Queensland moves on data breach notification scheme

Joseph Brookes
Senior Reporter

The Queensland state government is considering a mandatory data breach notification scheme among several privacy and information sharing reforms in the works. The scheme would force agencies to report data breaches to the regulator and affected individuals in what would be a first for a state or territory government.

Currently, Queensland agencies are not obligated to report data breaches, despite recommendations from the regulator in 2016 and a 2020 review of the state government’s management of confidential personal information both calling for a data breach notification (DBN) scheme.

Queensland’s proposed DBN scheme would be based on the 2018 Commonwealth scheme and give individuals dealing with the state’s agencies the same protections as the federal scheme.


The scheme would require agencies to notify the Queensland Office of the Information Commissioner (OIC) and an affected individual of an “eligible data breach”.

According to a consultation paper released Friday, an eligible breach would occur when unauthorised access to, or loss of, personal information is “likely to result in serious harm” to the affected individuals.

Agencies would also be required to conduct “reasonable and expeditious” assessments of suspected breaches.

If a breach occurs or an agency has reasonable grounds to suspect one has, it must notify the OIC and the affected individuals “as soon as practicable”.

Failure to do so would result in the regulator being able to issue compliance notices, compel individuals to provide information, and provide reports to Parliament. Under proposed new powers for the regulator, the OIC would also be able to direct agencies to provide statements about a breach and recommend they notify individuals.

The scheme is similar to the federal Notifiable Data Breach scheme, which launched in 2018 and now receives around 1000 breach notices a year. But amid resourcing challenges, the federal regulator has struggled to meet processing targets and one in ten notices remain unresolved a year after being reported.

New South Wales has also opted for a model like the Commonwealth’s after its own high-profile data breaches at Service NSW. But it took several years from initial consultations to get to a bill amending the state’s privacy laws last year, which is yet to be introduced to Parliament.

On Friday, Queensland Attorney-General Shannon Fentiman released consultations for changes to the state’s information privacy and right to information legislation, which could introduce the NDB scheme alongside other proposals like more powers for the OIC, a set of privacy principles, and a single right of access to information.

“It’s critical our Information Privacy Act effectively protects individuals’ personal information and provides appropriate remedies and responses when privacy is breached,” Ms Fentiman said.

“The proposed reforms reflect a number of recommendations already made by the Crime and Corruption Commission.”

Submissions to the consultations close on July 22.
