
Privacy changes: new compliance obligations for Queensland Government agencies

Substantial amendments to the Information Privacy Act 2009 (Qld) (IP Act) were passed by the Queensland Parliament in November 2023.

The Information Privacy and Other Legislation Amendment Act 2023 (Qld) will require Queensland Government agencies to comply with enhanced obligations with respect to the collection, use, disclosure and storage of personal information. Notably, the changes will also require Queensland Government agencies to develop new policies and processes to meet the mandatory data breach notification obligations.

It is anticipated that the majority of the amendments to the IP Act will commence on 1 July 2025. The mandatory data breach notification scheme will have a delayed application to local governments, not coming into effect until a year after the Act’s commencement (i.e. 1 July 2026).

Below, we summarise the key aspects of the reform and the actions Queensland Government agencies will need to take in response.

1. Mandatory data breach notification

Queensland will become the second State, after New South Wales, to impose mandatory data breach notification obligations on its government agencies. The obligations set out in the new data breach notification scheme of the IP Act are broadly consistent with the notifiable data breaches scheme under the Commonwealth Privacy Act. Whilst many Queensland agencies already notify affected individuals of data breaches as a matter of best privacy practice, the new mandatory obligations, with their fixed timeframes and prescribed content, represent a step change in agencies’ compliance obligations.

In summary, where an agency knows or suspects that a data breach involving the loss of, or unauthorised access to or disclosure of, personal information has occurred, it will be required to assess whether there are reasonable grounds to believe the data breach is an ‘eligible data breach’. This assessment must be completed within 30 days.

A data breach will be an ‘eligible data breach’ where the data breach involves ‘loss, unauthorised access to, or unauthorised disclosure of, personal information in a manner which is likely to result in serious harm to the individual to whom the information relates.’

In making this determination, agencies must consider a number of factors including the sensitivity of the personal information, the persons who have obtained the personal information and the nature of the harm likely to result from the data breach.

As soon as practicable after forming the belief that an ‘eligible data breach’ has occurred, agencies must:

  • prepare and give a statement to the Information Commissioner about the breach; and

  • notify each individual who is affected or whose personal information has been accessed, disclosed or lost, or, if it is not practicable to identify each individual, publish a notification on the agency’s website for at least 12 months (the Information Commissioner will also publish the notification on its website).

The IP Act contains specific requirements regarding what details need to be included in the notifications to individuals including details of the breach, the steps the agency has taken to contain the breach and the agency’s recommendations about the steps individuals should take in response to the breach.

There are a number of exemptions to the mandatory data breach notification requirements, including where notification would prejudice an investigation or proceedings, where the agency has taken remedial action before serious harm results, where notification would be inconsistent with confidentiality obligations, and where notification would compromise the agency’s cybersecurity. Agencies relying on an exemption should document the basis for doing so, as the Information Commissioner may require information about the breach (see section 5 below).

Agencies will also be required to keep a register of eligible data breaches and to publish a data breach policy setting out how they will respond to eligible data breaches (including suspected breaches).

2. Queensland Privacy Principles

Currently the IP Act contains two sets of privacy principles, the National Privacy Principles (NPPs) which apply to health agencies, and the Information Privacy Principles (IPPs) which apply to all other Queensland Government agencies. The amendments to the IP Act will replace the existing NPPs and IPPs with a single set of Queensland Privacy Principles (QPPs) applying to all Queensland Government agencies. The QPPs are based on, and generally consistent with, the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

Like the current NPPs and IPPs, the QPPs cover all aspects of the information handling life cycle, including collection, use, disclosure, storage, security, access, amendment and accuracy. However, the QPPs introduce several new requirements with which agencies will need to comply. These include:

  • Anonymity and pseudonymity. QPP2 addresses the issue of anonymity and pseudonymity which is currently only applicable to health agencies. QPP2 requires individuals to be given the option of remaining anonymous or using a pseudonym in their dealings with the Queensland Government agency. The relevant exceptions include where the agency is required under Australian law or court order to deal with an individual who has identified themselves or if it is impracticable for the agency to deal with the individual anonymously or using a pseudonym. QPP2 will require agencies to review and amend their information collection practices to identify the circumstances where it will be practicable to deal with individuals anonymously or using a pseudonym.
  • Sensitive information. QPP3 includes specific requirements in relation to the collection of ‘sensitive information’, which are currently only applicable to health agencies. Sensitive information is defined as a subset of personal information and includes health information, information about an individual’s racial or ethnic origin or religious beliefs, genetic information and biometric information used for the purpose of automated verification or identification. QPP3 generally prohibits the collection of sensitive information unless the individual consents or one of the exceptions applies. These exceptions include where collection is required under Australian law, where a permitted health situation exists (for health agencies) or where collection relates to law enforcement. Going forward, QPP3 will generally require agencies to implement appropriate processes to obtain an individual’s consent before collecting sensitive information. With the increasing use of biometric information, agencies will need to be cognisant of these new requirements for their current and future use of biometric information.
  • Unsolicited personal information. QPP4 includes new requirements regarding the collection of personal information in circumstances where the agency did not solicit the information. Under the amendments, all agencies will be required to make an assessment as to whether the unsolicited personal information is reasonably necessary for, or directly related to, the agency’s functions or activities. If it is determined the information is not reasonably necessary and the information is not contained in a public record, the agency must destroy or de-identify the information.
  • Collection notices. QPP5 includes additional matters which agencies will be required to include in collection notices given to an individual. Collection notices will now be required to contain information regarding any overseas disclosure of personal information, details as to how to lodge privacy complaints and access and correction of personal information. This will require agencies to review and update their collection notices to include all of the matters now prescribed in QPP5.
  • Destruction of personal information. Whilst the prolonged retention of personal information should be avoided as a matter of best practice, QPP11 will impose a new compliance obligation on agencies to implement processes to continually assess whether personal information is required to be retained and to routinely destroy or de-identify personal information which is no longer required by the agency unless a relevant exception applies (including for example where the information is required for retention under Australian law).
  • Privacy policy. QPP1 sets out expanded requirements for the matters which must be included in agencies’ privacy policies. These include how personal information is collected, how complaints may be made and whether personal information is disclosed overseas. Agencies will need to update their privacy policies before 1 July 2025 to address the new matters under QPP1.

3. QPP Codes

The IP Act has also been amended to include a mechanism for the development of written codes of practice about information privacy (QPP Codes) that address how the QPPs are to apply or be complied with. A QPP Code can also impose requirements additional to the QPPs, provided those requirements are consistent with the QPPs. The explanatory notes to the amendments indicate that the “focus of the QPP Codes is expected to be of a practical and operational nature”.

QPP Codes may be developed by an agency or by the Information Commissioner. Public submissions must be invited on a draft Code before it is submitted to the Minister, and a QPP Code endorsed by the Minister takes effect by regulation. An agency must comply with a QPP Code that applies to it, and must require its bound contracted service providers to comply with that Code.

4. Bound contracted service providers

Under the current IP Act, an agency entering into a service arrangement under which the service provider will in any way deal with personal information for the agency must take all reasonable steps to ensure the service provider complies with the IPPs or the NPPs (as applicable) in the same manner as the agency is required to comply.

From 1 July 2025, agencies will need to ensure that any new contracts with service providers require the service provider to comply with the new requirements of the IP Act, including the QPPs, any relevant QPP Codes and the data breach notification obligations. For existing contracts, the transitional provisions provide that bound contracted service providers will continue to be required to comply with the requirements of the IP Act which applied before 1 July 2025 (i.e. the IPPs and NPPs). However, this does not prevent agencies from seeking to vary their existing service agreements to require the contracted service provider to comply with the QPPs and any relevant QPP Codes.

Agencies should therefore review and amend the privacy provisions in their contract templates now, so that contracts entered into from 1 July 2025 impose the new requirements, and consider which existing arrangements (particularly those involving sensitive information or large volumes of personal information) warrant variation.

5. Powers of the Information Commissioner

The Information Commissioner will have increased powers and functions from 1 July 2025, including the power to:

  • investigate an act, failure to act or practice of an agency if the Information Commissioner is satisfied that it may breach the privacy principle requirements or the data breach notification requirements;

  • appoint authorised officers to monitor and investigate compliance;

  • exercise functions and regulatory powers in relation to mandatory data breach notification, including directing an agency to provide information about a data breach; and

  • enter places occupied by agencies to require the demonstration of data handling systems or to inspect documents.

Authors

Melissa Pratt

Special Counsel


Tags

Government Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.