The Government's Consultation Paper – Proposed changes to Queensland’s Information privacy and right to information framework outlines a broad range of proposed amendments which, if adopted, will have a significant impact on the scope, application and operation of the Information Privacy Act 2009 (Qld) (IP Act) and the Right to Information Act 2009 (RTI Act) and Queensland's information law framework.
It is therefore critical for Queensland Government agencies to understand the amendments being proposed by the Queensland Government and to consider making a submission in respect of these changes.
In this article, we discuss some of the key changes and what they may mean for Queensland public sector agencies.
Drivers for change
The RTI Act and IP Act were enacted on the back of an extensive review of Queensland’s information laws under the Solomon Review. This saw the enactment of Queensland’s first statutory based information privacy legislation in the IP Act and the implementation of a new “pro disclosure” freedom of information model in the RTI Act. Many of the significant reforms implemented under the RTI Act were adopted in FOI statutes across Australia.
Since 2009, various reviews have been undertaken which have considered the IP Act and the RTI Act and whether these frameworks are fit for purpose, particularly considering the impact of technology in these areas. Some of the reviews conducted to date include the first statutory review of the IP Act and the RTI Act which was completed in 2017 and also, notably, the Crime and Corruption Commission's 2020 Operation Impala Report on misuse of confidential information in the Queensland public sector which considered the corruption risk presented by confidential personal information and highlighted:
- the increasing breadth of personal information held by government and growing community expectations around privacy
- the serious impacts on individuals of misuse of personal information, and
- that personal data is an increasingly valuable commodity and may be sought and exploited by commercial enterprises, or even stolen or appropriated for criminal use.
Operation Impala made wide-reaching recommendations for reform and change in the area of the management of personal information, including a new offence and a statutory tort for the misuse of personal information.
The amendments and reforms to the IP and RTI Acts which are now proposed are born out of those reviews.
The Consultation Paper is more than 60 pages long, and the changes proposed are wide ranging, dealing with a broad range of issues from a proposal to include a mandatory data breach notification requirement through to amendments designed to streamline the processing of access applications. Given the wide-ranging nature and significance of some of the proposed amendments and reforms, it is essential that agencies subject to the IP and RTI Acts are aware of these changes and the effect that these changes may have on an agency.
Below is a high-level summary of the most notable proposals.
A Mandatory Data Breach Notification (MDBN) Scheme for Queensland
The implementation of an MDBN Scheme, based on the Commonwealth scheme, would aim to mitigate the risk of data breaches in Queensland by giving people an opportunity to take steps to reduce the harm. The Scheme would create a legal obligation to notify individuals (and the OIC) about an "eligible data breach" that leads to the disclosure of personal information.
Agencies would need to implement systems so they can:
- assess if an "eligible data breach" has occurred (linked to an assessment whether a reasonable person would conclude that a case of unauthorised access/disclosure or loss of personal information would likely result in "serious harm");
- conduct assessments of suspected eligible data breaches within 30 days; and
- make appropriate notifications to the OIC.
The recent Coaldrake Review into culture and accountability in the Queensland public sector also recommended an MDBN Scheme for Queensland, so there is momentum for this proposal to be accepted by the Queensland Government.
An updated definition of "personal information"
The Consultation Paper proposes to adopt the Privacy Act 1988 (Cth) definition of "personal information", to mean "information or an opinion about an identifiable individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not".
The updated definition, intended to be more flexible and technology neutral, would also bring the regime in line with the EU's General Data Protection Regulation (GDPR).
A new, unified set of "Queensland Privacy Principles"
Privacy principles regulate how agencies and their contracted service providers collect, store, use and disclose personal information. The IP Act currently contains two sets of privacy principles: the National Privacy Principles (NPPs), applying to health agencies, and the Information Privacy Principles (IPPs), which apply to all other agencies. The Commonwealth Privacy Act contains the Australian Privacy Principles (APPs).
Agencies are asked to consider a proposal to adopt a new unified set of Queensland Privacy Principles (QPPs). The proposed QPPs, intended to remove uncertainty and unjustified compliance costs, broadly reflect the Commonwealth APPs, modified so as to only apply to Queensland agencies.
Particular comment is sought on the proposed QPP 9, which requires agencies to take "reasonable steps" to protect personal information. Operation Impala recommended that the term "reasonable steps" be further defined to align with Article 32 of the GDPR. The Consultation Paper seeks submissions on whether a non-exhaustive list, or specific guidelines, should be used to help agencies understand what "reasonable steps" must be taken to protect personal information.
New powers for the Office of the Information Commissioner (OIC) to respond to privacy breaches
The OIC is the independent body established to promote access to, and protect, government-held information and personal information. Under the proposed changes, the OIC would be given new powers to:
- conduct an "own motion" investigation into whether there has been a breach of the privacy principles;
- after an own-motion investigation has been conducted, make declarations, based on the Commonwealth model; and
- intervene in tribunal or court proceedings involving the IP Act.
A new criminal offence for misuse of confidential information by public officers
The CCC's concerns around public sector misuse of confidential information culminated in a recommendation for a new Queensland Criminal Code offence. Under the new provision, it would be an offence (with a maximum penalty of 5 or 10 years in aggravated cases) to access confidential information, regardless of its source, in a way that is not in furtherance of the performance of an agency's function. Agencies are asked for comment as to whether this new criminal offence is required, or if existing provisions in the Criminal Code and other legislation are adequate.
Changes to receiving, processing, and deciding access applications
Part B of the Consultation Paper proposes a raft of changes to the operation of the IP and RTI Acts. The changes are intended to clarify and improve the operation of the framework. We anticipate that this will be the case for many agencies, but in some cases, it may be possible that things will become more difficult.
These changes therefore warrant careful review, and include:
- providing clearer criteria around when prescribed entities controlled by local governments and the State are subject to the RTI Act;
- creating a single right of access under the RTI Act, regardless of whether the information requested is an applicant's personal information;
- de-formalising requirements for making an application (for example, removing the requirement to be in the approved form and the need for agents to provide evidence of identity in all cases);
- simplifying the timeframes for processing applications and making review decisions (including extending the timeframe for a decision that a document/entity is outside the scope of the Act);
- making the inclusion of a schedule of documents discretionary rather than mandatory;
- walking back disclosure log requirements and changing the requirements for publication schemes;
- clarifications around the public interest balancing test (including clarifying that factors other than those listed in schedule 4 may be considered as part of the test, aligning with the other States);
- creating a new exemption from disclosure when disclosure of the information could reasonably be expected to cause damage to relations between Queensland and other governments;
- clarifications regarding the application of the RTI and IP Acts to courts and tribunals;
- clarifications around procedures for settling external reviews;
- extending privacy obligations in the IP Act to contracted service providers; and
- broadening the provisions regarding lodging and dealing with privacy complaints.