The world of privacy legislation has been a moving feast in recent times, kicking off with the introduction of the European General Data Protection Regulation (GDPR) in 2018. The GDPR had an international impact and led to massive change and fines for major global companies. This was followed by various changes to other international regimes, and then the recent amendments to the Federal Privacy Act driven by the Medicare and Optus breaches, with more changes to come.

While all of this has occurred, the Queensland Information Privacy Act has remained largely unchanged since its original passing in 2009. Various reviews have occurred during this period, but until now, no major changes have resulted.

The Information Privacy and Other Legislation Amendment Act 2023 was passed on 29 November 2023, bringing a new regime to public sector privacy in Queensland. The most notable changes are:

  • replacement of the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) with a single set of Queensland Privacy Principles (QPPs), modelled on the Federal regime's Australian Privacy Principles (APPs); and
  • introduction of a mandatory data breach notification scheme, again similar in nature to the scheme that was introduced at a Federal level in 2018.

The changes have yet to commence, and given the significant work government will need to undertake to comply with the new regime, it is likely to be a while before they do.

In this intervening period, agencies will need to review the new requirements and begin overhauling their privacy practices and processes to comply with the new regime – such as developing a new QPP privacy policy and publishing it on their website.

While the new QPPs are based on the APPs, there are some significant differences, so agencies cannot simply look to APP-based compliance programs. For example, APP 8, which relates to overseas disclosure, has not been included, with the retention of a separate section in the Information Privacy Act dealing with the issue. Some other APP provisions have also been excluded where they are not relevant to government, such as in relation to direct marketing. The numbering remains aligned with the APPs, but QPPs 7 through 9, relating to direct marketing, overseas disclosure and adoption of government identifiers, simply contain no requirements.

Another key task for agencies is putting in place the capability to respond to a data breach and make the relevant notifications within 30 days. This includes notifying the Information Commissioner and affected individuals. Data breach response plans will need to be developed and tested, and all personnel will need to understand the relevant processes and procedures – as a data breach can start anywhere in your organisation.

A new privacy regime is coming – and the work to ensure compliance with it should start now.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.