The Queensland government is considering forcing agencies to report data breaches to affected individuals and the state’s privacy commissioner as part of proposed privacy and right to information reforms.
The Department of Justice and Attorney-General on Friday released a consultation paper calling for feedback on the proposed mandatory data breach (MDB) notification scheme, as well as a new set of privacy principles.
It follows a series of reports over the last five years recommending changes to the state’s Information Privacy Act 2009 and Right to Information Act 2009, including through the introduction of a MDB notification scheme.
Such a scheme was first recommended by the Office of the Information Commissioner (OIC) in response to the government’s 2016 statutory review of the IP Act, and again by the Crime and Corruption Commission (CCC) in 2020.
The consultation paper said a MDB notification scheme would “not only be good privacy practices but would enhance and protect the privacy rights of individuals”, while also improving transparency and accountability for agencies.
“Consistency with the Commonwealth scheme would give individuals who deal with Queensland agencies the same protections as those individuals have when dealing with federal government agencies,” it said.
No state or territory has implemented a MDB notification scheme to date. The NSW government – which pledged to introduce such a scheme in March 2020 – unveiled an exposure draft of its legislation in May 2021, but is yet to introduce a bill to parliament.
The paper said that any MDB notification scheme would be “based on the Commonwealth’s... scheme”, with agencies required to notify the state’s Office of the Information Commissioner and any affected individuals of an “eligible data breach”.
An eligible data breach is where “a reasonable person would conclude the unauthorised access or disclosure would be likely to result in serious harm to the affected individuals”. Serious harm could include “serious physical, psychological, emotional, financial or reputational harm”.
However, a data breach would not be deemed eligible if, for instance, an agency accidentally sent an email containing personal information to the wrong recipient, but acted quickly to confirm the data was deleted.
Queensland privacy principles
In addition to the MDB notification scheme, the paper also asks whether a single set of privacy principles should be adopted in Queensland, replacing two separate sets: the national privacy principles (NPPs) and information privacy principles (IPPs).
It said there are similarities and differences between the NPPs – which only apply to health agencies – and IPPs in the IP Act, as well as the Australian Privacy Principles in the Commonwealth Privacy Act.
“The existence of two similar but not identical sets of privacy principles in Queensland, which are not consistent with the APPs, has the potential to give rise to unjustified compliance costs,” the paper said.
The paper said that adopting a single set would “reduce ‘red tape’ and compliance costs” for entities subject to more than one set of privacy principles, and could give Queenslanders a greater understanding of their privacy rights.
Like the current IPPs and NPPs, the proposed Queensland privacy principles (QPPs) would require agencies to “take reasonable steps to protect personal information they hold from unauthorised access, use, disclosure, modernisation and from any other misuse”.
The government is calling for feedback on whether the IP Act should “prescribe a non-exhaustive list of matters that must be taken into account by an agency when determining what ‘reasonable steps’ would be”.
The paper also proposes that the definition of personal information be changed to reflect the Commonwealth Privacy Act 1988, to take into account newer definitions of personal data that have emerged since the definition was last amended in 2012.
“Adopting the definition of personal information in the Privacy Act would ensure consistency between the Queensland and Commonwealth regulatory frameworks. It is broader and more flexible than the current definition in the IP Act,” it said.
“However, it arguably does not address the uncertainty identified by the [Australian Competition and Consumer Commission] in relation to whether this definition captures a range of technical data.”
The paper also asks whether there is a need for a new criminal offence to prosecute public officers for “inappropriately accessing or generally misusing confidential information under section 408E (Computer hacking and misuse) of the Criminal Code”.
It said that the current “use of the term ‘computer hacking’ does not make it clear to public officers that... accessing confidential information... in the performance of their duties can be a criminal offence if they do so for an improper purpose”.
Attorney-general Shannon Fentiman said that while the state’s privacy and information legislation had served it well over the last decade, there was a need to ensure it remains up to date.
“In Queensland, and indeed around the world, technological developments are impacting on information privacy and access to personal information, and it’s crucial our legislation remains contemporary and relevant,” she said in the paper's foreword.
“This consultation paper accordingly seeks views on whether significant changes should be made to Queensland’s legislation framework for information privacy to enhance protections for personal information and remedies to individuals whose privacy is breached.”
Submissions to the consultation paper close July 22.