Legislation introduced to the Queensland Parliament on Thursday will establish a mandatory data breach notification scheme for the state’s government agencies, addressing recommendations made half a decade ago.
If passed, the government’s Information Privacy and Other Legislation Amendment Bill 2023 would establish requirements for agencies to notify affected individuals and the state’s privacy watchdog of eligible data breaches that would likely result in serious harm.
A similar scheme exists at the Commonwealth level covering federal agencies and parts of the private sector, but Queensland will join New South Wales as the only state or territory government with a notifiable data breach scheme.
The absence of the schemes make government held information less secure and put citizens at more risk when breaches occur, according to privacy and security advocates.
The Queensland bill also brings the state’s privacy law more in line with national privacy principles and supports a scheme to proactively reduce Cabinet documents and lower barriers to citizens accessing government held information.
Currently, Queensland agencies are not obligated to report data breaches despite recommendations from the regulator in 2016 and a 2020 review of the state government’s management of confidential personal information also calling for a data breach notification scheme.
A damning review of the state’s public sector last year by Professor Peter Coaldrake also backed a notification scheme.
The Palaszczuk government committed to introducing the scheme last year, shortly after the Coaldrake review was published.
Queensland Attorney General Yvette D’Ath said recent high profile data breaches have underscored the harm the unauthorised access causes.
“That’s why we are establishing this scheme so there are clear, consistent requirements to notify individuals of data breaches of Queensland government agencies, so that individuals are empowered to take steps to reduce the risk of harm resulting from a data breach,” she said.
“The reforms will also ensure Queensland’s privacy laws remain contemporary and relevant given the changes to the use of technology, and to the way in which personal information is collected, used, accessed, stored and disclosed in today’s digital world.”
New South Wales passed legislation last year to set up a similar scheme in the state.
