Claire Doneley reports:
On 4 December 2023, the Queensland Parliament gave assent to the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (Act), with privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) to commence 1 July 2025. You can read more about that here.
In Queensland it has not been compulsory for agencies to notify the Office of the Information Commissioner Queensland (OICQ) of data breaches. The Act establishes a mandatory data breach notification (MNDB) scheme. This article summarises the Mandatory Notification of Data Breach scheme Guideline issued by the OICQ (Guideline)[1], and provides practical steps to help agencies get ready to comply with the new Mandatory Notification of Data Breaches scheme.
Key concepts
An ‘eligible data breach’ of an agency will trigger notification to the OICQ and impacted individuals if:
(1) there is unauthorised access to, or unauthorised disclosure of, personal information held by the agency; or
(2) there is a loss of personal information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur;
AND
(3) the unauthorised access to, or disclosure of, the information is likely to result in serious harm to the affected individual to whom the personal information relates.
If only (1) or (2), but not (3) applies, then this will be a “data breach”. A data breach of itself does not trigger the notification obligations under the IP Act.
Read more at Ashurst.
[1] OICQ Mandatory Notification of Data Breach scheme Guideline can be accessed here: https://www.oic.qld.gov.au/__data/assets/pdf_file/0007/64294/Guideline-MNDB-mandatory-notification-of-data-breach.pdf.