the IP Act; and
  • prepare and test their data breach incident response plans.