Queensland’s Information Privacy Act review: What’s being considered?
Queensland is updating its Information Privacy and Right to Information Framework, with a consultation paper issued earlier this year for comment. In this post we cover the main proposals raised for consideration in the review plus our responses.
You can read our full response here: Information Privacy Act Review Document
Background to Information Privacy Act review
The Queensland Attorney-General is undertaking a review[1] of Queensland’s Information Privacy Act 2009 and Right to Information Act 2008 to ensure they remain contemporary and relevant.
The Review seeks to bring together developments over the last few years including several inquiry reports[2] and their recommendations relating to regulation of personal information, including whether:
- Queensland should have a mandatory data breach notification scheme,
- Queensland’s current Information Privacy and Right to Information Framework remains fit for purpose,
- Queensland’s two sets of Privacy Principles should be combined and aligned more closely to the Privacy Act 1988 (Cth), and
- A new criminal offence should be created to address the misuse of confidential information by public officers.
While reviews of this nature are crucial to ensure regulation remains fit for purpose, it is important to acknowledge that a review of the Privacy Act is currently underway, which is likely to result in very significant reforms to that Act. In particular, there is potential for:
- an updated definition of ‘personal information’ which will specifically include technical data and online identifiers;
- stricter requirements for when and how consent is obtained;
- the acknowledgement of an over-arching ‘fair and reasonable’ data processing approach;
- a shift from a purely principles-based regime to more prescriptive measures for certain key protections; and
- enhancement of the OAIC’s enforcement powers and further rights for individuals.
It is important that any amendments made to the IP Act take into consideration changes to the Privacy Act. This means that changes to the IP Act should be delayed until those amendments are known and implemented.
What’s being considered as part of the Information Privacy Act review?
Definition of Personal Information
As noted, the Privacy Act is currently under review, with the definition of Personal Information likely to be updated to extend more specifically to include technical data and online identifiers.
There is merit in amending the definition of personal information in the IP Act, but in a way that conforms with the definition that will be included in the updated Privacy Act.
A single set of Privacy Principles for Queensland Agencies
Maintaining different sets of principles, as the IP Act does, is overly burdensome and unnecessary. It also requires contracted service providers to comply with different principles and places an undue compliance burden on businesses that work with State and Federal government agencies.
We endorse the objective of a single set of privacy principles, subject to consistency in approach between Queensland and the Commonwealth.
Criminal Sanctions for misuse of personal information by public officers
We agree with the proposal to implement criminal sanctions for misuse of personal information by public officers.
While there are misconduct and criminal corruption offences in the Criminal Code that could be used to punish misuse of personal information, these offences are generic and not well suited to prosecution of data processing crime.
Given some of the misuses of personal information that have been revealed, it is important that strong disincentives are established to ensure that individuals’ personal information is appropriately protected.
Mandatory Data Breach Notification Scheme
The introduction of a mandatory data breach notification scheme would enhance the existing security obligations of agencies in the protection of personal information, ensure that agencies are well prepared to respond to a data breach, and enable individuals to take steps to mitigate any risk associated with a data breach.
We note that recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) implement a broader range of data breach notification requirements that will impact on some Queensland Government agencies. It is important that consideration is given to inter-agency cooperation to implement a single point of notification and a uniform approach to response.
What’s Next?
The consultation closed on 22 July 2022. We expect that the Attorney-General will take some time to consider the submissions made in response to the two consultation papers. Keep an eye on our website for developments in this space.
You can read Privacy108’s submission here: Information Privacy Act Review Document
[1] Consultation Paper – Proposed changes to Queensland’s Information Privacy and Right to Information Framework June 2022
[2] the Review of the Right to Information Act 2009 and Information Privacy Act 2009 Review Report tabled in the Legislative Assembly on 12 October 2017, the Crime and Corruption Commission (CCC)’s report, Operation Impala, A report on misuse of confidential information in the Queensland public sector tabled in the Legislative Assembly on 21 February 2020, the CCC’s report, Culture and Corruption Risks in Local Government: Lessons from an investigation into Ipswich City Council Report tabled in the Legislative Assembly on 14 August 2018, and the Strategic Review of the Office of the Information Commissioner Report, tabled in the Legislative Assembly on 11 May 2017.