By Susan Shanley and Jacky Zeng

Queensland government agencies will be subject to new Privacy Principles as state parliament passes privacy reform.

Key points up front

• The Information Privacy and Other Legislation Amendment Act 2023 was passed on 29 November 2023.

• The information privacy reforms include:

  • consolidation of the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) into a single set of privacy principles: Queensland Privacy Principles (QPPs),

  • introduction of a mandatory data breach notification (MDBN) scheme, and

  • enhanced powers for the Information Commissioner to respond to privacy breaches including an own-motion power to investigate an act or practice without receiving a complaint.

• The amendments commence on a day to be fixed by proclamation.

• It is currently expected the reforms to the Information Privacy Act 2009 (IP Act) including the new QPPs, will begin on 1 July 2025. This means all agencies, including local government, would transition to the new QPPs on 1 July 2025. The MDBN scheme will likewise commence for all agencies except local government at that time.

• A phased commencement of the MDBN scheme includes an additional 12-month delay for local government only to 1 July 2026.

Queensland Privacy Principles

The reforms to the IP Act include adopting a single set of privacy principles based on the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act) referred to as the QPPs, replacing the NPPs for health agencies and the IPPs for all other agencies.

The new Schedule 3 in the IP Act sets out the QPPs which generally align with the APPs in the Privacy Act. There are some adaptations for Queensland agencies. Furthermore, some APPs and specific APP provisions which are not relevant to the Queensland government context have not been adopted in the QPPs.

IIS has undertaken a detailed comparative analysis of the IPPs/NPPs and the new and/or changed requirements under the QPPs, including what steps agencies and contractors can take now to prepare for the changes when they commence.

A snapshot of IIS’s comparative analysis is provided by reference to five questions and answers on the QPPs:

Question 1:

If a bound contracted service provider has an existing contract with a Queensland agency, does the contractor need to comply with the new QPPs once they commence?

Answer 1:

No, the QPPs do not apply to existing contracts and will only apply to new contracts entered into after commencement, unless there is agreement to a variation. This means the IPPs or NPPs will continue to apply to existing contracts.

The QPPs do not extend to subcontractors. However, contracted service providers should take steps to ensure any subcontractors supporting them in relation to Queensland government contracts have sufficient ability to manage privacy obligations. 

While the QPPs will not apply to existing contracts, IIS strongly recommends all businesses contracted to, or intending to, provide services to Queensland government agencies start the process of familiarising themselves with the revised requirements under the QPPs. 

This is particularly important given small businesses are currently largely exempt from the operation of the Privacy Act and unlikely to be familiar with the APPs and, therefore, the QPPs – which are largely modelled on the APPs – may be a mystery to them. Small business (and other contractors) will need to update their existing privacy arrangements for any new contracts entered into after commencement. 

Unlike the Privacy Act, the QPPs of the IP Act will apply to all bound contracted service providers and there is no exemption for small business providers.

Question 2:

There doesn’t appear to be a QPP equivalent of APP 8 – cross-border disclosure of personal information. What requirements apply to agencies and bound contracted service providers disclosing personal information outside Australia?

Answer 2:

While the Privacy Act includes a privacy principle about cross-border disclosure of personal information (APP 8) there is no equivalent QPP.

Under the Privacy Act, APP 8 and section 16C generally require an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs and makes the APP entity accountable if the overseas recipient mishandles the information (see Chapter 8: APP 8 Cross-border disclosure of personal information).

Section 33 of the IP Act is retained as the preferred method for regulating overseas disclosures of personal information rather than adopting an equivalent QPP 8. The term ‘transfer’ has been replaced with ‘disclosure’ in section 33 of the IP Act.

This means agencies (and contracted services providers where relevant) will continue to comply with section 33 of the IP Act. 

There is a note at QPP 8 which states ‘there is no equivalent QPP for APP 8.’

Question 3:

There is no detail provided under QPP 7, QPP 8 and QPP 9. What does this mean? How does an agency comply with these QPPs?

Answer 3:

The QPPs generally align with the APPs in the Privacy Act, with some adaptations for Queensland agencies. Some APPs that apply to organisations, specific Commonwealth agencies and Commonwealth functions have not been adopted.

APPs 7, 8 and 9 have not been adopted in the QPPs as they are not relevant to the handling of information by Queensland public sector agencies. APP 7 regulates direct marketing, APP 8 regulates cross-border disclosure of personal information (see previous question and answer) and APP 9 regulates the adoption, use or disclosure of government related identifiers (for example, Medicare numbers and driver licence numbers).

This doesn’t mean that there are no requirements for Queensland agencies in those areas above. For example, the disclosure requirements in QPP 6 are applicable for the use of personal information in direct marketing, and as noted, section 33 of the IP Act provides provisions for cross-border disclosures.

Where an APP (or a provision of an APP) has not been adopted in the QPPs, the QPPs include a note referring to the relevant APP or provision. For example:

The Editors note to QPP 7 – direct marketing states:

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle prohibiting direct marketing by certain private sector entities (see APP 7).

There is no equivalent QPP for APP 7.

Note—QPP 6 is relevant to the use or disclosure of personal information for the purpose of direct marketing.

Question 4:

What is a QPP code and how is this different to the QPPs? Do agencies bound by a QPP have to comply with it?

Answer 4:

A QPP code is a written code of practice about information privacy, approved by regulation, which states how one or more of the QPPs are to be applied or complied with by agencies that are bound by it. 

A QPP code may also impose additional requirements to those imposed by a QPP, to the extent that they are not inconsistent with a QPP. 

The purpose of the QPP code is to provide individuals with transparency about how their information will be handled. 

Once the amendments commence, agencies bound by a QPP code will be required to comply with the code and must not do an act or engage in a practice that contravenes a QPP code.

An example of a Code can be found under the Privacy Act. An APP Code is in force which sets out specific requirements and key practical steps Australian Government agencies must take as part of complying with APP 1.2. This includes requirements such as:

• having a privacy management plan,

• appointing a Privacy Officer, or Privacy Officers, and ensuring that particular Privacy Officer functions are undertaken,

• appointing a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information and ensure Privacy Champion functions are undertaken, and

• undertaking a written PIA for all ‘high privacy risk’ projects or initiatives involving new or changed ways of handling personal information.

Question 5:

Do the QPPs impose requirements on agencies to have a privacy policy?

Answer 5:

Yes, QPP 1.3 requires an agency to have a clearly expressed and up-to-date privacy policy about the management of personal information by the agency.

Other requirements placed on agencies under QPP 1 regarding privacy policies include:

• ensuring the privacy policy contains the required information, and

• taking reasonable steps to make its privacy policy available to the public free of charge and in an appropriate form. For example, an agency may do this by publishing its privacy policy on the agency’s website. 

IIS strongly recommends all agencies have a clearly expressed and up-to-date privacy policy in the interest of best privacy practice and openness and transparency about the handling of personal information.

Need assistance?

The above snapshot represents only a small sample of the changes Queensland agencies (and the businesses that support them) will need to make to ensure they are compliant with the QPPs once they commence.

It is important to be ready for the coming changes! As a leading Australian privacy consultancy, and a trusted service provider to the Queensland government, IIS can help. We can assist with your readiness assessment and we offer comprehensive privacy training, governance support, MDBN scheme preparedness and many other services to support your agency in addressing these important reforms.

Please contact IIS to find out more.

By Jacky Zeng

The Information Privacy and Other Legislation Amendment Bill 2023 (the Bill) was introduced into Queensland Parliament on 12 October 2023.

The Bill has been referred to the Education, Employment and Training Committee for consideration.  IIS Partners will be submitting our thoughts on the Bill, with written submissions closing on 3 November 2023.

Key points up front

• A proposed Bill amending Queensland’s privacy legislative framework in the Information Privacy Act 2009 (Qld) (IP Act) has been introduced into the Queensland Parliament.

• The Bill would implement long awaited reforms to strengthen Queensland’s privacy legislative framework and require Queensland agencies to comply with additional privacy obligations.

• Key amendments include introduction of a mandatory notification of data breaches scheme, a consolidated set of Queensland privacy principles (QPPs) and a revised definition of personal information to align with the definition in the Privacy Act 1988 (Cth) (Privacy Act).

Context of privacy law reform in Queensland

The Bill is the culmination of a long review process and recommendations for legislative changes from several reports and reviews. Recommendations for legislative reform can be first traced back to the Report on the Review of the Right to Information Act 2009 and Information Privacy Act 2009 (October 2017).

The Bill additionally addresses a number of recommendations from the Crime and Corruption Commission’s Operation Impala: Report on misuse of confidential information in the Queensland public sector (February 2020) which highlighted the serious impacts on individuals of public officers within government having unauthorised levels of access to systems and information (including personal information). Both the Operation Impala Report and the later Coaldrake Report into culture and accountability of the Queensland Government (June 2022) recommended that mandatory notification of data breaches be introduced as a requirement for Queensland government agencies.

The Queensland Government consulted the public on proposed reforms to Queensland’s Information Privacy and Right to Information frameworks, through release of the consultation paper Proposed changes to Queensland’s Information privacy and right to information framework in June 2022.

IIS notes that the timing of the Bill coincides with significant legislative reforms in privacy at the Commonwealth level. In September 2023, the Australian Government released the Government response to the Privacy Act Review. For a detailed discussion on this topic, see IIS’s first reaction and the interview given to SBS News by IIS Partner Nicole Stephensen.

Some key features of the Bill

Mandatory notification of data breaches

The Bill introduces a scheme that would make it mandatory to notify the Office of the Information Commissioner of Queensland (OIC) and affected individuals of ‘eligible’ data breaches (i.e., unauthorised access, disclosure or loss of personal information). The scheme would apply to Queensland agencies (i.e., those to which the IP Act applies) and largely mirrors the scheme in the Privacy Act.

QPPs

The Bill introduces a new unified set of QPPs which align closely with the Australian Privacy Principles (APPs) in the Privacy Act. This consolidates the IP Act’s existing two-pronged approach, where National Privacy Principles (NPPs) apply to Queensland Health agencies and the Information Privacy Principles (IPPs) apply to all other Queensland agencies, including local government, statutory bodies and public universities.

Definition of personal information

The Bill provides a revised definition of ‘personal information’ which is presently defined as ‘information or an opinion about an identifiable individual, or an individual who is reasonably identifiable from the information or opinion: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not’. The intention of the revision is to ensure alignment with the same definition in the Privacy Act.

IIS notes that the definition for ‘personal information’ in the Privacy Act has not yet been settled, which may – depending on outcomes of the Commonwealth privacy law reform process – necessitate an additional review and revision of the Queensland definition to ensure ongoing alignment.

Enhancing the powers of the Queensland OIC

The Bill provides for enhanced powers and functions for the OIC including:

• A power to conduct own motion investigation of an act, failure to act or practice of an agency which may be in breach of the privacy principles or other obligations under the IP Act, and

• Additional powers in relation to mandatory notification of data breaches, including a power of entry to an agency’s place of business (once notice procedures have been complied with) to observe its data handling practices and the power to direct an agency to give a statement and make recommendations, including a description of the data breach and steps an affected individual should take in response to the data breach.

Under the proposed changes Queensland agencies will be required to publish their data breach policy on their website and keep a register of eligible data breaches of the agency.

What’s next?

It is important for Queensland agencies to stay up to date with these proposed legislative reforms and ensure they follow them once adopted by the Queensland Government.

Some measures Queensland agencies can take now in preparation for these reforms:

• Conduct a privacy maturity assessment and/or review specific information and privacy practices: Agencies should conduct a thorough review of their ability to comply with (current and) proposed privacy regulation in Queensland. Some relevant areas of information and privacy practice are: data collection, storage and sharing.

• Implement privacy by design (PbD): PbD is a best practice approach that involves building privacy protections and safeguards into products and services from the outset, with a focus on prevention (rather than remediation). Agencies should consider implementing this approach to support compliance with the new regulations.

• Establish and publish a data breach policy: The Bill will require agencies to prepare and publish a data breach policy on an accessible agency website. A data breach policy is a document that outlines how an agency will respond to a data breach, including a suspected eligible data breach. It may outline the responsibilities and procedures in place for the agency to investigate, assess, and notify the OIC and individuals (where required). Agencies should implement and regularly test their data breach policy to ensure they are able to meet proposed breach notification requirements, and effectively respond to data breach events.

• Train employees on privacy best practices: Employees play a critical role in an agency’s privacy outcomes. Agencies should provide regular training to employees on privacy rules and best practices to ensure they are aware of their responsibilities and how to handle personal information.

• Consult a privacy professional: Organisations can partner with a privacy professional to provide the above services leveraging years of expertise and relevant public sector experience. This is particularly helpful when privacy resources in the agency are stretched. Contact IIS to discuss how we can help you stay on top of these Queensland privacy reforms.