Queensland Government introduces mandatory data breach notification regime
Australia | Publication | October 2023
On 12 October 2023, the Government introduced the Information Privacy and Other Legislation Amendment Bill 2023 (Bill) to Queensland Parliament which, amongst other things, establishes a mandatory data breach notification scheme (MDBN Scheme) in Queensland. The Bill is consistent with the recommendations in the Coaldrake Review and is currently under consideration by the Education, Employment and Training Committee.
It is unclear when the Bill will pass; however, if enacted, the MDBN Scheme will apply to all Queensland state and local government agencies that are subject to the Information Privacy Act 2009 (Qld) (Privacy Act). Notably, the Queensland government will take a phased approach to implementing the MDBN Scheme, and local councils will be subject to a 12-month transition period to mitigate the resourcing impacts and costs involved in complying with the scheme.
The Bill will introduce requirements for agencies to:
- assess (within 30 days) whether a data breach is an ‘eligible data breach’;
- contain and mitigate the harm caused by the data breach;
- subject to certain exceptions, notify affected individuals and the Office of the Information Commissioner of eligible data breaches that would likely result in serious harm to an individual to whom the personal information relates;
- keep a register of eligible data breaches; and
- publish an external-facing data breach policy.
How agencies can prepare for the MDBN Scheme:
- Establish clear roles and responsibilities: Agencies should establish clear roles and responsibilities to manage data breaches or suspected data breaches. This may include establishing a team to undertake the required assessments, containing the data breach and mitigating the effects of the data breach, and reporting and/or notifying the Information Commissioner and affected individuals.
- Prepare an eligible data breach register: Agencies should prepare a register of eligible data breaches. The register must include a description of an eligible data breach, the date an eligible data breach statement is provided to the Information Commissioner (including dates when further statements were provided to the Information Commissioner), the date and method used to notify individuals and details of the steps taken by the agency to contain and mitigate the harm caused by an eligible data breach.
- Prepare a data breach policy: Agencies must prepare and publish an external-facing data breach policy, which includes how it will respond to a data breach, including a suspected eligible data breach.
- Review existing contracts: If an agency engages third party suppliers (especially where the supplier handles personal information for or on behalf of the agency), then that agency should ensure that the contract with the supplier contains provisions to enable the agency to comply with the MDBN Scheme, including:
  - Processes and procedures to manage and mitigate the harm arising from data breaches caused by a supplier.
  - Obligations to provide assistance and information to the agency and nominated third parties (e.g. the Information Commissioner) in relation to a data breach caused by a supplier.
  - Rights for agencies and nominated third parties (e.g. the Information Commissioner) to assess the supplier’s data handling systems and practices.
- Update privacy policies and procedures: Agencies should review and update any relevant policies and procedures to comply with the MDBN Scheme.
Non-compliance with the MDBN Scheme may result in a privacy complaint being made to the Minister, compliance action under the Privacy Act or an order by the Queensland Civil and Administrative Tribunal for compensatory payments to the individual affected.
If you have any queries in respect to the potential effect of the MDBN Scheme, please feel free to contact:
- Peter Mulligan, Partner peter.mulligan@nortonrosefulbright.com
- Ren Niemann, Partner ren.niemann@nortonrosefulbright.com
- Jim Lennon, Special Counsel jim.lennon@nortonrosefulbright.com
- Donna Lin, Associate donna.lin@nortonrosefulbright.com