Queensland: Government introduces bill to establish mandatory data breach notification scheme

On October 12, 2023, the Queensland Government introduced the Information Privacy and Other Legislation Amendment Bill 2023 to the Queensland Parliament. Among other things, the bill creates a mandatory data breach notification scheme (MDBN Scheme) in Queensland.

Scope

The MDBN Scheme will apply to all Queensland state and local government agencies that are subject to the Information Privacy Act 2009 (Qld) (Privacy Act).

Obligations for agencies

Under the bill, an eligible data breach at an agency is considered to have occurred if either:

  • there is unauthorized access to, or disclosure of, personal information, which is likely to cause serious harm to the individual concerned; or
  • personal information is lost in a way that unauthorized access or disclosure is probable, and such an incident would likely result in serious harm to the individuals to whom the personal data relates.

The bill provides that when an agency becomes aware of a potential eligible data breach, it must, within 30 days, assess whether the breach is notifiable. If the breach is eligible, the agency is required to, among other things:

  • immediately take steps to contain the breach and mitigate its effects;

  • notify the Office of the Information Commissioner (OIC);

  • notify the affected individuals or, if impracticable, publish the information on its website for at least 12 months including details about the breach, agency contact details, and recommendations for individuals; and

  • inform other agencies that might be affected by the breach.

However, the bill does not require agencies to complete an assessment if the breach involves personal information already subject to a breach at another agency, and that agency has committed to an assessment.

Exemptions

Notably, the bill highlights that agencies are not required to comply with the requirement to notify eligible data breaches if:

  • doing so is likely to prejudice an investigation leading to prosecution or court/tribunal proceedings;
  • an agency takes action to mitigate harm before serious harm occurs due to unauthorized access, disclosure, or loss of personal information, and as a result, serious harm is unlikely;
  • doing so would be inconsistent with other laws regulating the use or disclosure of information;
  • doing so creates a serious risk to an individual's health or safety; and
  • compliance is likely to compromise the agency's cybersecurity or lead to further data breaches.

You can read the bill here and track its progress here.

Update: November 29, 2023

State Parliament approves mandatory data breach scheme for Government agencies

On November 29, 2023, the Attorney General, the Minister for Justice, and the Minister for the Prevention of Domestic and Family Violence announced that the Information Privacy and Other Legislation Amendment Act 2023 was passed by the Queensland Parliament, establishing the MDBN Scheme.

You can read the press release here, the Information Privacy and Other Legislation Amendment Act 2023 here, and view its history here.
