In June last year, the Queensland Consultation Paper proposed significant changes to Queensland's Information Privacy and Right to Information Framework. Importantly, the Queensland Consultation Paper addressed the need for the Information Privacy Act 2009 (Qld) (IP Act), including the National Privacy Principles and Information Privacy Principles, and the Right to Information Act 2009 (Qld) to be more closely aligned with the Commonwealth regime that is set out in the Privacy Act 1988 (Cth) and includes the Australian Privacy Principles (APPs).
In February this year, the Commonwealth Privacy Act Review 2022 (Commonwealth Report) was released, with public consultation regarding the proposed reforms closing on 31 March 2023.
With the Queensland Office of the Information Commissioner advocating for better alignment between the Australian jurisdictions and the European General Data Protection Regulation (GDPR), we consider that some of the proposals that are set out in the Commonwealth Report are likely to guide the Queensland privacy framework reform, particularly in respect to the definition of personal information and the enactment of a notifiable data breach scheme.
This article examines some of the key reform proposals from the Commonwealth Report that we consider may influence the Queensland information privacy reforms.
A more flexible definition of "personal information"?
The Commonwealth Report proposes to amend the definition of "personal information" to make it clearer that technical and inferred information can be deemed as "personal information". For example, IP addresses, device identifiers, location data, and any other online identifiers that identify an individual may be captured in the definition of personal information. There is also a recommendation that a non-exhaustive list of information which may be personal information be included to assist entities to identify types of information that will fall within the definition. As well as providing greater clarity, this approach would also align the Privacy Act better with the terminology and practices of international data protection regimes (such as the GDPR), and other Commonwealth legislation.
The Queensland Consultation Paper also recommended that the definition of "personal information" in the IP Act be updated to become more flexible and technology neutral (to include a variety of technical data collected in relation to individuals), and to be more consistent with the Privacy Act. We expect reform to the IP Act will closely follow in the Privacy Act's footsteps. Queensland agencies should monitor this area and consider the potential implications, as the development and expansion of the definition of "personal information" is imminent.
Notifiable Data Breaches
In light of multiple high profile data breaches and increased scrutiny around how entities are responding to data breaches, the Commonwealth Report proposes changes to minimise the impact of data breaches and better facilitate the reporting of breaches to the Office of the Australian Information Commissioner (OAIC). It is recommended that the current Commonwealth Notifiable Data Breach scheme (NDB scheme) be amended to require entities to:
- notify the OAIC within 72 hours of becoming aware of an eligible data breach and an affected individual "as soon as practicable" (noting that further information is to be provided if it is not initially available);
- take reasonable steps to implement practices, procedures and systems to enable it to respond to a data breach; and
- provide notification statements about an eligible data breach which set out steps that are or are intended to be taken in response to the breach, including where appropriate, the steps to reduce any adverse impacts on the individuals.
Alongside these additional requirements on entities to respond to an eligible data breach, it is proposed that the Attorney-General will also be permitted to share information regarding an eligible data breach with other entities to reduce the risk of harm where appropriate.
The Queensland Consultation Paper proposes that Queensland adopt a mandatory data breach notification scheme based on the Commonwealth framework. On this basis, we expect any Queensland data breach scheme may also seek to incorporate these new amendments to the Commonwealth NDB scheme.
Single set of Privacy Principles
A key recommendation of the Queensland Consultation Paper is to move to a single set of privacy principles, the Queensland Privacy Principles (QPPs), that are based on the Commonwealth APPs under the Privacy Act. On this basis, it is relevant for Queensland agencies to take note of any proposed changes to the APPs.
The Commonwealth Report makes several recommendations regarding the APPs including, but not limited to:
- giving the Information Commissioner (IC), under the direction or approval of the Attorney-General, the power to make an APP code in the public interest where there is unlikely to be an industry-developed code (currently APP codes are developed by entities on their own initiative or at the request of the IC);
- that APP 5 expressly require that collection notices be clear, up-to-date, concise and understandable, and that new matters to be included in collection notices also be prescribed; and
- that agencies must take reasonable steps to protect de-identified information under APP11.1.
The fair and reasonable test
A new "fair and reasonable" test is proposed by the Commonwealth Report which would underpin the collection, use and disclosure of personal information by entities. This new test would replace the current threshold, which is the balancing exercise of what is "reasonably necessary". When applying the "fair and reasonable" test, the Commonwealth Report proposes that entities should consider (among other matters):
- whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstance;
- the kind, sensitivity and amount of personal information being collected, used or disclosed; and
- whether the impact on privacy is proportionate to the benefit.
It was identified in the Queensland Consultation Paper that the QPPs would require agencies to "take reasonable steps to protect personal information they hold from unauthorised access, use, disclosure, and from any other misuse".
It appears that the Commonwealth and Queensland considerations on the level of discretion entities must use in dealing with personal information are based on similar underlying policy drivers. Though it is unclear whether Queensland will move towards the "fair and reasonable" test in relation to the collection, use and disclosure of personal information, it can be expected that Queensland will draw from the considerations identified above.
Mandatory Privacy Impact Assessments for high-risk activities
Privacy Impact Assessments (PIAs) are a tool that agencies can use to assess the privacy impacts of a new project and identify ways in which the privacy regulatory compliance requirements can be met.
The Commonwealth Report proposes that entities would be required to undertake a PIA prior to the commencement of high-risk privacy activities and that the entity would be required to provide the PIA to the OAIC on request. A high-risk activity is one that is "likely to have a significant impact on the privacy of individuals" and may be particularly relevant if the personal information relates to children.
Although most Queensland agencies would already undertake PIAs as a "best practice" measure, we consider that, going forward, there is likely to be a greater emphasis on the need for entities to undertake PIAs from the outset of new projects and to take a privacy-by-design approach.