Contact

Queensland’s Data Breach Notification Scheme for Government Agencies

Published
01 Nov 2023
Read time
6 min read
Category
Privacy

Queensland looks to join NSW as the only other Australian state with a mandatory data breach notification scheme. The law will apply to Queensland state government and public sector agencies.

Background to QLD’s Notifiable Data Breach Scheme

The QLD Information Privacy and Other Legislation Amendment Bill 2023, introduced on October 12, contains reforms aimed at improving the accountability of government agencies and boosting privacy protections, including the introduction of mandatory data breach notification.

Attorney-General, Minister for Justice, and Minister for the Prevention of Domestic and Family Violence, Yvette D’Ath introduced the Bil, saying that the scheme will provide ‘clear, consistent requirements to notify individuals of data breaches of Queensland government agencies.’

The introduction of the scheme comes about 15 months after it was recommended to be introduced by the Coaldrake Review into the culture and accountability of the Queensland government.

Queensland’s Data Breach Notification Scheme

What’s an eligible data breach in QLD?

The notification requirements apply to an ‘eligible data breach’ which is defined in the same way as in the Commonwealth mandatory data breach notification scheme.

An ‘eligible data breach’ is a data breach that involves both of the following:

  • There has been unauthorised access, disclosure or loss of, personal information, and
  • That unauthorised access disclosure or loss is likely to result in serious harm to an individual to whom the personal information relates.

When determining whether there is likely to be serious harm, the following are relevant considerations:

  • the kind of personal information accessed, disclosed or lost; and
  • the sensitivity of the personal information; and
  • whether the personal information is protected by one or more security measures, and, if so —the likelihood that any of those security measures could be overcome; and
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and
  • the nature of the harm likely to result from the data breach; and
  • any other relevant matter.

Assessment of Suspected Data Breach

If the agency suspects that there may have been an eligible data breach, it has 30 days to assess whether there are reasonable grounds to believe the data breach is an eligible data breach. Although, it can extend the assessment period via a written notice.

What to do if there is an eligible data breach?

If a Queensland government agency has or suspects it has had an eligible data breach, it must “take all reasonable” containment steps.

Who and what to notify

The Qld Information Commissioner must be notified as soon as reasonably practicable after deciding that there is an eligible data breach.  The notification must contain the following:

  • a description of the kind of personal information the subject of the data breach, without including any personal information in the description;
  • the agency’s recommendations about the steps individuals should take in response to the data breach;
  • whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies;
  • the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following—
    • all individuals affected or likely to be affected by the data breach;
    • either—
      • the total number of individuals notified of the data breach or that would have been notified but for an exemption; or
      • if it is not reasonably practicable to work out the total number, an estimate of the total number
    • whether the individuals notified have been advised about how to make a privacy complaint to the agency.

Affected individuals must also be notified, within the same time period. Affected individuals get much the same information as provided to the Information Commissioner, but also must be notified of:

  • the name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;
  • the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;
  • the date the data breach occurred;
  • information about how the data breach occurred;
  • if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;
  • information about how an individual may make a privacy complaint to the agency.

Notify other agencies

Unlike the Federal legislation, there is also an obligation to notify other agencies, if the agency is aware the data breach may affect another agency. The notice to the other agency must include:

  • a description of the data breach; and
  • a description of the kind of personal information the subject of the data breach, without including any personal information in the description.

The obligation to notify doesn’t apply where one of the other affected agencies has undertaken to conduct the assessment in relation to the data breach.

There are also provisions allowing the sharing of information between agencies, to support an agency taking a lead position in relation to the investigation and management of the data breach.

Exemptions to notification requirements

There are also a series of exemptions, under Division 3, to issuing notifications; these include if notifying could “compromise or worsen the agency’s cyber security; or lead to further data breaches of the agency.”

Register of Eligible Data Breaches

Agencies will need to keep a “register” of eligible data breaches. The register must include the following for each eligible data breach:

  • a description of the eligible data breach;
  • the date any required notification statement is provided to the Commissioner;
  • if individuals are notified of the eligible data breach – the individuals notified and the date and method used to notify the individuals;
  • if the agency relied on an exemption —the exemption relied on;
  • details of the steps taken by the agency to—
    • contain the eligible data breach; and
    • mitigate the harm caused by the eligible data breach;
  • details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.

If it is not practicable to include any or all of the information for an eligible data breach at a particular time, the agency must record the information in the register as soon as it is practicable to do so.

Data Breach Policy

Agencies must also publish a “data breach policy”. The policy must describe how the agency will respond to a data breach, including a suspected eligible data breach, of the agency.

The policy must also be published on the agency website.

Other amendments

The Bill also includes amendments regarding the release of cabinet documents, and reforms to improve alignment with the Commonwealth Privacy Act, including a single set of privacy principles aligned with the Australian Privacy Principles.

Further information:

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.