Queensland Parliament passes mandatory data breach notification legislation for Government agencies. To come into effect on 1 July 2026

December 3, 2023

On November 29, 2023, the Attorney General, the Minister for Justice, and the Minister for the Prevention of Domestic and Family Violence announced that the Information Privacy and Other Legislation Amendment Act 2023 was passed by the Queensland Parliament, creating, among other things, a mandatory data breach notification scheme (MDBN Scheme).

The press release, found here, provides:

Queensland government agencies will be subject to new requirements for managing personal information, and a mandatory data breach scheme will be established, after the Information Privacy and Other Legislation Amendment Act 2023 was passed by parliament today. 

The information privacy reforms are currently expected to begin on 1 July 2025, with the commencement of the mandatory data breach notification scheme as it applies to local governments not commencing until 1 July 2026.

The legislation improves privacy protections available to individuals while the mandatory data breach notification scheme will strengthen and regulate the response to data breaches by government agencies.

It will require agencies to notify affected individuals and the Office of the Information Commissioner of eligible data breaches that could result in serious harm.

Queensland and New South Wales are the only Australian states to legislate such a scheme.

Notifying individuals under the new scheme means they will be empowered to take action to manage risks and mitigate harm from a data breach.

The requirement for notification will prompt agencies to consider data security issues and will make them more proactive in preventing and managing data breaches.

Other improvements include:

    • Greater consistency with the Commonwealth Privacy Act
    • Reforms to the Right to Information framework to reduce red tape and deliver efficiencies for applicants and agencies; and
    • Amendments to the Criminal Code to increase the maximum penalty for conduct relating to the misuse of restricted computers.

The Act was passed following several reviews, including two key reports of the Crime and Corruption Commission, a review of right to information and privacy legislation, and the Coaldrake review into the Queensland public sector.

Quotes attributable to Attorney-General, Minister for Justice and Minister for the Prevention of Domestic and Family Violence Yvette D’Ath:

“This legislation responds to a wide range of recommendations outlined in several key reports.

“In doing so, it implements critical reforms which go to the heart of Queensland’s integrity framework.

“We are proud to have this legislation pass through Parliament and it shows the Palaszczuk Government’s commitment to integrity and transparency.

“The mandatory data breach notification scheme is significant and will enhance public confidence in Queensland’s privacy laws.

“Everyone is aware of high-profile data breaches in recent years.

“That’s why we have progressed these reforms to ensure individuals are notified of data breaches of Queensland government agencies which are likely to result in serious harm.

“This will empower affected individuals to take action that will reduce the risk of adversity from a data breach.”

The Information Privacy and Other Legislation Amendment Act 2023 is found here.

Under the legislation there will be obligations regarding data breaches that involve unauthorized access to, or unauthorized disclosure of, personal information, and that are likely to result in serious harm to affected individuals. The Government will need to:

  • assess whether there are reasonable grounds to believe that the data breach is an eligible data breach within the scope of the MDBN Scheme;
  • immediately take reasonable steps to contain and mitigate the harm caused by a confirmed or suspected eligible data breach;
  • notify affected individuals and the Office of the Information Commissioner (OIC) where appropriate; and
  • prepare a statement to the OIC with a description of the kind of personal information affected by the data breach, the steps recommended by the agency to respond to the incident, and the total number or an estimate of the individuals affected, among other things.

The MDBN Scheme does not apply, inter alia, if:

  • the agency has taken mitigation steps before any harm affects individuals and, as a result, the data breach is no longer likely to cause serious harm to any individual; and
  • compliance with the MDBN Scheme would:
    • be inconsistent with a provision that prohibits or regulates the use or disclosure of information;
    • create a serious risk of harm to an individual’s health or safety; or
    • compromise or worsen the agency’s cybersecurity or lead to further data breaches within the agency.

The MDBN Scheme also provides for specific obligations regarding data breaches that affect more than one Government agency.
