The Queensland government says the new legislation will beef up the state’s privacy laws.
Queensland has become the second state after NSW to introduce a mandatory data breach notification scheme.
The move comes more than a year after it was recommended by the state’s Coaldrake Review, which investigated the culture and accountability in the Queensland public sector.
The recommendation – that “Citizens’ privacy rights be protected by implementation of mandatory reporting of data breaches” was one of 14 made by Professor Peter Coaldrake, who undertook the review.
In his report, Professor Coaldrake revealed the state’s Crime and Corruption Commission had recommended the introduction of a mandatory data breach notification scheme as part of its 2019 Operation Impala report.
And in June this year, a report from the state’s information commissioner found Queensland government agencies needed to do more to prepare for the slated mandatory data breach reporting scheme.
More than 100 agencies responded to a survey assessing readiness for a mandatory reporting scheme commissioned by the Office of the Information Commissioner, accounting for around half of all agencies under the commissioner’s jurisdiction.
Just under half of the agencies surveyed said they had a “documented data breach response plan” in place, and only 27 had tested their plans with a simulated exercise or an actual data breach.
The Information Privacy and Other Legislation Amendment Bill 2023 establishes a mandatory notification scheme with requirements to notify affected individuals and the Office of the Information Commissioner of eligible data breaches that would likely result in serious harm.
Queensland Attorney-General and Minister for Justice and Minister for the Prevention of Domestic and Family Violence Yvette D’Ath said the scheme would strengthen the state’s privacy laws.
“Recent high-profile data breaches demonstrate that loss or unauthorised access or disclosure of personal information has the potential to result in serious harm to individuals,” she said.
“That’s why we are establishing this scheme so there are clear, consistent requirements to notify individuals of data breaches of Queensland government agencies, so that individuals are empowered to take steps to reduce the risk of harm resulting from a data breach.”
She said the reforms would also ensure Queensland’s privacy laws remain contemporary and relevant given the changes to the use of technology, and to the way in which personal information is collected, used, accessed, stored and disclosed in today’s digital world.
The Bill will also include:
- Amendments to support the implementation of the scheme for the proactive release of Cabinet documents.
- Reforms to improve consistency with the Commonwealth Privacy Act, including a single set of privacy principles aligned with the Australian Privacy Principles. This will provide a stepping stone for further reform following any legislation arising out of the Commonwealth Government’s review of the Privacy Act.
- Reforms to the Right to Information framework that will reduce red tape and deliver efficiencies for applicants and agencies.
