Lays out obligations and exemptions.
- The Queensland government has introduced a bill to amend the Information Privacy Act 2009 to require entities to notify the privacy commissioner and affected individuals of data breaches that are likely to result in serious harm.
- The bill also aims to align Queensland’s privacy framework with the federal Notifiable Data Breaches scheme and other jurisdictions, as well as to enhance the powers and functions of the privacy commissioner.
- It defines a data breach as unauthorised access to, disclosure of, or loss of personal information, and serious harm as physical, psychological, emotional, reputational, or financial harm.
- Whilst stipulating criteria for mandatory breach notifications, the bill provides exceptions for data breaches that are notified under other laws, such as the federal Privacy Act 1988, or that are unlikely to result in serious harm after remedial action is taken.
- This new legislation is expected to improve the protection of personal information and the accountability of entities that handle such information in Queensland.
- It follows a series of reports over the last five years recommending changes to the state’s Information Privacy Act 2009 and Right to Information Act 2009, including through the introduction of a mandatory data breach (MDB) notification scheme.
- The bill is based on the Commonwealth’s Notifiable Data Breaches scheme, which has been in operation since February 2018 and applies to federal government agencies and certain private sector organisations.