20 December 2023

Proposed Queensland data breach laws bring new obligations for government agencies

Authored by: Charles Sweeney and Adam Jamieson
The Queensland Parliament has introduced the Information Privacy and Other Legislation Amendment Bill, which proposes new privacy and data breach laws.

On 12 October 2023, the Queensland Parliament introduced the Information Privacy and Other Legislation Amendment Bill 2023 (Qld). If passed into legislation, the Bill will implement changes to the Information Privacy Act 2009 (Qld), including:

  • amending the definition of ‘personal information’ to align with the federal law under the Privacy Act 1988 (Cth)
  • consolidating the National Privacy Principles and Information Privacy Principles into a single set of Queensland Privacy Principles (QPPs) based on the federal Australian Privacy Principles (APPs)
  • introducing a new mandatory data breach regime
  • giving the Queensland Information Commissioner new investigatory powers.

The changes largely bring Queensland’s privacy and data breach laws into line with the federal law under the Privacy Act 1988 (Cth), imposing new obligations that government agencies in Queensland should be aware of.

Mandatory data breach regime

One of the major changes implemented by the Bill is the introduction of a mandatory data breach regime. The regime imposes obligations on agencies in relation to eligible data breaches.

An eligible data breach will be a data breach in relation to personal information held by the agency that involves either:

  • unauthorised access to, or disclosure of, the personal information where serious harm to an affected individual is likely to result
  • loss of personal information in circumstances where unauthorised access to, or disclosure of, the personal information is likely to occur and the access or disclosure is likely to result in serious harm to an affected individual.

Where an agency knows or reasonably suspects that a data breach is an eligible data breach, it will be required to:

  • take all reasonable steps to contain the data breach and mitigate harm caused by it
  • assess whether the data breach is an eligible data breach within 30 days.

If the assessment will take longer than 30 days, the agency must notify the Information Commissioner and provide details of how long the assessment will be extended by.

A core feature of the new regime is the mandatory data breach notification scheme, which imposes an obligation on agencies that reasonably believe that there has been an eligible data breach to notify the Information Commissioner and affected individuals and provide information including:

  • the date of the data breach
  • the category of eligible data breach
  • the type of personal information subject to the breach
  • information about how the breach occurred
  • steps the agency has taken or will take to contain the breach and mitigate the harm caused to individuals
  • recommendations about steps individuals should take in response to the data breach.

The Bill also provides for some exemptions from compliance with the notification scheme, such as where:

  • complying would prejudice a criminal investigation or legal proceedings
  • the agency has taken action to mitigate the harm caused by the breach and serious harm to an affected individual is no longer likely
  • complying would create a serious risk of harm to an individual’s health or safety.

Queensland Information Commissioner investigatory powers

The Bill gives the Information Commissioner new powers to investigate, on their own initiative, acts or practices of government agencies where the Information Commissioner is satisfied on reasonable grounds that the act or practice may contravene the requirements of the QPPs or the mandatory data breach notification scheme.

As part of these investigatory powers, authorised officers appointed by the Information Commissioner may, after the Commissioner has provided written notice, enter an agency’s place of business and inspect documents. They may also require demonstrations of data handling systems relevant to the agency’s compliance with the QPPs. The authorised officer will also have the power to require a person at the agency’s place of business to provide reasonable help in carrying out the officer’s functions.

The Bill also introduces new offences, carrying penalties of up to $15,480, for failure to:

  • take reasonable steps to facilitate the entry of an authorised officer exercising the power of entry
  • comply with the authorised officer’s request for reasonable help without a reasonable excuse.

Reasonable excuses for the latter penalty include where compliance with the requirement would result in the disclosure of information subject to legal professional privilege or where it would tend to incriminate an individual or expose them to penalty.

Next steps for government agencies in Queensland

If the Bill is passed into legislation, it will bring Queensland’s privacy laws more into line with the federal law. Government agencies in Queensland should review their privacy policies and data protection systems in preparation for upcoming changes and seek advice to properly understand their obligations.

Please contact a member of our corporate advisory team if you have any questions relating to the matters discussed in this article.

This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.

Key contacts

Charles Sweeney
Managing Partner
