
Proposed changes to Queensland information privacy laws – Data Protection




Queensland’s ongoing review of the Information Privacy Act 2009
(IPA) has recently achieved a milestone, with public submissions
on the Government’s June Consultation Paper having closed on
22 July 2022.

As we inch closer towards a new privacy regime, entities can
begin to prepare by familiarising themselves with the changes
proposed in the Consultation Paper.

We set out a summary of the more significant proposals to change
the IPA below.

Queensland’s information privacy framework

Queensland’s information privacy framework is articulated in
the IPA. The IPA applies privacy controls to the handling
of personal information by Queensland Government agencies and
health agencies.

Whilst outside the scope of Queensland’s review, the
Commonwealth Privacy Act 1988 (Commonwealth Act)
also regulates the Queensland business landscape by
applying privacy controls to Commonwealth agencies and
organisations, businesses with an annual turnover of more than $3
million, private sector health service providers, credit reporting
bodies and businesses that sell or purchase personal
information.

Queensland’s privacy regime operates alongside its right to
information framework, which is also subject to various proposals
under the current review.

The significant proposed changes to the IPA

The definition of ‘personal information’

The IPA’s primary function is to regulate how ‘personal
information’ is collected, used, stored and disclosed by
Queensland agencies. The current definition of personal information
is set out in section 12 of the IPA:

“… information or an opinion, including information or an
opinion forming part of a database, whether true or not, and
whether recorded in a material form or not, about an individual
whose identity is apparent, or can reasonably be ascertained, from
the information or opinion.”

The definition has fallen out of step with the equivalent
definition included in the Commonwealth Act,
against which the drafting was initially modelled. The Commonwealth
definition of personal information has been updated to refer to
information about “an identified individual, or an individual
who is reasonably identifiable”. The discrepancy between the
two definitions means that Queenslanders’ personal information
is subject to different tests depending on whether the agency
handling that information is captured by the State or Commonwealth
legislation. The Consultation Paper has therefore called for views
on whether the ‘personal information’ definition should be
aligned with the current definition of ‘personal
information’ under the Commonwealth Privacy Act 1988.

However, the Commonwealth is presently considering in its own
review whether ‘personal information’ should include
technical data and online identifiers and may soon update its
definition of ‘personal information’ along such lines.

There is opportunity in Queensland’s review of the IPA to
consider whether technical data and online identifiers that are
about an individual (IP addresses, device identifiers or location
data, for example) should also be included in the ‘personal
information’ definition, whilst having regard to the
Commonwealth’s updated privacy legislation, if and when that
becomes available.

The “QPP” – a single set of privacy principles for
Queensland

The IPA has two sets of privacy principles – one that applies to
health agencies in Queensland (the National Privacy Principles, or
NPPs), and another that applies to all other
Queensland agencies (the Information Privacy Principles, or
IPPs). The Commonwealth Act includes a third set
of principles (the Australian Privacy Principles, or
APPs). Whilst similar, the separate sets of
principles are distinct from each other and apply to different
entities.

As identified in the Consultation Paper, a potential issue with
the current approach is that compliance becomes a costly exercise,
particularly for entities subject to more than one set of
principles. It also may reduce understanding in the Queensland
community of individual privacy rights.

The Queensland Government is proposing that the NPPs and IPPs
are removed in favour of a single set of ‘Queensland Privacy
Principles’ (QPP) that are, to the extent
reasonable in light of the different jurisdictional contexts,
consistent with the APPs in the Commonwealth Act.

The proposal for mandatory data breach reporting

Mandatory data breach reporting refers to the requirement to
notify individuals (and/or a regulator) who may be affected by a
data breach. Whilst a mandatory data breach reporting scheme has
been implemented at the Commonwealth level, there is no compulsion
to report data breaches under Queensland’s IPA.

In the current review, the Government has sought feedback on a
proposal to include a mandatory data breach reporting scheme in the
IPA which is triggered by certain unauthorised disclosure of,
unauthorised access to, or loss of personal information. The scheme
would require the agency responsible for the disclosure, access or
loss to notify both the affected individual and the Office of the
Information Commissioner. This addition to the IPA would align it
with the Commonwealth Act.

The introduction of a new criminal offence

The Queensland Government is considering whether there is a need
for a new criminal offence for the misuse of confidential
information by public officers. Whilst offences in the Queensland
Criminal Code such as section 408 (computer hacking and misuse),
section 85 (disclosure of official secrets), section 87 (official
corruption), section 88 (extortion by public officers) and section
92A (misconduct in relation to public office) criminalise conduct
that may involve the misuse of confidential information by a public
officer, no existing offences overlap precisely with the conduct
sought to be criminalised by the proposed new offence.

Misuse of information provided by Queenslanders to a public
office involves a serious breach of trust and has the potential to
cause irreparable harm to the person to whom the information
relates. As implied by the Queensland Government in the
Consultation Paper, a new offence has the potential to provide a
clearer message to the public about acceptable standards of
conduct. An appropriately drafted offence could assist prosecutors
by providing a more direct and effective avenue for privacy law
enforcement.

What happens next?

The Queensland Government will consider the submissions in the
context of its policies. As the Commonwealth is also reviewing its
privacy legislation, and better alignment with the Commonwealth
legislation is one intention of the review, we expect that a period
of consultation will be required between government levels to
ensure the workability of both frameworks in the Queensland
context.

In the meantime, we also anticipate that the responses to the
Consultation Paper will soon become available on the Department of
Justice and Attorney General’s website.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader’s specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.


