Business Insight

New Queensland Privacy and RTI bill is here

Insight Hero Image

    On 30 November 2023, the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (Bill) that will implement long awaited privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) and the Right to Information Act 2009 (Qld) (RTI Act) in Queensland.

    The Bill follows a number of reports recommending changes to the IP Act and the RTI Act, followed by a month-long consultation on the proposed reforms earlier this year.

    Top 5 Privacy Changes

    1. Personal information

    Personal information has been adjusted to align with the Privacy Act 1988 (Cth) (Federal Privacy Act). Importantly, this sees the removal of the concept that a person's identity is 'apparent, or can be reasonably ascertained' in favour of 'an identified individual or an individual who is reasonably identifiable'.

    2. Consolidated privacy principles

    The Information Privacy Principles and National Privacy Principles have been replaced by a single set of Queensland Privacy Principles (QPPs) (predominantly aligning with the principles under the Federal Privacy Act). This sees the removal of the historical distinction between health agencies and all other agencies.

    Under the QPPs, agencies will now need to implement a publicly accessible privacy policy.

    QPP codes will also be released providing guidance on the application of QPPs or imposing additional requirements.

    There will be a special set of situations to allow for handling personal information differently (such as, permitted health situations, and threats to life and safety).

    3. Mandatory data breach regime

    The Bill introduces a mandatory data breach (MDB) scheme in Queensland. The scheme is largely consistent with the Commonwealth scheme.

    Eligible data breaches are categorised as the:

    a) unauthorised access to, or unauthorised disclosure of, personal information; or

    b) the loss of personal information, where unauthorised access or unauthorised disclosure of that personal information is likely to occur, and

    c) it is likely to result in serious harm to an individual to whom the personal information relates.

    Interestingly, the Queensland MDB scheme does not require the conclusion of a reasonable person that serious harm is likely to occur (as in the Commonwealth scheme), rather that serious harm is likely to occur.

    Any breach must be:

    1. Immediately CONTAINED and harm caused by the data breach MITIGATED (and the agency must continue to contain and mitigate);
    2. Promptly ASSESSED (within 30 days after suspicion of an eligible data breach is formed); and
    3. Where the breach is an 'eligible data breach', NOTIFIED to the Queensland Information Commissioner and affected individuals (ie whose personal information has been accessed, disclosed or lost), as soon as reasonably practicable. Some exemptions to notification to individuals exist, including where the agency has taken remedial action (similar to the Federal Privacy Act), or where compliance is likely to compromise or worsen the agency's cybersecurity or lead to further data breaches (but only for so long as those matters continue).

    The Queensland MDB scheme assessment sets a higher bar than the Commonwealth scheme, requiring notification to the Queensland Information Commissioner if the assessment of the breach will exceed 30 days, and for how long. The Queensland Information Commissioner may ask the impacted agency to provide further information or updates about the progress of this assessment.

    An agency must also publish a policy on how it will respond to any data breach (including suspected eligible data breaches). This must be on an accessible agency website. An agency must also keep a register of eligible data breaches of the agency.

    4. New investigatory powers of the Commissioner

    The Queensland Information Commissioner has been granted a new investigatory power, on their own motion, which may be exercised where the Commissioner is satisfied on reasonable grounds that an act or practice of an agency may be a breach of the privacy principles or other privacy obligations. This approach brings the IP Act more in line with the Federal Privacy Act. For example, the Commissioner's officers will have the power to enter an agency's place of business with consent or without consent (after following proper notice procedures) to observe its data handling systems and practices that relate to compliance with the MDB scheme. These powers may also be exercised by audio visual link. 

    The Commissioner's performance monitoring and support functions have also been expanded to allow a review of acts or practices of agencies in relation to compliance with the MDB scheme, including data handling systems and practices, to identify data breach related issues of a systemic nature (section 135).  This appears to be targeted at identifying inherent and pervasive issues.

    The Bill does not introduce significant increases in penalties, like we have seen with the changes to the Federal Privacy Act last year. The Bill introduces the following new penalties under the Commissioner's new investigatory powers:

    • an agency may be penalised if it does not take all reasonable steps to facilitate the entry of a Commissioner's authorised officer, following notice of their entry having been given (section 68); and
    • any person at the agency must assist an authorised officer of the Commissioner to exercise their powers (e.g. demonstrate a data handling system) (section 71). A person will be penalised for failure to assist, unless there is a reasonable excuse not do so.

    The maximum penalty for each of these offences is 100 penalty units (current total value of $15,480).

    5. Contracted service provider changes

    It is not uncommon for agencies to outsource functions to external service providers, which is the origin for the contracted service provider requirement. This is to be expanded to require contracted service providers to also comply with any QPP codes.

    Headline RTI Changes

    In a bid to clarify some of the cross-over and uncertainty that exists with personal information access rights under the IP Act and the RTI Act, the Bill removes Chapter 3 (Disclosure and amendment by application) of the IP Act, with access or amendments to documents containing an individual's personal information now to be covered by the RTI Act. Generally, the new RTI Act provisions reflect the existing IP Act provisions. 

    Interestingly, the requirement under the IP Act that an application be in an approved form has been relaxed. While the application itself must still contain all the required information, it may (but need not be) in the approved form. Agencies may notice this change on the ground with the form of access applications received.

    Relevantly, the circumstances for extending processing periods for access or amendment applications has been modified. This includes extensions where consultation is required prior to a refusal to deal with an application, where the applicant provides only a postal address, where an extension is requested by and agreed with the agency or where a charges estimate is provided.

    There are also refreshed requirements for agencies to publish a scheme on its website setting out the agency's structure and functions, how that affects members of the public, arrangements for the public to engage with the agency's functions, types of information it holds and makes publicly available, procedures for asking for information and anything else specified in regulations. This is quite a change from the previous requirements in section 21 of the RTI Act. There is an exception for an agency not to have to publish information where such information is exempt or contrary to public interest.

    At the Commissioner's level, there are various new rights and clarifications included concerning review applications, including when a deemed decision occurs and how relevant decisions should be set aside. The Commissioner may also now declare a person is a vexatious applicant in respect of both access and amendment applications.

    It may be of interest to agencies to see that there is a new right for the Commissioner to give a relevant third party (where the document may be of concern to that third party) access to a document that is the subject of external review. The purpose of providing such access is to obtain the third party's views about whether the document is one to which the RTI Act does not apply, the information is exempt information or its disclosure is contrary to the public interest information.

    The Bill acknowledges that there will be various transitional arrangements that apply, such as for access applications made prior to the amendments to the RTI Act coming into force.

    What's next?

    While the Bill has passed through Parliament, the privacy reforms are only expected to commence on 1 July 2025 (and the MDB scheme as it applies to local Governments is expected to commence on 1 July 2026). Therefore, now is the time to prepare for the upcoming changes. Some things your agency can do to get ready are: 

    • Understand the personal information and data your agency holds, as well as your data retention and deletion obligations.
    • Review the adequacy of your agency's privacy governance, including your policy and procedure framework and risk reporting processes.
    • Understand your data breach and notification obligations. This includes implementing a data breach policy and having clear accountability for managing the data breach response process.
    • Review and uplift your staff privacy and RTI training.
    • Review, and if needed, refresh your privacy consent notifications.
    • Conduct risk assessments for personal information management (Privacy Impact Assessments, Cyber Security Assessments and Third Party Risk Assessments).
    • Consider whether your current resourcing arrangements will be able to cope with the increased workload that compliance with the MDB scheme will bring.

    Authors: Amanda Ludlow, Partner; Clare Doneley, Counsel; and Felicity Dunstone, Senior Associate. 

    This publication is a joint publication from Ashurst LLP and Ashurst Risk Advisory LLP, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities. Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group . Ashurst Risk Advisory LLP services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 19 October 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.