New Queensland Privacy and RTI bill is here
pIndustry SectorsppMegatrendsppServicesppAll Legal ServicesppppppppppTrending TopicsppThought leadershipppPodcastsppOur PeopleppOur LocationsppAfricappAsia PacificppAustraliappEuropeppLatin AmericappMiddle EastppNorth AmericappAbout usppMedia CentreppAll Legal Servicespppppppppp
Trending Topics
pp
Thought leadership
pp
Podcasts
pp
Our People
pp
Our Locations
pp
Africa
pp
Asia Pacific
pp
Australia
pp
Europe
pp
Latin America
pp
Middle East
pp
North America
pp
Business Insight
pp
19 October 2023
ppOn 30 November 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 Qld Bill that will implement long awaited privacy reforms to the Information Privacy Act 2009 Qld IP Act and the Right to Information Act 2009 Qld RTI Act in QueenslandppThe Bill follows a number of reports recommending changes to the IP Act and the RTI Act followed by a monthlong consultation on the proposed reforms earlier this yearppPersonal information has been adjusted to align with the Privacy Act 1988 Cth Federal Privacy Act Importantly this sees the removal of the concept that a persons identity is apparent or can be reasonably ascertained in favour of an identified individual or an individual who is reasonably identifiableppThe Information Privacy Principles and National Privacy Principles have been replaced by a single set of Queensland Privacy Principles QPPs predominantly aligning with the principles under the Federal Privacy Act This sees the removal of the historical distinction between health agencies and all other agenciesppUnder the QPPs agencies will now need to implement a publicly accessible privacy policyppQPP codes will also be released providing guidance on the application of QPPs or imposing additional requirementsppThere will be a special set of situations to allow for handling personal information differently such as permitted health situations and threats to life and safetyppThe Bill introduces a mandatory data breach MDB scheme in Queensland The scheme is largely consistent with the Commonwealth schemeppEligible data breaches are categorised as theppa unauthorised access to or unauthorised disclosure of personal information orppb the loss of personal information where unauthorised access or unauthorised disclosure of that personal information is likely to occur andppc it is likely to result in serious harm to an individual to whom the personal information relatesppInterestingly the Queensland MDB scheme does not require the conclusion of a reasonable person that serious harm is likely to occur as in the Commonwealth scheme rather that serious harm is likely to occurppAny breach must beppThe Queensland MDB scheme assessment sets a higher bar than the Commonwealth scheme requiring notification to the Queensland Information Commissioner if the assessment of the breach will exceed 30 days and for how long The Queensland Information Commissioner may ask the impacted agency to provide further information or updates about the progress of this assessmentppAn agency must also publish a policy on how it will respond to any data breach including suspected eligible data breaches This must be on an accessible agency website An agency must also keep a register of eligible data breaches of the agencyppThe Queensland Information Commissioner has been granted a new investigatory power on their own motion which may be exercised where the Commissioner is satisfied on reasonable grounds that an act or practice of an agency may be a breach of the privacy principles or other privacy obligations This approach brings the IP Act more in line with the Federal Privacy Act For example the Commissioners officers will have the power to enter an agencys place of business with consent or without consent after following proper notice procedures to observe its data handling systems and practices that relate to compliance with the MDB scheme These powers may also be exercised by audio visual link ppThe Commissioners performance monitoring and support functions have also been expanded to allow a review of acts or practices of agencies in relation to compliance with the MDB scheme including data handling systems and practices to identify data breach related issues of a systemic nature section 135 This appears to be targeted at identifying inherent and pervasive issuesppThe Bill does not introduce significant increases in penalties like we have seen with the changes to the Federal Privacy Act last year The Bill introduces the following new penalties under the Commissioners new investigatory powersppThe maximum penalty for each of these offences is 100 penalty units current total value of 15480ppIt is not uncommon for agencies to outsource functions to external service providers which is the origin for the contracted service provider requirement This is to be expanded to require contracted service providers to also comply with any QPP codesppIn a bid to clarify some of the crossover and uncertainty that exists with personal information access rights under the IP Act and the RTI Act the Bill removes Chapter 3 Disclosure and amendment by application of the IP Act with access or amendments to documents containing an individuals personal information now to be covered by the RTI Act Generally the new RTI Act provisions reflect the existing IP Act provisions ppInterestingly the requirement under the IP Act that an application be in an approved form has been relaxed While the application itself must still contain all the required information it may but need not be in the approved form Agencies may notice this change on the ground with the form of access applications receivedppRelevantly the circumstances for extending processing periods for access or amendment applications has been modified This includes extensions where consultation is required prior to a refusal to deal with an application where the applicant provides only a postal address where an extension is requested by and agreed with the agency or where a charges estimate is providedppThere are also refreshed requirements for agencies to publish a scheme on its website setting out the agencys structure and functions how that affects members of the public arrangements for the public to engage with the agencys functions types of information it holds and makes publicly available procedures for asking for information and anything else specified in regulations This is quite a change from the previous requirements in section 21 of the RTI Act There is an exception for an agency not to have to publish information where such information is exempt or contrary to public interestppAt the Commissioners level there are various new rights and clarifications included concerning review applications including when a deemed decision occurs and how relevant decisions should be set aside The Commissioner may also now declare a person is a vexatious applicant in respect of both access and amendment applicationsppIt may be of interest to agencies to see that there is a new right for the Commissioner to give a relevant third party where the document may be of concern to that third party access to a document that is the subject of external review The purpose of providing such access is to obtain the third partys views about whether the document is one to which the RTI Act does not apply the information is exempt information or its disclosure is contrary to the public interest informationppThe Bill acknowledges that there will be various transitional arrangements that apply such as for access applications made prior to the amendments to the RTI Act coming into forceppWhile the Bill has passed through Parliament the privacy reforms are only expected to commence on 1 July 2025 and the MDB scheme as it applies to local Governments is expected to commence on 1 July 2026 Therefore now is the time to prepare for the upcoming changes Some things your agency can do to get ready are ppAuthors Amanda Ludlow Partner Clare Doneley Counsel and Felicity Dunstone Senior Associate ppThis publication is a joint publication from Ashurst LLP and Ashurst Risk Advisory LLP which are part of the Ashurst GroupppThe Ashurst Group comprises Ashurst LLP Ashurst Australia and their respective affiliates including independent local partnerships companies or other entities which are authorised to use the name Ashurst or describe themselves as being affiliated with Ashurst Some members of the Ashurst Group are limited liability entitiesppAshurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group Ashurst Risk Advisory LLP services do not constitute legal services or legal advice and are not provided by qualified legal practitioners acting in that capacity Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services
For more information about the Ashurst Group which Ashurst Group entity operates in a particular country and the services offered please visit wwwashurstcomppThis material is current as at 19 October 2023 but does not take into account any developments to the law after that date It is not intended to be a comprehensive review of all developments in the law and in practice or to cover all aspects of those referred to and does not constitute legal advice The information provided is general in nature and does not take into account and is not intended to apply to any specific issues or circumstances Readers should take independent legal advice No part of this publication may be reproduced by any process without prior written permission from Ashurst While we use reasonable skill and care in the preparation of this material we accept no liability for use of and reliance upon it by any personppThe information provided is not intended to be a comprehensive review of all developments in the law and practice or to cover all aspects of those referred toReaders should take legal advice before applying it to specific issues or transactionspp
Partner
pp
London
pp
Partner
pp
Sydney
pp
Partner
pp
Brisbane
p
Trending Topics
pp
Thought leadership
pp
Podcasts
pp
Our People
pp
Our Locations
pp
Africa
pp
Asia Pacific
pp
Australia
pp
Europe
pp
Latin America
pp
Middle East
pp
North America
pp
Business Insight
pp
19 October 2023
ppOn 30 November 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 Qld Bill that will implement long awaited privacy reforms to the Information Privacy Act 2009 Qld IP Act and the Right to Information Act 2009 Qld RTI Act in QueenslandppThe Bill follows a number of reports recommending changes to the IP Act and the RTI Act followed by a monthlong consultation on the proposed reforms earlier this yearppPersonal information has been adjusted to align with the Privacy Act 1988 Cth Federal Privacy Act Importantly this sees the removal of the concept that a persons identity is apparent or can be reasonably ascertained in favour of an identified individual or an individual who is reasonably identifiableppThe Information Privacy Principles and National Privacy Principles have been replaced by a single set of Queensland Privacy Principles QPPs predominantly aligning with the principles under the Federal Privacy Act This sees the removal of the historical distinction between health agencies and all other agenciesppUnder the QPPs agencies will now need to implement a publicly accessible privacy policyppQPP codes will also be released providing guidance on the application of QPPs or imposing additional requirementsppThere will be a special set of situations to allow for handling personal information differently such as permitted health situations and threats to life and safetyppThe Bill introduces a mandatory data breach MDB scheme in Queensland The scheme is largely consistent with the Commonwealth schemeppEligible data breaches are categorised as theppa unauthorised access to or unauthorised disclosure of personal information orppb the loss of personal information where unauthorised access or unauthorised disclosure of that personal information is likely to occur andppc it is likely to result in serious harm to an individual to whom the personal information relatesppInterestingly the Queensland MDB scheme does not require the conclusion of a reasonable person that serious harm is likely to occur as in the Commonwealth scheme rather that serious harm is likely to occurppAny breach must beppThe Queensland MDB scheme assessment sets a higher bar than the Commonwealth scheme requiring notification to the Queensland Information Commissioner if the assessment of the breach will exceed 30 days and for how long The Queensland Information Commissioner may ask the impacted agency to provide further information or updates about the progress of this assessmentppAn agency must also publish a policy on how it will respond to any data breach including suspected eligible data breaches This must be on an accessible agency website An agency must also keep a register of eligible data breaches of the agencyppThe Queensland Information Commissioner has been granted a new investigatory power on their own motion which may be exercised where the Commissioner is satisfied on reasonable grounds that an act or practice of an agency may be a breach of the privacy principles or other privacy obligations This approach brings the IP Act more in line with the Federal Privacy Act For example the Commissioners officers will have the power to enter an agencys place of business with consent or without consent after following proper notice procedures to observe its data handling systems and practices that relate to compliance with the MDB scheme These powers may also be exercised by audio visual link ppThe Commissioners performance monitoring and support functions have also been expanded to allow a review of acts or practices of agencies in relation to compliance with the MDB scheme including data handling systems and practices to identify data breach related issues of a systemic nature section 135 This appears to be targeted at identifying inherent and pervasive issuesppThe Bill does not introduce significant increases in penalties like we have seen with the changes to the Federal Privacy Act last year The Bill introduces the following new penalties under the Commissioners new investigatory powersppThe maximum penalty for each of these offences is 100 penalty units current total value of 15480ppIt is not uncommon for agencies to outsource functions to external service providers which is the origin for the contracted service provider requirement This is to be expanded to require contracted service providers to also comply with any QPP codesppIn a bid to clarify some of the crossover and uncertainty that exists with personal information access rights under the IP Act and the RTI Act the Bill removes Chapter 3 Disclosure and amendment by application of the IP Act with access or amendments to documents containing an individuals personal information now to be covered by the RTI Act Generally the new RTI Act provisions reflect the existing IP Act provisions ppInterestingly the requirement under the IP Act that an application be in an approved form has been relaxed While the application itself must still contain all the required information it may but need not be in the approved form Agencies may notice this change on the ground with the form of access applications receivedppRelevantly the circumstances for extending processing periods for access or amendment applications has been modified This includes extensions where consultation is required prior to a refusal to deal with an application where the applicant provides only a postal address where an extension is requested by and agreed with the agency or where a charges estimate is providedppThere are also refreshed requirements for agencies to publish a scheme on its website setting out the agencys structure and functions how that affects members of the public arrangements for the public to engage with the agencys functions types of information it holds and makes publicly available procedures for asking for information and anything else specified in regulations This is quite a change from the previous requirements in section 21 of the RTI Act There is an exception for an agency not to have to publish information where such information is exempt or contrary to public interestppAt the Commissioners level there are various new rights and clarifications included concerning review applications including when a deemed decision occurs and how relevant decisions should be set aside The Commissioner may also now declare a person is a vexatious applicant in respect of both access and amendment applicationsppIt may be of interest to agencies to see that there is a new right for the Commissioner to give a relevant third party where the document may be of concern to that third party access to a document that is the subject of external review The purpose of providing such access is to obtain the third partys views about whether the document is one to which the RTI Act does not apply the information is exempt information or its disclosure is contrary to the public interest informationppThe Bill acknowledges that there will be various transitional arrangements that apply such as for access applications made prior to the amendments to the RTI Act coming into forceppWhile the Bill has passed through Parliament the privacy reforms are only expected to commence on 1 July 2025 and the MDB scheme as it applies to local Governments is expected to commence on 1 July 2026 Therefore now is the time to prepare for the upcoming changes Some things your agency can do to get ready are ppAuthors Amanda Ludlow Partner Clare Doneley Counsel and Felicity Dunstone Senior Associate ppThis publication is a joint publication from Ashurst LLP and Ashurst Risk Advisory LLP which are part of the Ashurst GroupppThe Ashurst Group comprises Ashurst LLP Ashurst Australia and their respective affiliates including independent local partnerships companies or other entities which are authorised to use the name Ashurst or describe themselves as being affiliated with Ashurst Some members of the Ashurst Group are limited liability entitiesppAshurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group Ashurst Risk Advisory LLP services do not constitute legal services or legal advice and are not provided by qualified legal practitioners acting in that capacity Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services
For more information about the Ashurst Group which Ashurst Group entity operates in a particular country and the services offered please visit wwwashurstcomppThis material is current as at 19 October 2023 but does not take into account any developments to the law after that date It is not intended to be a comprehensive review of all developments in the law and in practice or to cover all aspects of those referred to and does not constitute legal advice The information provided is general in nature and does not take into account and is not intended to apply to any specific issues or circumstances Readers should take independent legal advice No part of this publication may be reproduced by any process without prior written permission from Ashurst While we use reasonable skill and care in the preparation of this material we accept no liability for use of and reliance upon it by any personppThe information provided is not intended to be a comprehensive review of all developments in the law and practice or to cover all aspects of those referred toReaders should take legal advice before applying it to specific issues or transactionspp
Partner
pp
London
pp
Partner
pp
Sydney
pp
Partner
pp
Brisbane
p
