New Information Privacy Framework in Queensland

This article applies to Queensland agencies (including public authorities) that deal with personal information, including health information.

Information Privacy and Other Legislation Amendment Bill 2023 (Qld)

On 29 November 2023, the Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (the Bill) passed Queensland Parliament and was assented to on 4 December 2023. Parts 1, 1A, 6 and Schedule 1, Part 1 commenced on the date of assent whilst Parts 2-5 and Schedule 1, Part 2 will commence on a day to be proclaimed.

Overview

The Bill will primarily amend the Information Privacy Act 2009 (Qld) (the IP Act).

The key objectives of the Bill are to change Queensland’s information privacy framework so that it better protects personal information and provides appropriate remedies for data breaches and for misuse of personal information by agencies, while also improving the operation of the State’s information privacy and right to information framework.

Mandatory notification of data breaches

The Bill introduces new requirements for agencies (including public authorities) in relation to eligible data breaches under Chapter 3A of the IP Act.

An eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if:

  • both of the following apply:
    • the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;
    • the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in section 47(2) of the Bill; or
  • the data breach involves the personal information being lost in circumstances where:
    • unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and
    • if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in section 47(2) of the Bill.

Under the new section 48 of the IP Act, if an agency knows, or reasonably suspects, that there is a data breach which is an eligible data breach of the agency, the agency will be required to:

  • immediately take all reasonable steps to contain the data breach; and
  • if the agency does not know whether the data breach is an eligible data breach of the agency – assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency:
    • within 30 days after the suspicion of an eligible data breach was formed; or
    • if the period mentioned in the above dot point is extended under section 49 of the IP Act – the extended period.

Additionally, after becoming aware of, or forming the reasonable suspicion of, the eligible data breach, including during an assessment of the data breach, the agency will have to:

  • take, or continue to take, all reasonable steps to contain the data breach, and take all reasonable steps to mitigate the harm caused by the data breach; and
  • if the agency is aware the data breach may affect another agency – give a written notice to the other agency of the data breach that includes:
    • a description of the data breach; and
    • a description of the kind of personal information that is the subject of the data breach, without including any personal information in the description.

The Bill also introduces further requirements for agencies to give statements about eligible data breaches to the Information Commissioner, and requires agencies to notify individuals if their information has been accessed, disclosed or lost due to an eligible data breach. These obligations are set out in full under Chapter 3A, Part 3 of the Bill.

New Queensland Privacy Principles

The Bill will also amend Schedules 3 and 4 of the IP Act by removing the current National Privacy Principles (NPPs), which apply to health agencies, and the Information Privacy Principles (IPPs), which apply to all other agencies, and replacing them with a single set of privacy principles called the Queensland Privacy Principles (QPPs). The QPPs will apply to agencies other than APP entities.

The new QPPs are based on the Australian Privacy Principles outlined in the Privacy Act 1988 (Cth); however, they have been adapted in a manner more appropriate for Queensland agencies.

The new QPPs introduce a variety of new obligations for agencies (including public authorities) to ensure that personal information is protected in a more efficient manner. Relevantly, they will require agencies to:

  • manage personal information in an open and transparent way;
  • give individuals the option to remain anonymous, or use a pseudonym, when dealing with an agency in relation to a particular matter;
  • only collect personal information if the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities;
  • destroy unsolicited personal information that could not have been collected or is contained in a public record;
  • notify individuals when their personal information has been collected;
  • use personal information of individuals for the primary purpose unless consent is given to use it for a secondary purpose;
  • ensure that the personal information that is collected is accurate, up to date and complete;
  • protect the information from misuse, interference, loss, unauthorised access, modification or disclosure;
  • give individuals access to their personal information upon request; and
  • take reasonable steps to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading.

Other requirements for agencies

Under the new section 72 of the IP Act, an agency will be required to keep a register of eligible data breaches. The register must include stated information such as a description of the eligible data breach; the individuals notified of the breach, and the date and method used to notify them; and details of the steps taken to contain the eligible data breach and to mitigate the harm caused by the breach.

Additionally, the new section 73 of the IP Act will require an agency to prepare and publish a policy on its website about how it will respond to a data breach, including a suspected eligible data breach.
