This article applies to Queensland agencies (including public authorities).
Information Privacy and Other Legislation Amendment Act 2023 (Qld)
On 1 July 2025, Parts 3 and 5 of the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (the Amendment Act) commenced. Part 3 amends the Information Privacy Act 2009 (Qld) (the IP Act), and Part 5 amends the Right to Information Act 2009 (Qld) (the RTI Act).
What’s changed?
The key changes made by the Amendment Act to the IP Act are:
- Schedules 3 and 4 of the IP Act have been amended by removing and replacing the National Privacy Principles (NPPs) that applied to health agencies, and the Information Privacy Principles (IPPs) that applied to all other agencies, with a single set of privacy principles called the Queensland Privacy Principles (QPPs). The new QPPs will apply to agencies, other than APP entities; and
- new Chapter 3A, which introduces mandatory notification of data breaches.
The key changes made by the Amendment Act to the RTI Act are:
- new Chapter 3A which introduces rights to amendment of personal information.
Further Information
Amendments to the IP Act
New Queensland Privacy Principles
The new QPPs are based on the Australian Privacy Principles outlined in the Privacy Act 1988 (Cth); however, they have been adapted in a manner more appropriate for Queensland agencies.
The new QPPs introduce a variety of obligations for agencies (including public authorities) to ensure that personal information is protected in a more efficient manner. Relevantly, they will require agencies to:
- manage personal information in an open and transparent way, including having a ‘QPP privacy policy’ about the agency’s management of personal information;
- give individuals the option to remain anonymous, or use a pseudonym, when dealing with an agency in relation to a particular matter;
- only collect personal or sensitive information if the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities, and by lawful and fair means;
- destroy unsolicited personal information that could not have been collected or is not contained in a public record;
- notify individuals when their personal information has been collected;
- use personal information of individuals for the primary purpose unless consent is given to use it for a secondary purpose;
- ensure that the personal information that is collected is accurate, up to date and complete;
- protect the information from misuse, interference, loss, unauthorised access, modification or disclosure;
- give individuals access to their personal information upon request; and
- take reasonable steps to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading.
New Chapter 3A – Mandatory notification of data breaches
New Chapter 3A of the IP Act applies in relation to personal information, other than personal information in a document to which the privacy principle requirements do not apply, held by an agency. It introduces new requirements for agencies (including public authorities) in relation to eligible data breaches.
An eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if:
- both of the following apply:
  - the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;
  - the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in the paragraph below; or
- the data breach involves the personal information being lost in circumstances where:
  - unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and
  - if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in section 47(2) of the IP Act.
Under new section 48 of the IP Act, if an agency knows, or reasonably suspects, that there is a data breach which is an eligible data breach of the agency, the agency will be required to:
- immediately, and continue to, take all reasonable steps to contain the data breach and mitigate any harm caused by the breach; and
- if the agency does not know whether the data breach is an eligible data breach of the agency – assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency within 30 days or within an extended period if applicable; and
- notify any other affected agency in writing.
Agencies that form the belief an eligible data breach has occurred will also be required under Chapter 3A of the IP Act to:
- provide a statement to the Information Commissioner;
- notify affected individuals;
- keep a register of all eligible data breaches of the agency;
- prepare and publish a data breach policy; and
- give reasonable help to an individual making a privacy complaint to the agency.
Amendments to the RTI Act
New Chapter 3A – Amendment of personal information
New Chapter 3A of the RTI Act allows an individual to make an application to amend a document in relation to the individual’s personal information contained in the document. Relevantly, agencies will be required to:
- ensure the amendment application is dealt with by the agency’s principal officer;
- if the amendment application (or part of it) is outside the scope of the RTI Act, give written notice to the applicant within 25 business days;
- if the amendment application is non-compliant:
  - make reasonable efforts to contact and inform the applicant within 15 business days if and why the amendment application is non-compliant;
  - give the applicant reasonable opportunity to consult and make the amendment application compliant before refusal;
  - give written notice of a decision within 10 business days if the amendment application is still non-compliant after the point above; and
  - provide advice and help in making the amendment application compliant;
- only refuse an application if:
  - the appropriate matters in section 78N of the RTI Act have been considered;
  - written notice is given to the applicant;
  - reasonable opportunity was given to consult with the applicant; and
  - the agency provided any information that would remove the ground for refusal; and
- make a decision on the amendment application and provide written notice of the outcome to the applicant.
What you should do
Organisations should familiarise themselves with the new legislation, train relevant staff, and update policies and procedures to ensure compliance with the new updates.



