Momentum is building for an overhaul of Queensland’s privacy laws.
Changes have been recommended by the 2017 review of the Information Privacy Act 2009 (Qld) (Information Privacy Act) and the Crime and Corruption Commission’s 2020 report on misuse of confidential information in the Queensland public sector, but no legislation to give effect to the amendments has yet been introduced.
Queensland’s privacy regulator, the Office of the Information Commissioner (OIC), has recently petitioned the federal government to align federal privacy laws with the General Data Protection Regulation (GDPR), and will no doubt be looking for the same changes in Queensland laws.
What is the state of Queensland’s privacy laws?
The Information Privacy Act was passed in 2009 to introduce privacy obligations applicable to Queensland Government departments and agencies. It reflected the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) in place under the federal Privacy Act at that time.
Since then, a number of developments have occurred.
- In 2013 and 2016-17, the Information Privacy Act was reviewed. Recommended changes to the Act arising from both of those reviews have not been given effect.
- In 2014, the federal Privacy Act 1988 (Cth) (Privacy Act) underwent significant reform, including the consolidation of the IPPs and NPPs into a single set of Australian Privacy Principles (APPs).
- In 2018, a mandatory data breach notification scheme was introduced to the federal Privacy Act, which rapidly led to a significant rise in reported data breaches and to consistent data on the prevalence of personal information data breaches amongst Privacy Act-regulated entities.
- Also in 2018, the GDPR took effect in the European Union, with extra-territorial reach to entities outside the European Union who have an establishment in the Union, target individuals in the EU to offer goods and services, or monitor the behaviour of individuals in the EU.
- From at least 2018 (and probably earlier), the OIC has been consistently advocating for a mandatory data breach notification scheme in Australia.
- In 2020, the Crime and Corruption Commission published its report on Operation Impala – Report on the misuse of confidential information in the Queensland public sector – which contains a series of recommendations for amendments to the Information Privacy Act.
- In late 2020, a review of the federal Privacy Act was announced, with a view to recommending substantive updates to the Privacy Act so it is fit for purpose. Consultation on the issues paper closed in December 2020, and submissions have been published online.
Key recommendations from Operation Impala include:
- introducing a mandatory data breach notification scheme under the Information Privacy Act
- introducing powers for the OIC to undertake own-motion investigations, instead of having to wait for a complaint by an affected individual, and giving the OIC the power to make a declaration following an investigation (akin to the position under the federal Privacy Act)
- simplifying the IPPs and the NPPs into a single set of Privacy Principles (with regard to the APPs)
- updating the definition of ‘personal information’ to reflect the definition in the federal Privacy Act
- introducing a statutory tort for serious invasions of privacy by misuse of personal information
- setting out the “reasonable steps” an entity should take to protect personal information in more detail, like under the GDPR, and
- requiring agencies to have a ‘privacy champion’ and to incorporate privacy by design into executive decision-making processes.
No doubt at least some of these recommendations are on hold while the review of the federal Privacy Act progresses – there would be little point in aligning the Queensland laws with the current federal laws if they are likely to move in any substantive way in the next few years.
The issues being considered as part of the federal Privacy Act review are wide-ranging. Some of the issues seized on by the OIC in its submission to the review include:
- aligning the Privacy Act with the GDPR, to reduce the compliance burden on businesses, and to promote business between Australia and Europe
- updating the definition of personal information to include information ‘relating’ to an identifiable person, avoiding the current contention about whether information is ‘about’ a person
- considering ethical constraints on AI, including putting limits on automated decision-making
- introducing a ‘right to be forgotten’
- introducing notifiable data breach schemes in state and territory jurisdictions that are aligned with the federal scheme
- suggesting that the Federal Government adopt a statutory National Bill of Rights or Charter to enshrine the protection of human rights, including the right to privacy, and
- support for adequate resourcing of the federal privacy regulator, to effectively regulate expanded privacy laws.
Government agencies sharing personal information
It is also notable that while federal legislation has been introduced to Parliament that provides for a regulatory regime for data sharing by Commonwealth Government agencies,[1] there is no equivalent Queensland legislation yet (although there are government policies on open data).
Where Queensland Government agencies and health agencies are considering sharing data which includes personal information, they must comply with the IPPs and NPPs (respectively). The OIC has recently issued guidance on how agencies can share personal information between them,[2] and how health agencies can share personal information.[3]
How can Queensland Government agencies start preparing for changes?
Queensland Government agencies (especially those managing whole-of-government contracting frameworks) should consider reviewing standard privacy terms in their template or frequently used agreements to make them referable to the then-current law. For example, instead of setting out a full definition of personal information, contracts could refer to the term as defined in the Information Privacy Act, avoiding the need to vary the contract if the definition of ‘personal information’ is updated.
The same tip applies to clauses imposing privacy obligations – agencies should look to build in flexibility so the clause refers to then-current laws, or include an express clause giving the agency the right to incorporate new requirements if there are changes to privacy laws.
In light of the Operation Impala recommendations, it might also be prudent to brief senior executives on the principles of privacy by design, and what adopting that approach would mean for the agency.
Otherwise, we recommend keeping an eye on the federal Privacy Act review, which is likely to inform any changes to the Information Privacy Act.
What is the timeline for change?
The federal Attorney-General is expected to soon release for consultation draft legislation with amendments to the federal Privacy Act.
This will lay the groundwork for Queensland to consider what, if any, amendments at the federal level may be appropriate in the Queensland context. Such changes could start being debated as early as late this year.
This article appears courtesy of Corrs Chambers Westgarth. Helen Clarke is a Partner and Viva Swords is a Senior Associate at Corrs Chambers Westgarth. This article was first published by Corrs Chambers Westgarth on 8 June.
[1] Data Availability and Transparency Bill 2020 (Cth). See our article at corrs.com.au/insights/streamlining-the-responsible-sharing-of-public-sector-data.