What’s New in the Information Privacy Act 2009
Councils throughout Queensland will be familiar with the Information Privacy Act 2009 (IP Act) and the Right to Information Act 2009 (RTI Act), and with the importance of both Acts to the way in which local governments deal with personal information and provide information to the public.
On 4 December 2023, the Queensland Parliament passed amendments to the IP Act and the RTI Act, as part of the Information Privacy and Other Legislation Amendment Act 2023 (the Amendment Act).
The changes introduced by the Amendment Act have not yet come into effect, and will be effective on a day that is yet to be fixed by the State Government.
The key changes, which are summarised below, will affect the way local governments deal with information and requests under these Acts, and, broadly speaking, are intended to modify “Queensland’s information privacy framework to better protect personal information and provide appropriate responses and remedies for data breaches and misuse of personal information by agencies”.
Key Changes – IP Act
The key changes to the IP Act include:
The QPPs
- The establishment of a single set of privacy principles, namely the Queensland Privacy Principles (QPPs), which will be applicable to all agencies in place of the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs).
QPP Codes
- A power on the part of the Information Commissioner and relevant agencies, including local governments, to draft QPP codes for endorsement by the Minister. A QPP code is a written code of practice about information privacy that states:
  - how one or more of the QPPs are to be applied or complied with; and
  - the agencies that are bound by the code, or a way of determining the agencies that are bound by the code.
- A QPP code may also impose additional requirements to those imposed by a QPP, to the extent the additional requirements are not inconsistent with a QPP.
Mandatory Data Breach Notification Scheme
- The development of a Mandatory Data Breach Notification Scheme (MDBN Scheme).
- An eligible data breach is defined as a data breach that:
  - involves unauthorised access to, or disclosure of, personal information and such access or disclosure is likely to result in serious harm to an individual; or
  - involves personal information being lost in circumstances where:
    - unauthorised access to or unauthorised disclosure of personal information is likely to occur; and
    - if the above occurred, it would be likely that serious harm to an individual to whom the personal information relates would result.
- The amendments set out particular obligations on agencies, including local governments, in respect of data breaches.
- If the agency knows, or reasonably suspects, that the data breach is an eligible data breach:
  - the agency must immediately take steps to contain the breach; and
  - mitigate the harm caused by the data breach.
- If the agency does not know whether the breach is an eligible data breach, the agency must, within 30 days, undertake an assessment of whether there are reasonable grounds to believe that the breach is an eligible breach.
- Unless an exception applies, the agency must provide the Information Commissioner with a statement regarding the details of the breach and, if applicable, notify affected individuals.
Enhanced powers of the Information Commissioner
- The amendments enhance the powers of the Information Commissioner in relation to investigating an agency’s obligations under the IP Act, including breaches of the QPPs and compliance with the new MDBN Scheme.
- These powers include:
  - directing an agency to give a statement including details of the breach;
  - making recommendations where the Commissioner reasonably suspects that a data breach of an agency is an eligible data breach;
  - issuing guidelines about any matter relating to the Information Commissioner’s functions;
  - making preliminary inquiries of any person for the purpose of determining whether to investigate an act or practice on the Commissioner’s own initiative or otherwise; and
  - appointing an appropriately qualified person as an authorised officer who may monitor and investigate whether an occasion has arisen for the exercise of the Information Commissioner’s powers that relate to an agency’s compliance.
- Penalties apply when a person fails to provide reasonable help to an authorised officer.
Key Changes – RTI Act
The key changes to the RTI Act include:
- Amendments to section 4 of the RTI Act, which:
  - provide that the Act is not intended to prevent other publication, access or amendment;
  - expand the section to include documents to which the privacy principle requirements do not apply; and
  - allow the publication of information, giving of access to, or allowing the amendment of documents by an entity to which the privacy principle requirements do not apply.
- Amendments to publication scheme requirements. Under the amended regime, agencies are required to publish:
  - details of the agency’s structure and functions;
  - how the agency’s functions affect members of the public;
  - arrangements that enable members of the public to engage with the agency’s functions;
  - the types of information held by the agency;
  - the types of information the agency makes publicly available and how it is made available;
  - procedures for asking for information, including, for example, any fee or charge that may be payable; and
  - information about the agency that is prescribed by regulation, to the extent the information is held by the agency.
- The requirement for applications to be in the ‘approved form’ has been removed and replaced with ‘writing’. This means any written requests for information will need to be treated as applications made under the RTI Act. Such applications still need to be accompanied by an application fee.
- The requirement for a schedule of relevant documents has been removed.
Summary
Local governments should ensure they are familiar with the changes to the IP Act and RTI Act and the various disclosure regimes under them, and ensure that any existing precedents and practices are adapted to the newly amended regime.
Importantly, Councils should also ensure they have appropriate processes in place to respond to the new frameworks introduced by the Amendment Act, in particular in relation to the MDBN Scheme.
Preston Law advises local governments across Queensland in relation to information and privacy matters, and legislative compliance matters generally. If you wish to discuss the above in further detail, or matters under the Information Privacy Act or the Right to Information Act generally, please contact the local government team at Preston Law.