Queensland Government releases consultation Paper for reform of Information Privacy legislation

July 14, 2022 |

The Queensland Government has issued a consultation paper on proposed reforms to the privacy and right to information legislation.

The announcement relevantly states:

The Queensland Government is seeking your views about proposed reforms to Queensland’s Information privacy and right to information framework.

Queensland’s Information Privacy Act 2009 (IP Act) protects individuals’ privacy by regulating how their personal information is collected and managed by Queensland agencies. The IP Act also provides a right of access to, and amendment of, personal information held by Queensland agencies and ministers.

Queensland’s Right to Information Act 2009 (RTI Act) provides a right of access to information held by Queensland agencies and ministers unless, on balance, it is contrary to the public interest to release the information.

A number of reports have recommended changes to the IP Act and RTI Act. These include the:

Most of the reforms being considered were recommended in these reports.

Reforms being considered include whether:

    • Queensland should have a mandatory data breach notification scheme
    • Queensland’s 2 sets of privacy principles should be replaced with a single set of principles: the Queensland Privacy Principles.

Only focusing on the privacy reforms the proposals can best be described as modest.  To a large extent it hopes to bring the legislation in line with the Commonwealth and other state laws. 

The timing of this paper is curious.  The consultation specifically notes that the Commonwealth is reviewing its Privacy Act 1988 and the Commonwealth Attorney General has suggested the amendments will be significant.  The net result may be that Queensland will amend its legislation to bring it in line with current Commonwealth legislation which will be amended because that legislation is currently inadequate.  In effect the Queensland legislation may be again out of sync with the Commonwealth legislation but more importantly will be definitively inadequate. It is an unusual way to conduct public policy.

The main proposed reforms are:

  • amending the definition of ‘personal information’ to bring it into line with the definition in the Privacy Act 1988 (Cth).
  • consolidating the privacy principles from two sets of privacy principles  a single set principles which will be described as Queensland Privacy Principles.  They will be modelled on the Commonwealth Australian Privacy Principles.  Given the Australian Privacy Principles are less than the gold standard this a modest achievement.
  • providing the Information Commissioner with powers to respond to privacy breaches, including  a power to conduct ‘own motion’ investigation into an act or practice without having received a complaint, to make declarations after such an own motion investigation, and to intervene in privacy complaint proceedings in the Queensland Civil and Administrative Tribunal.  Again, this is modelled on the powers of the Commonwealth Information Commissioner.  That said the Queensland Commissioner’s powers are modest.  There will be no power to commence civil penalty proceedings or have any power to bring action seeking injunctive relief.  
  • legislating a mandatory data breach notification scheme.  This is necessary. 
  • legislating a clearer scope of ‘reasonable steps’ for the protection of personal information
  • legislating a criminal offence for misuse of confidential information by public officers

Personal information is defined as ‘… information or an opinion … about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’. The proposed reforms would define the information as being about ‘an identified individual, or an individual who is reasonably identifiable’. The amendment will bring the definition in line with the Privacy Act but does not address the problems created by the Federal Court decision in the Ben Grubb decision regarding technical information, such as IP addresses, location data or online identifiers.  So the proposed definition will be inadequate as far as considering the potential of digital data being capable of identifying an individual.

Having  a single set of Queensland Privacy Principles, based on the APPs is uncontroversial.

The following 11 QPPs are similar to the APPs :

  1. QPP 1: Open and transparent management of personal information.
  2. QPP 2: Anonymity and pseudonymity.
  3. QPP 3: Collection of solicited personal information; an agency must not collect personal information unless it is reasonably necessary for or directly related to one of its functions or activities.
  4. QPP 4: Dealing with unsolicited personal information .
  5. QPP 5: Notification of the collection of personal information; take reasonable steps to notify the individual of various matters
  6. QPP 6: Use or disclosure of personal information; not use or disclose personal information which was collected for a particular purpose (primary purpose) for another purpose (secondary purpose) unless the individual consents or another exception applies
  7. QPP 7: Cross-border disclosure of personal information.
  8. QPP 8: Quality of personal information;take reasonable steps to ensure any personal information it collects is accurate, up-to-date and complete
  9. QPP 9: Security of personal information; reasonable steps to protect personal information it holds from misuse, interference, loss, unauthorised access, modification and disclosure
  10. QPP 10: Access to personal information; provide that individual with access to the information if requested
  11. QPP 11: Correction of personal information; take reasonable steps to correct personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading

At the moment the Queensland Commissioner, like the Victorian Commissioner, can mediate a complaint, but cannot make a determination or decision. Complaints that cannot be mediated or successfully mediation by the Information Commissioner are referred to the Queensland Administrative Tribunal, much like in Victoria where the complaints are sent to the Victorian Civil and Administrative Tribunal.  The Impala Report recommended that the Information Commissioner is given  powers to make determinations such as the Australian Information Commissioner.  Given poor track record of the Tribunal in handling complaints this is a better option.  That said the Queensland Tribunal’s decisions are far superior to the dreadful record of VCAT in considering and determining complaints.  The complaints mechanism in both the Victorian and Queensland Acts are bureaucratic and process driven and as a result quite ineffective.  The net effect is that complainants have a very difficult task to get a satisfactory hearing let alone result. It would be better if the State courts had jurisdiction to hear claims. 

The proposed reform to permit the Information Commissioner the right to appear in QCAT in relation to a privacy complaint referred to QCAT is a good idea but likely to be a rarely used.

Legislating a mandatory data breach notification scheme in Queensland is a good reform.  Basing it on the Commonwealth data breach notification regime is much less welcome.  The Commonwealth regime is poorly drafted and is likely to ensure that too many breaches are not reported. 

It is notable and disappointing that the consultation paper explicitly stated that it will not address:

A statutory tort for invasion of privacy
This was a recommendation made in a number of reports, including the Impala Report.  It is understood that as part of the review of the Privacy Act, the Commonwealth Government is considering whether there should be a similar statutory tort in Australia. Consideration at the Commonwealth level would arguably lead to greater consistency and uniformity in approach.
 A new statutory scheme for civil surveillance
This was recommended by the Queensland Law Reform Commission (QLRC) in its report, Review of Queensland’s Laws relating to civil surveillance and the protection of privacy in the context of current and emerging technologies.  While the RTI and IP Acts relate to the handling of personal information by government, the QLRC Report has a much broader scope, focused on privacy of location and space in the broader community as impacted by both the actions of government and private individuals and organisations. Queensland’s current legislation, the Invasion of Privacy Act 1971, reflects the current regulatory response in this space but is currently limited in its application to listening devices.

The rationale for not considering a statutory tort for invasion of privacy is without merit.  It is the same rationale the Victorian Government used over a decade ago.  There is no impediment to legislating such a tort.  There is no guarantee that there will be a statutory tort.  It has been recommended by State and Commonwealth reviews.  It is difficult to see how a state based statutory tort could vary significantly from a Commonwealth based statutory tort.  And to the extent that they do the State based tort can be amended.  Reforming at a State level where the Commonwealth Government won’t or can’t, should be welcome.  It is a common way reform is achieved in the United States of America.  It is an abrogation of responsibility.


Leave a Reply

Verified by MonsterInsights