Queensland’s Data Breach Notification Scheme for Government Agencies
Queensland looks to join NSW as the only other Australian state with a mandatory data breach notification scheme. The law will apply to Queensland state government and public sector agencies.
Background to QLD’s Notifiable Data Breach Scheme
The QLD Information Privacy and Other Legislation Amendment Bill 2023, introduced on October 12, contains reforms aimed at improving the accountability of government agencies and boosting privacy protections, including the introduction of mandatory data breach notification.
Attorney-General, Minister for Justice, and Minister for the Prevention of Domestic and Family Violence, Yvette D’Ath introduced the Bil, saying that the scheme will provide ‘clear, consistent requirements to notify individuals of data breaches of Queensland government agencies.’
The introduction of the scheme comes about 15 months after it was recommended to be introduced by the Coaldrake Review into the culture and accountability of the Queensland government.
Queensland’s Data Breach Notification Scheme
What’s an eligible data breach in QLD?
The notification requirements apply to an ‘eligible data breach’ which is defined in the same way as in the Commonwealth mandatory data breach notification scheme.
An ‘eligible data breach’ is a data breach that involves both of the following:
- There has been unauthorised access, disclosure or loss of, personal information, and
- That unauthorised access disclosure or loss is likely to result in serious harm to an individual to whom the personal information relates.
When determining whether there is likely to be serious harm, the following are relevant considerations:
- the kind of personal information accessed, disclosed or lost; and
- the sensitivity of the personal information; and
- whether the personal information is protected by one or more security measures, and, if so —the likelihood that any of those security measures could be overcome; and
- the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and
- the nature of the harm likely to result from the data breach; and
- any other relevant matter.
Assessment of Suspected Data Breach
If the agency suspects that there may have been an eligible data breach, it has 30 days to assess whether there are reasonable grounds to believe the data breach is an eligible data breach. Although, it can extend the assessment period via a written notice.
What to do if there is an eligible data breach?
If a Queensland government agency has or suspects it has had an eligible data breach, it must “take all reasonable” containment steps.
Who and what to notify
The Qld Information Commissioner must be notified as soon as reasonably practicable after deciding that there is an eligible data breach. The notification must contain the following:
- a description of the kind of personal information the subject of the data breach, without including any personal information in the description;
- the agency’s recommendations about the steps individuals should take in response to the data breach;
- whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies;
- the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following—
- all individuals affected or likely to be affected by the data breach;
- the total number of individuals notified of the data breach or that would have been notified but for an exemption; or
- if it is not reasonably practicable to work out the total number, an estimate of the total number
- whether the individuals notified have been advised about how to make a privacy complaint to the agency.
Affected individuals must also be notified, within the same time period. Affected individuals get much the same information as provided to the Information Commissioner, but also must be notified of:
- the name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;
- the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;
- the date the data breach occurred;
- information about how the data breach occurred;
- if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;
- the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;
- information about how an individual may make a privacy complaint to the agency.
Notify other agencies
Unlike the Federal legislation, there is also an obligation to notify other agencies, if the agency is aware the data breach may affect another agency. The notice to the other agency must include:
- a description of the data breach; and
- a description of the kind of personal information the subject of the data breach, without including any personal information in the description.
The obligation to notify doesn’t apply where one of the other affected agencies has undertaken to conduct the assessment in relation to the data breach.
There are also provisions allowing the sharing of information between agencies, to support an agency taking a lead position in relation to the investigation and management of the data breach.
Exemptions to notification requirements
There are also a series of exemptions, under Division 3, to issuing notifications; these include if notifying could “compromise or worsen the agency’s cyber security; or lead to further data breaches of the agency.”
Register of Eligible Data Breaches
Agencies will need to keep a “register” of eligible data breaches. The register must include the following for each eligible data breach:
- a description of the eligible data breach;
- the date any required notification statement is provided to the Commissioner;
- if individuals are notified of the eligible data breach – the individuals notified and the date and method used to notify the individuals;
- if the agency relied on an exemption —the exemption relied on;
- details of the steps taken by the agency to—
- contain the eligible data breach; and
- mitigate the harm caused by the eligible data breach;
- details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.
If it is not practicable to include any or all of the information for an eligible data breach at a particular time, the agency must record the information in the register as soon as it is practicable to do so.
Data Breach Policy
Agencies must also publish a “data breach policy”. The policy must describe how the agency will respond to a data breach, including a suspected eligible data breach, of the agency.
The policy must also be published on the agency website.
The Bill also includes amendments regarding the release of cabinet documents, and reforms to improve alignment with the Commonwealth Privacy Act, including a single set of privacy principles aligned with the Australian Privacy Principles.
- Information Privacy and Other Legislation Amendment Bill 2023
- Qld OIC Data Breach Notification Guidelines – Privacy breach management
- OAIC Data Breach Notification – Notifiable data breaches | OAIC