Business Insight

Queensland's IPOLA Guidelines – New Mandatory Notification Data Breach Scheme 


    What you need to know

    • Queensland's privacy law reforms take effect 1 July 2025
    • There is a new mandatory data breach notification scheme. Agencies will need to have policies and procedures in place ready to assess and handle a breach
    • Agencies must maintain an internal register of eligible data breaches and publish a data breach policy which outlines their strategy for managing data breaches

    What you need to do

    • Understand the new scheme
    • Plan your internal policies, procedures, register and identify key stakeholders
    • Implement a public facing data breach policy

    On 4 December 2023, the Queensland Parliament gave assent to the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (Act), with privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) to commence 1 July 2025. You can read more about that here.

    In Queensland it has not been compulsory for agencies to notify the Office of the Information Commissioner Queensland (OICQ) of data breaches. The Act establishes a Mandatory Notification of Data Breach (MNDB) scheme. This article summarises the Mandatory Notification of Data Breach scheme Guideline issued by the OICQ (Guideline)1, and provides practical steps to help agencies get ready to comply with the MNDB scheme.

    Key concepts

    An 'eligible data breach' of an agency will trigger notification to the OICQ and impacted individuals if:

    1. there is unauthorised access to, or unauthorised disclosure of, personal information held by the agency; or

    2. there is a loss of personal information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur;

    AND

    3. the unauthorised access to, or disclosure of, the information is likely to result in serious harm to the affected individual to whom the personal information relates.

    If only (1) or (2), but not (3) applies, then this will be a "data breach". A data breach of itself does not trigger the notification obligations under the IP Act.

    The OICQ has released a flowchart which represents the process for identifying which MNDB scheme obligations apply, both initially and for assessments required under section 48 of the IP Act2. If a data breach is identified as an eligible data breach, further steps will need to be taken (see Mandatory Scheme Breach Obligations later in this article). Agencies can use these guidance materials to personalise their own assessment materials.

    What has happened to the personal information?

    The data breaches identified above cover different scenarios where personal information is handled in a way that is not permitted. The Guideline provides the following interpretation of key terminology:

    • Unauthorised access occurs when the information held by the agency is accessed by someone not authorised to do so.
    • Unauthorised disclosure occurs when an agency intentionally or unintentionally discloses the information when the agency does not have the permission to make that disclosure.

      Unauthorised access and unauthorised disclosure can occur as a result of the same breach. Unauthorised (as used in relation to access and disclosure) is not defined in the IP Act. The Guideline refers to the ordinary meaning of the word in the Macquarie Dictionary Online as 'without proper permission or licence', noting this word is used in a similar context in the Criminal Code Act 1995 (Cth).

    • Loss of information involves the agency no longer having possession or control of the information. Loss may be deliberate or accidental.

    So how do they compare?

    Comparison Table of Examples

    Unauthorised Access Examples

    • Within an agency, if an employee browses agency records relating to a family member, neighbour, or celebrity without a legitimate purpose.
    • Between agencies, if a team at one agency is provided with access to systems and data at a second agency as part of a joint project and a member of the team uses that access beyond what is required for the project.
    • Outside an agency, if information is compromised during a cyberattack and intentionally accessed by a person external to the agency.

    Unauthorised Disclosure Examples

    • An agency software update, either conducted by the agency or a third party service provider, results in the unintended publication of customer records on the agency's website.
    • An agency intends to provide de-identified information to a researcher and accidentally sends the data with personal identifiers included.
    • An agency discloses an individual's personal information to a third party who is not the intended recipient.
    • A database hosted in a cloud environment or web facing application does not have appropriate access controls and the data set is visible to, and accessed by, unauthorised individuals.

    Loss Examples

    • An agency sells or disposes of a physical asset, such as a laptop or filing cabinet, that contains an individual's personal information.
    • An agency employee accidentally leaves a device, such as a USB or external drive, containing personal information on public transport.
    • A device containing personal information is stolen (however, if the personal information is inaccessible or known to have been destroyed, a data breach is unlikely to have occurred, e.g. documents destroyed in a natural disaster, or a password protected laptop that is lost and handed in with no evidence of access established).

    At this point, an agency would have its internal and external advisors (IT, cyber and legal) assist in determining whether a data breach has occurred.

    Has there been serious harm?

    There needs to be "serious harm" in order for there to be an eligible data breach.

    Serious harm to an individual includes serious physical, psychological, emotional, or financial harm to the individual, or serious harm to the individual's reputation, because of the access or disclosure. According to the Guideline, the effect on an individual must be more than mere irritation, annoyance, or inconvenience.

    Many different factors will need to be weighed when analysing whether serious harm has occurred. That will look different for each data breach – there is a list of matters in section 47(2) that must be considered to determine if the data breach is likely to result in serious harm to the individual to whom the personal information relates.

    When making the assessment, agencies must consider if serious harm is 'likely', which means 'more probable than not'. If doubt or ambiguity exists as to whether a data breach is likely to result in serious harm, agencies should err on the side of caution and assume that serious harm is likely.

    New policy requirements3

    Agencies must maintain an internal register of 'eligible data breaches', which includes the information in section 72(2) of the IP Act and publish a data breach policy on their website, which outlines the agency's overall strategy for managing all data breaches (not just 'eligible data breaches'). Implementing this will practically assist an agency in understanding how it will handle data breaches.

    Data breaches and contracted service providers4

    There may be circumstances where data breaches involve personal information in the possession of a contracted service provider. Those data breaches will be considered to be a data breach of an agency. Section 13 of the IP Act defines "held or holds" in relation to personal information as:

    Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.

    The words "under the control" in this definition are key. The definition has been designed to capture situations with contracted service providers where an agency may not be in physical possession of the relevant document containing personal information, but it still retains a legal entitlement to possession or a right or power to deal with the information.

    Where a data breach affects an agency's contracted service provider, an agency will need to consider whether any impacted personal information is 'held' by the agency. This will require consideration of the specific circumstances, including the agency's right to control the information, why it was collected or created, who created it and the contractual arrangements governing provision of the services.

    Mandatory Scheme Breach Obligations

    When an agency knows or reasonably suspects that a data breach is an 'eligible data breach', the following steps should be followed.


    Statutory tort for invasion of privacy

    Agencies should also be aware that as of 11 June 2025 there will be changes to the federal Privacy Act 1988 (Cth) (Privacy Act) that will introduce a statutory tort for serious invasions of privacy. Individuals may take civil action for intrusion upon seclusion, or misuse of personal information in circumstances where:

    • an individual had a reasonable expectation of privacy;
    • the invasion was intentional or reckless;
    • the invasion was serious; and
    • the public interest in the plaintiff's privacy outweighs any countervailing public interest.

    An action can be brought whether or not conduct is permitted under or subject to the Privacy Act, meaning that conduct under the IP Act may also be the subject of an action. This presents a new risk for potential litigation against an agency as a result of a data breach (including potential class actions if multiple individuals are the subject of a data breach). This new risk of litigation from the statutory tort emphasises the importance of early engagement with individuals and having harm reduction strategies to minimise the impact on individuals due to any invasions of privacy.


    Other authors: Alex White, Associate


    1. 'OICQ Mandatory Notification of Data Breach scheme' Guideline can be accessed here: https://www.oic.qld.gov.au/__data/assets/pdf_file/0007/64294/Guideline-MNDB-mandatory-notification-of-data-breach.pdf.
    2. Refer to OICQ flowchart here: https://www.oic.qld.gov.au/__data/assets/pdf_file/0007/67318/IPOLA-Resource-MNDB-Initial-Consideration-Flowchart.pdf.
    3. 'MNDB scheme – Data Breach Registers and Policies' Guideline outlines further guidance on documentation, registers and policies required. See Guidance here: https://www.oic.qld.gov.au/__data/assets/pdf_file/0006/64293/Guideline-MNDB-data-breach-registers-and-policies.pdf.
    4. 'MNDB scheme – Data breaches and contracted service providers' Guideline outlines further guidance on how to handle a data breach where personal information is in the possession of a contracted service provider. See Guidance here: https://www.oic.qld.gov.au/__data/assets/pdf_file/0004/67315/IPOLA-Guideline-MNDB-Data-breaches-and-contracted-service-providers.pdf.
    5. See Guidance here: https://www.oic.qld.gov.au/__data/assets/pdf_file/0003/67314/IPOLA-Guideline-MNDB-Assessing-a-data-breach.pdf.
    6. OICQ Mandatory Notification of Data Breach scheme – Exemptions Guideline

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.