Queensland has become only the second state to legislate a mandatory data breach notification scheme for public sector entities, as an almost identical scheme comes into effect in New South Wales.
The Information Privacy and Other Legislation Amendment Bill 2023 passed through the Queensland state Parliament on Wednesday, less than two months after the bill was first introduced.
The new scheme will require state and local government entities to notify affected individuals and the state’s privacy watchdog of eligible data breaches that would likely result in serious harm.
A similar scheme exists at the Commonwealth level through the mandatory Notifiable Data Breaches Scheme, but it covers only federal agencies and parts of the private sector; it does not extend to state agencies, state-owned corporations or local councils.
The Queensland scheme will come into effect for state government entities at the beginning of July 2025, while local governments have been given until July 2026 to prepare for the changes.
The Office of the Information Commissioner Queensland has been calling for such a scheme for the best part of a decade, while the Crime and Corruption Commission joined the push in 2016 after uncovering corruption risks around confidential information.
The Palaszczuk government committed to introducing the scheme last year, shortly after a damning review of the state’s public sector by Professor Peter Coaldrake – which also backed mandatory notification – was published.
New South Wales is the only other state or territory to have introduced a mandatory data breach notification scheme, passing legislation for the scheme in November last year.
The New South Wales scheme — which similarly applies to public sector agencies, state-owned corporations and local councils, as well as some universities — came into effect on Tuesday after a year-long grace period.
Under the scheme passed by the Queensland Parliament on Wednesday, agencies will have 30 days after a data breach to identify whether notification is required, with an extension allowed where it is reasonably required.
A previous version of the bill allowed agencies to “extend the 30 days’ time period unilaterally, for an indefinite period of time”, which the government amended before the bill was passed. A committee inquiry into the bill recommended the changes last week.
The bill also aligns state privacy law more closely with the national privacy principles and reforms the Right to Information framework to reduce barriers to citizens accessing government-held information.
Penalties for “conduct relating to the misuse of restricted computers” have similarly been increased following a spate of incidents in which public officers have misused confidential information, an offence known in the state as “computer hacking”.
In a statement on Wednesday, Attorney-General Yvette D’Ath described the scheme as a “significant” step forward, one that will “enhance public confidence in Queensland’s privacy laws” after a series of high-profile data breaches.
“Everyone is aware of high-profile data breaches in recent years. That’s why we have progressed these reforms to ensure individuals are notified of data breaches of Queensland government agencies which are likely to result in serious harm.”
“This will empower affected individuals to take action that will reduce the risk of adversity from a data breach.”
Ms D’Ath also foreshadowed future reforms arising from the review of the Commonwealth Privacy Act, with the federal government agreeing to 106 of the review’s proposals in full or in principle in September.
“I understand that the Commonwealth government currently plans to introduce legislation sometime in 2024,” she told state Parliament on Wednesday.
“Proceeding with Queensland’s privacy reforms now ahead of any changes to the Commonwealth Privacy Act will provide an uplift of the privacy protections for Queenslanders, moving towards the Commonwealth framework.”
Do you know more? Contact James Riley via Email.