On 12 October 2023, the Government introduced the Information Privacy and Other Legislation Amendment Bill 2023 (Bill) to Queensland Parliament which, amongst other things, establishes a mandatory data breach notification scheme (MDBN Scheme) in Queensland. The Bill is consistent with the recommendations in the Coaldrake Review and is currently under consideration by the Education, Employment and Training Committee.
It is unclear when the Bill will pass. If enacted, however, the MDBN Scheme will apply to all Queensland state and local government agencies that are subject to the Information Privacy Act 2009 (Qld) (Privacy Act). Notably, the Queensland government will take a phased approach to implementing the MDBN Scheme, and local councils will be subject to a 12-month transition period to mitigate the resourcing impacts and costs involved in complying with the scheme.
The Bill will introduce requirements for agencies to:
- assess (within 30 days) whether a data breach is an ‘eligible data breach’;
- contain and mitigate the harm caused by the data breach;
- subject to certain exceptions, notify affected individuals and the Office of the Information Commissioner of eligible data breaches that would likely result in serious harm to an individual to whom the personal information relates;
- keep a register of eligible data breaches; and
- publish an external-facing data breach policy.
How agencies can prepare for the MDBN Scheme:
- Establish clear roles and responsibilities: Agencies should establish clear roles and responsibilities for managing data breaches and suspected data breaches. This may include establishing a team to undertake the required assessments, contain the breach, mitigate its effects, and report to and/or notify the Information Commissioner and affected individuals.
- Prepare an eligible data breach register: Agencies should prepare a register of eligible data breaches. For each eligible data breach, the register must include a description of the breach, the date the eligible data breach statement was provided to the Information Commissioner (including the dates on which any further statements were provided), the date and method used to notify affected individuals, and details of the steps taken by the agency to contain the breach and mitigate the harm it caused.
- Prepare a data breach policy: Agencies must prepare and publish an external-facing data breach policy that sets out how the agency will respond to a data breach, including a suspected eligible data breach.
- Review existing contracts: If an agency engages third party suppliers (especially where the supplier handles personal information for or on behalf of the agency), then that agency should ensure that the contract with the supplier contains provisions to enable the agency to comply with the MDBN Scheme, including:
- Processes and procedures to manage and mitigate the harm arising from data breaches caused by a supplier.
- Obligations to provide assistance and information to the agency and nominated third parties (e.g. the Information Commissioner) in relation to a data breach caused by a supplier.
- Rights for agencies and nominated third parties (e.g. the Information Commissioner) to assess the supplier’s data handling systems and practices.
- Update privacy policies and procedures: Agencies should review and update any relevant policies and procedures to comply with the MDBN Scheme.
Non-compliance with the MDBN Scheme may result in a privacy complaint being made to the Information Commissioner, compliance action under the Privacy Act, or an order by the Queensland Civil and Administrative Tribunal requiring the agency to pay compensation to the affected individual.
If you have any queries about the potential effect of the MDBN Scheme, please feel free to contact: