New Queensland Privacy and RTI bill is here
19 October 2023
On 30 November 2023, the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (Bill), which will implement long-awaited privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) and the Right to Information Act 2009 (Qld) (RTI Act) in Queensland.
The Bill follows a number of reports recommending changes to the IP Act and the RTI Act, followed by a month-long consultation on the proposed reforms earlier this year.
The definition of personal information has been adjusted to align with the Privacy Act 1988 (Cth) (Federal Privacy Act). Importantly, this sees the removal of the concept that a person's identity is 'apparent, or can be reasonably ascertained' in favour of 'an identified individual or an individual who is reasonably identifiable'.
The Information Privacy Principles and National Privacy Principles have been replaced by a single set of Queensland Privacy Principles (QPPs) (predominantly aligning with the principles under the Federal Privacy Act). This sees the removal of the historical distinction between health agencies and all other agencies.
Under the QPPs, agencies will now need to implement a publicly accessible privacy policy.
QPP codes will also be released providing guidance on the application of QPPs or imposing additional requirements.
There will be a special set of situations to allow for handling personal information differently (such as permitted health situations and threats to life and safety).
The Bill introduces a mandatory data breach (MDB) scheme in Queensland. The scheme is largely consistent with the Commonwealth scheme.
Eligible data breaches are categorised as the:
a) unauthorised access to, or unauthorised disclosure of, personal information; or
b) loss of personal information, where unauthorised access or unauthorised disclosure of that personal information is likely to occur, and
c) it is likely to result in serious harm to an individual to whom the personal information relates.
Interestingly, the Queensland MDB scheme does not require a reasonable person to conclude that serious harm is likely to occur (as in the Commonwealth scheme), but simply that serious harm is likely to occur.
Any breach must be:
The Queensland MDB scheme assessment sets a higher bar than the Commonwealth scheme, requiring notification to the Queensland Information Commissioner if the assessment of the breach will exceed 30 days, and for how long. The Queensland Information Commissioner may ask the impacted agency to provide further information or updates about the progress of this assessment.
An agency must also publish a policy on how it will respond to any data breach (including suspected eligible data breaches). This must be on an accessible agency website. An agency must also keep a register of eligible data breaches of the agency.
The Queensland Information Commissioner has been granted a new investigatory power, on their own motion, which may be exercised where the Commissioner is satisfied on reasonable grounds that an act or practice of an agency may be a breach of the privacy principles or other privacy obligations. This approach brings the IP Act more in line with the Federal Privacy Act. For example, the Commissioner's officers will have the power to enter an agency's place of business with consent or without consent (after following proper notice procedures) to observe its data handling systems and practices that relate to compliance with the MDB scheme. These powers may also be exercised by audio visual link.
The Commissioner's performance monitoring and support functions have also been expanded to allow a review of acts or practices of agencies in relation to compliance with the MDB scheme, including data handling systems and practices, to identify data breach related issues of a systemic nature (section 135). This appears to be targeted at identifying inherent and pervasive issues.
The Bill does not introduce significant increases in penalties, like we have seen with the changes to the Federal Privacy Act last year. The Bill introduces the following new penalties under the Commissioner's new investigatory powers:
The maximum penalty for each of these offences is 100 penalty units (current total value of $15,480).
It is not uncommon for agencies to outsource functions to external service providers, which is the origin for the contracted service provider requirement. This is to be expanded to require contracted service providers to also comply with any QPP codes.
In a bid to clarify some of the cross-over and uncertainty that exists with personal information access rights under the IP Act and the RTI Act, the Bill removes Chapter 3 (Disclosure and amendment by application) of the IP Act, with access or amendments to documents containing an individual's personal information now to be covered by the RTI Act. Generally, the new RTI Act provisions reflect the existing IP Act provisions.
Interestingly, the requirement under the IP Act that an application be in an approved form has been relaxed. While the application itself must still contain all the required information, it may be (but need not be) in the approved form. Agencies may notice this change on the ground with the form of access applications received.
Relevantly, the circumstances for extending processing periods for access or amendment applications have been modified. This includes extensions where consultation is required prior to a refusal to deal with an application, where the applicant provides only a postal address, where an extension is requested by and agreed with the agency or where a charges estimate is provided.
There are also refreshed requirements for each agency to publish a scheme on its website setting out the agency's structure and functions, how that affects members of the public, arrangements for the public to engage with the agency's functions, types of information it holds and makes publicly available, procedures for asking for information and anything else specified in regulations. This is quite a change from the previous requirements in section 21 of the RTI Act. There is an exception for an agency not to have to publish information where such information is exempt or contrary to public interest.
At the Commissioner's level, there are various new rights and clarifications included concerning review applications, including when a deemed decision occurs and how relevant decisions should be set aside. The Commissioner may also now declare a person is a vexatious applicant in respect of both access and amendment applications.
It may be of interest to agencies to see that there is a new right for the Commissioner to give a relevant third party (where the document may be of concern to that third party) access to a document that is the subject of external review. The purpose of providing such access is to obtain the third party's views about whether the document is one to which the RTI Act does not apply, the information is exempt information or its disclosure is contrary to the public interest information.
The Bill acknowledges that there will be various transitional arrangements that apply, such as for access applications made prior to the amendments to the RTI Act coming into force.
While the Bill has passed through Parliament, the privacy reforms are only expected to commence on 1 July 2025 (and the MDB scheme as it applies to local Governments is expected to commence on 1 July 2026). Therefore, now is the time to prepare for the upcoming changes. Some things your agency can do to get ready are:
Authors: Amanda Ludlow, Partner; Clare Doneley, Counsel; and Felicity Dunstone, Senior Associate.
This material is current as at 19 October 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.