Queensland needs stronger laws to act on data breaches and cyber hacking, privacy commissioner says

Mr Green said his office wanted changes made to the Information Privacy Act 2009, including a mandatory reporting requirement of privacy breaches.

"The Crime and Corruption Commission in Queensland recommended in its Operation Impala that we should have that sort of a law because it helps drive good privacy practices, and also people can learn from the mistakes as well."

A spokesperson for Queensland Attorney-General Shannon Fentiman said the minister was considering the recommendation.

The current laws that require mandatory reporting of breaches only cover public sector agencies, and Commonwealth legislation is only applicable to businesses with a turnover of more than $3 million.

Mr Green cited the recent cyber-attack on UnitingCare Queensland as evidence that serious attacks were prevalent in the community, and companies must be vigilant.

"The UnitingCare [incident] is not going to be unique, and other hospitals and healthcare systems have to be vigilant to it happening to their services," Mr Green said.

As it stands, Victoria is the only Australian jurisdiction to have a code of practice for reporting of data breaches.

"Worldwide, these sorts of laws are coming into place," Mr Green said.

"Quite a few jurisdictions in the US, Canada has adopted it, the UK, all through Europe, Japan and New Zealand — have already got those laws in place.

"If we did it tomorrow, we would be the first state to legislate for it, and I would like to see [that happen] because I think it sets the right sort of environment for digital service delivery."

The Office of the Information Commissioner has been calling on the Queensland government to update the Privacy Act to include mandatory reporting of breaches since 2017.