Momentum is building for an overhaul of Queensland's privacy laws. Changes have been recommended by the 2017 review of the Information Privacy Act (Qld) and the Crime and Corruption Commission's 2020 report on misuse of confidential information in the Queensland public sector, but no legislation to give effect to the amendments has yet been introduced.
Queensland's privacy regulator, the Office of the Information Commissioner (OIC), has recently petitioned the federal government to align federal privacy laws with the General Data Protection Regulation (GDPR), and will no doubt be looking for the same changes in Queensland laws.
What is the state of Queensland's privacy laws?
The Information Privacy Act was passed in 2009 to introduce privacy obligations applicable to Queensland government departments and agencies. It reflected the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) in place under the federal Privacy Act at that time.
Since then, a number of developments have occurred.
- In 2013 and 2016-17, the Information Privacy Act was reviewed.
Recommended changes to the Act arising from both of those reviews
have not been given effect.
- In 2014, the federal Privacy Act underwent significant reform,
including the consolidation of the IPPs and NPPs into a single set
of Australian Privacy Principles (APPs).
- In 2018, a mandatory data breach notification scheme was
introduced to the federal Privacy Act, which rapidly saw a
significant rise in reported data breaches, and consistent data on
the prevalence of personal information data breaches amongst
Privacy Act-regulated entities.
- Also in 2018, the GDPR took effect in the European Union, with
extra-territorial reach to entities outside the European Union who
have an establishment in the Union, target individuals in the EU to
offer goods and services, or monitor the behaviour of individuals
in the EU.
- From at least 2018 (and probably earlier), the OIC has been
consistently advocating for a mandatory data breach notification
scheme in Australia.
- In 2020, the Crime and Corruption Commission published its
report on Operation Impala – Report on the misuse of
confidential information in the Queensland public sector –
which contains a series of recommendations for amendments to the
Information Privacy Act.
- In late 2020, a review of the federal Privacy Act was announced, with a view to recommending substantive updates to the Privacy Act so it is fit for purpose. Consultation on the Issues Paper closed in December 2020, and submissions have been published online.
Key recommendations from Operation Impala include:
- introducing a mandatory data breach notification scheme under
the Information Privacy Act;
- introducing powers for the OIC to undertake own-motion
investigations, instead of having to wait for a complaint by an
affected individual, and giving the OIC the power to make a
declaration following an investigation (akin to the position under
the federal Privacy Act);
- simplifying the IPPs and the NPPs into a single set of Privacy
Principles (with regard to the APPs);
- updating the definition of 'personal information' to
reflect the definition in the federal Privacy Act;
- introducing a statutory tort for serious invasions of privacy
by misuse of personal information;
- setting out the "reasonable steps" an entity should
take to protect personal information in more detail, like under the
- requiring agencies to have a 'privacy champion' and to incorporate privacy by design into executive decision-making processes.
No doubt at least some of these recommendations are on hold while the review of the federal Privacy Act progresses – there would be little point in aligning the Queensland laws with the current federal laws if they are likely to move in any substantive way in the next few years.
The issues being considered as part of the federal Privacy Act review are wide-ranging. Some of the issues seized on by the OIC in its submission to the review include:
- aligning the Privacy Act with the GDPR, to reduce the
compliance burden on businesses, and to promote business between
Australia and Europe;
- updating the definition of personal information to include
information 'relating' to an identifiable person, avoiding
the current contention about whether information is 'about'
- considering ethical constraints on AI, including putting limits
on automated decision-making;
- introducing a 'right to be forgotten';
- introducing notifiable data breach schemes in State and
Territory jurisdictions that are aligned with the federal
- suggesting that the federal government adopt a statutory
National Bill of Rights or Charter to enshrine the protection of
human rights, including the right to privacy; and
- support for adequate resourcing of the federal privacy regulator, to effectively regulate expanded privacy laws.
How can Queensland government agencies start preparing for changes?
Queensland government agencies (especially those managing whole-of-government contracting frameworks) should consider reviewing standard privacy terms in their template or frequently used agreements to make them referable to the then-current law. For example, instead of setting out a full definition of personal information, contracts could refer to the term as defined in the Information Privacy Act, avoiding the need to vary the contract if the definition of 'personal information' is updated.
The same tip applies to clauses imposing privacy obligations – agencies should look to build in flexibility so the clause refers to then-current laws, or include an express clause giving the agency the right to incorporate new requirements if there are changes to privacy laws.
In light of the Operation Impala recommendations, it might also be prudent to brief senior executives on the principles of privacy by design, and what adopting that approach would mean for the agency.
Otherwise, we recommend keeping an eye on the federal Privacy Act review, which is likely to inform any changes to the Information Privacy Act.
What is the timeline for change?
The federal Attorney-General is expected to soon release for consultation draft legislation with amendments to the federal Privacy Act.
This will lay the groundwork for Queensland to consider what, if any, amendments at the federal level may be appropriate in the Queensland context. Such changes could start being debated as early as late this year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.