Queensland's ongoing review of the Information Privacy Act 2009 (IPA) has recently achieved a milestone, with public submissions on the Government's June Consultation Paper having closed on 22 July 2022.
As we inch closer towards a new privacy regime, entities can begin to prepare by familiarising themselves with the changes proposed in the Consultation Paper.
We set out a summary of the more significant proposals to change the IPA below.
Queensland's information privacy framework
Queensland's information privacy framework is articulated in the IPA. The IPA applies privacy controls to the handling of personal information by Queensland Government agencies and health agencies.
Whilst outside the scope of Queensland's review, the Commonwealth Privacy Act 1988 (Commonwealth Act) also regulates the Queensland business landscape by applying privacy controls to Commonwealth agencies and organisations, businesses with an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies and businesses that sell or purchase personal information.
Queensland's privacy regime operates alongside its right to information framework, which is also subject to various proposals under the current review.
The significant proposed changes to the IPA
The definition of 'personal information'
The IPA's primary function is to regulate how 'personal information' is collected, used, stored and disclosed by Queensland agencies. The current definition of personal information is set out in section 12 of the IPA:
"information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
The definition has fallen out of step with the equivalent definition included in the Commonwealth Act, against which the drafting was initially modelled. The Commonwealth definition of personal information has been updated to refer to information about "an identified individual, or an individual who is reasonably identifiable". The discrepancy between the two definitions means that Queenslanders' personal information is subject to different tests depending on whether the agency handling that information is captured by the State or Commonwealth legislation. The Consultation Paper has therefore called for views on whether the 'personal information' definition should be aligned with the current definition of 'personal information' under the Commonwealth Privacy Act 1988.
However, the Commonwealth is presently considering in its own review whether 'personal information' should include technical data and online identifiers and may soon update its definition of 'personal information' along such lines.
There is an opportunity in Queensland's review of the IPA to consider whether technical data and online identifiers that are about an individual (IP addresses, device identifiers or location data, for example) should also be included in the 'personal information' definition, whilst having regard to the Commonwealth's updated privacy legislation, if and when that becomes available.
The "QPP" - a single set of privacy principles for Queensland
The IPA has two sets of privacy principles - one that applies to health agencies in Queensland (the National Privacy Principles, or NPPs), and another that applies to all other Queensland agencies (the Information Privacy Principles, or IPPs). The Commonwealth Act includes a third set of principles (the Australian Privacy Principles, or APPs). Whilst similar, the separate sets of principles are distinct from each other and apply to different entities.
As identified in the Consultation Paper, a potential issue with the current approach is that compliance becomes a costly exercise, particularly for entities subject to more than one set of principles. It also may reduce understanding in the Queensland community of individual privacy rights.
The Queensland Government is proposing that the NPPs and IPPs are removed in favour of a single set of 'Queensland Privacy Principles' (QPP) that are, to the extent reasonable in light of the different jurisdictional contexts, consistent with the APPs in the Commonwealth Act.
The proposal for mandatory data breach reporting
Mandatory data breach reporting refers to the requirement to notify individuals (and/or a regulator) who may be affected by a data breach. Whilst a mandatory data breach reporting scheme has been implemented at the Commonwealth level, there is no compulsion to report data breaches under Queensland's IPA.
In the current review, the Government has sought feedback on a proposal to include a mandatory data breach reporting scheme in the IPA which is triggered by certain unauthorised disclosure of, unauthorised access to, or loss of personal information. The scheme would require the agency responsible for the disclosure, access or loss to notify both the affected individual and the Office of the Information Commissioner. This addition to the IPA would align it with the Commonwealth Act.
The introduction of a new criminal offence
The Queensland Government is considering whether there is a need for a new criminal offence for the misuse of confidential information by public officers. Whilst offences in the Queensland Criminal Code such as section 408 (computer hacking and misuse), section 85 (disclosure of official secrets), section 87 (official corruption), section 88 (extortion by public officers) and section 92A (misconduct in relation to public office) criminalise conduct that may involve the misuse of confidential information by a public officer, no existing offences overlap precisely with the conduct sought to be criminalised by the proposed new offence.
Misuse of information provided by Queenslanders to a public office involves a serious breach of trust and has the potential to cause irreparable harm to the person to whom the information relates. As implied by the Queensland Government in the Consultation Paper, a new offence has the potential to provide a clearer message to the public about acceptable standards of conduct. An appropriately drafted offence could assist prosecutors by providing a more direct and effective avenue for privacy law enforcement.
What happens next?
The Queensland Government will consider the submissions in the context of its policies. As the Commonwealth is also reviewing its privacy legislation, and better alignment with the Commonwealth legislation is one intention of the review, we expect that a period of consultation will be required between government levels to ensure the workability of both frameworks in the Queensland context.
In the meantime, we also anticipate that the responses to the Consultation Paper will soon become available on the Department of Justice and Attorney General's website.