The Information Privacy Act 2009 (Qld) (IP Act) applies to the personal information handling practices of Queensland public sector agencies and their contractors, and contains two sets of privacy principles – the National Privacy Principles (NPPs) that apply to Queensland Health and Queensland’s Hospital and Health Services, and the Information Privacy Principles (IPPs) that apply to all other Queensland public sector agencies.
The Queensland Department of Justice and Attorney-General’s report on the review of the IP Act and the Right to Information Act 2009 (Qld) was tabled in Parliament on 12 October 2017.
Recommended changes to the IP Act include:
- Extension of the privacy obligations under the IP Act to government subcontractors, in addition to the existing obligations for contractors.
- Amendment of the definition of “personal information” so that it is consistent with the definition of personal information under the Federal Privacy Act 1988 (Cth).
- Amendment of the definition of “generally available publication” to make it consistent with the definition under the Federal Act and to make sure that it captures purely digital communications.
- Amendment of section 33 of the IP Act so that it restricts “disclosures” of personal information outside of Australia, rather than “transfers” outside of Australia, again consistent with the 2014 amendments to the Federal Act.
- Amendment to the procedures and timeframes for making privacy complaints.
- Provision of an “own motion power” to the Information Commissioner to allow investigation of an act or practice which may be a breach of the privacy principles, whether or not a complaint has been made.
- Amendment to IPP4 so that agencies are only required to take “reasonable steps” to ensure information is protected against loss and misuse, as is the requirement under the NPPs and under the Australian Privacy Principles (APPs) applicable under the Federal Act.
- Amendment of the IP Act so that the NPPs apply to health agencies in the same way as the IPPs apply to other agencies in relation to law enforcement activities.
There will be no change to the treatment of Queensland Government Owned Corporations (GOCs). The information handling practices of GOCs are currently governed by the APPs under the Federal Act, not the Queensland IP Act, and given the strength of the Federal Act, it was considered that change is not necessary.
The review also considered whether the NPPs and IPPs should both be replaced or aligned with the APPs that apply under the Federal Act, with a view to facilitating national consistency. It was noted that although there is strong support for amalgamating the IPPs and NPPs, there is no national commitment to alignment with the APPs. The Australian Capital Territory is the only jurisdiction that has adopted a version of the APPs to date. The conclusion was that further research is required as to the strength of privacy protection provided by the APPs in comparison to the IPPs and the NPPs, and to assess the impact on the Queensland public sector.
Similarly, further research and consultation were recommended as to whether a mandatory data breach notification scheme should be introduced under the IP Act to reflect the new scheme that will apply under the Federal Act from 22 February 2018.
A full copy of the report is available here: https://www.parliament.qld.gov.au/work-of-assembly/tabled-papers/online-tabled-papers