Qld IPOLA is Coming, So What Do You Need To Do?

If you don’t know what IPOLA refers to, this post may not be for you. However,  if you are one of the many Queensland agencies, government owned organisations and contracted service providers that are subject to the Information Privacy Act 2009 – you probably have heard of the amendments to be introduced by the Information Privacy and other Laws Amendments Act, fondly known as IPOLA.

In this post we cover some of the important changes that you should be thinking about and the impacts for your organisation.

The Office of the Information Commissioner (OIC) has been very diligently providing a swag of helpful resources for the IPOLA changes.  They can be accessed here and more links are included at the end of the post.

Background and Important Dates

Leaving aside changes to the Right to Information process (which will now be subject to a single route of access and amendment via the RTI Act, including for documents containing personal information), the main changes to be introduced by IPOLA are:

• Adjusted definition of personal information and introduction of the concept of ‘sensitive information’ and different requirements in terms of collection, use and disclosure 

• A single set of Queensland Privacy Principles (QPP) which are largely aligned to the APPs that are part of the Privacy Act 1988 (Cth)
• The application of these new QPPs introduces broader control requirements for agencies, including a QPP Privacy Policy, Data Breach Policy, and publication scheme changes 
• Reforms to the processing period for access and amendment applications 
• Increased scope for privacy complaints and introduction of a response period for agencies managing privacy complaints 
• Introduction of a Mandatory Notification of Data Breach (MNDB) scheme applicable (with delayed application)
• Enhanced powers and functions for the Queensland Information Commissioner, including: 
  • powers to investigate or act as an own motion in support of compliance with privacy principles and the MNDB scheme 
  • power to refer documents to agencies during an external review.

Keep these dates in mind:

• 1 July 2025 –Commencement of main IPOLA Act amendments 
• 1 July 2026 –Commencement of Mandatory Notification of Data Breach (MNDB) scheme in local government

So, July 2025 is fast approaching.  What are some of the things you should be considering (if IPOLA applies to your organisation).

Collection, Use and Disclosure of Sensitive Information

A new category of information – called ‘Sensitive Information” is defined in Schedule 5 IPA.  The definition is the same as in the Federal Privacy Act i.e. information or an opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation or practices etc.

There are specific rules around the collection (QPP 3) and the use and disclosure (QPP 6) of sensitive information, again like those in the Privacy Act (for those familiar with those requirements).

For many agencies, the way that sensitive information is collected, used and disclosed may require significant review given the more restrictive requirements to be introduced e.g. 

• Sensitive information can only be collected with consent unless one of the exemptions (QPP 3)
• Sensitive information may only be used for a directly related and reasonably expected secondary purpose (QPP 6) (or on other limited bases).

IPOLA Guidance n personal and sensitive information is available here.  And there’s also information on consent including a warning about relying on opt-out consent.

Privacy Notices 

Old IPP 2 required agencies to make individuals aware of the personal information being collected, the purpose of collection and who that information might be disclosed to.

New QPP 1.2 requires agencies to publish a privacy notice, as part of the agency transparency obligations, with more information to be included.  QPP 1.4 specifies that additional Information to be disclosed which includes:

• the kinds of personal information the agency collects and holds, including whether it collects and holds sensitive information
• how personal information is collected and held, including how the agency stores and secures personal information
• the purposes for which personal information is collected, held, used and disclosed
• how an individual can access their personal information and seek its amendment – this could include whether administrative access is available for accessing personal information and a link to the agency’s RTI page
• how an individual can complain if the agency breaches the QPPs and how the complaint will be handled – this could refer and link to a separate privacy complaint handling procedure
• if the agency is likely to disclose personal information to overseas recipients, and, if practicable, the countries in which such recipients are likely to be located.
• Agencies must take reasonable steps to make their QPP privacy notices available free of charge in an appropriate form. 

The privacy notice should be published on the agency’s website, preferably linked from the website’s footer, and locatable using the website’s search function. More information on privacy notices is here.

Collection Notices

QPP 5, like APP 5, requires agencies that collect personal information to take reasonable steps to make sure individuals are aware of the matters listed in QPP 5 at the time of collection – whether the personal information is collected directly from the individual or indirectly e.g. from  a third party.  The information to be covered in the Collection Notice is specified and includes:

• the identity and contact details of the agency
• the purposes of collection
• the main consequences (if any) for the individual if the personal information is not collected
• the agency’s usual disclosures of this kind of personal information
• information about the agency’s QPP privacy policy including how to access and amend personal information held; and
• whether the agency is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located,
• the fact and circumstances of the collection if not collected directly and the consequences if the information is not collected.

The notification does not need be via a formal QPP 5 notice and the information can be provided in other ways e.g., informally or verbally.  (More information on QPP 5 is here.)

Updating your Privacy Impact Assessments

With the move to new QPPs replacing IPPs- – your PITA and PIA assessment templates will need an overhaul.

The OIC has provided guidance on undertaking a PIA under IPOLA: here.

The OIC has made updated templates available to assist in updating your Privacy Threshold Assessment and Privacy Impact Assessments templates to match the new QPPa:

• PIA Threshold Assessment Form (PDF, 536.51 KB)
• PIA Report Template (DOCX, 1271.9 KB)

It has also published a resource on Risk Considerations in PIAs here.  For anyone who has completed a PIA, the identification of risks by reference to QPPs and across the key data lifecycle stages of collection, use and disclosure, accountability is very useful.  There is also a list of security measures for different types of security risks (physical security, technical solutions etc).

Mandatory Data Breach Notification

We covered the proposed Qld Data Breach Notification Scheme here.

You have  a little more time to get this in place but data breach response should be something that every organisation has at least thought about as part of its security controls.  Not having some sort of incident response plan in place is likely to be a fairly significant failure to maintain reasonable security measures (as required by QPP 11).

Your Action List to Prepare for IPOLA

The following advice is from the OIC – updated with some additional suggestions from our team:

• Appoint a senior stakeholder to coordinate and lead the implementation of IPOLA reforms across your agency 
• Develop an action plan – focusing on the highest risk activities.
• Undertake an audit of the information held by your agency, and identify the personal information and sensitive information held.  It may also be worthwhile recording the purpose of collection and establishing some sort of Personal Information Inventory or Register.  The GDPR requires organisations to maintain a Record of Processing Activities.  This can be a very useful tool  as a high-level overview of an organisation’s personal information holdings.  
• Doing the audit will involve engaging the business areas across your agency.  It can provide an opportunity to update those areas on the changes and also do a high level check on their privacy practices.
• Part of increased accountability expectations (under QPP 1) is the idea that agencies should understand, manage and regularly review their privacy risks. This requires cross-organisational collaboration and is essential for the targeting of limited resources to the areas of greatest need.
• Privacy impact assessments should be a key part of the organisational approach to managing privacy risk. We covered above the new templates required for assessment against the QPPs.  This might be a good opportunity to update and improve adoption and use of PIAs across the agency.
• Update policies and procedures to reflect the new QPP requirements including the new access and amendment arrangements.  In particular think about how you can introduce the new QPP 5 Notice of Collection requirement, as well as access to your updated Privacy Notice.
• And once you’ve done all of that, roll out training for all relevant staff on your updated operational practices and their IP and RTI obligations

And all before 1 July 2025…

Useful resources:

Mandatory Notification of Data Breach Scheme – Quick Guide

Definition of Personal Information – Quick Guide

Information Privacy Reforms – Quick Guide

Right to Information Amendments – Quick Guide

OIC Basic Guide to Changes