Contractors and data breaches
Queensland government agencies1 must handle personal information2 in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government3) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.
Chapter 3A of the IP Act applies to personal information contained in a document held by an agency, other than a document to which the privacy principle requirements do not apply. This guideline is intended to assist agencies to determine if personal information in the possession of a service provider is held by the agency. It must be read in conjunction with Mandatory notification of data breach.
Held by an agency
Section 13 of the IP Act provides that personal information is held by an agency if the personal information is contained in a document in the possession, or under the control, of the agency.
This definition is similar to the definition of document of an agency in the Right to Information Act 2009 (Qld), which is discussed in Documents of an agency and documents of a Minister.
In the agency’s possession
Documents in the agency’s possession include documents which are kept at the agency’s premises, eg a hard copy file in a filing cabinet at the agency’s office, or stored on agency IT equipment, eg contained on the agency’s servers or stored on an agency laptop.
Under the agency’s control
Documents are in the agency’s control if the agency has a present legal entitlement to take physical possession of them,4 or to handle or access them, eg due to a contractual or other legal right. Depending on the circumstances, this will include documents held by the agency’s service providers.
If an agency’s service provider has a data breach involving personal information associated with the agency contract, the agency will need to decide whether the personal information is held by the agency, taking into account the right of the agency to control the information’s use and whether the agency can require the service provider to give it the information.
For example, client documents held by an external legal adviser are under the agency’s control, despite being in the possession of the lawyer,5 because the agency is entitled to access them under the Australian Solicitors’ Conduct Rules. If the lawyer had a data breach involving client documents of the agency which contained personal information, it would be a data breach of the agency.
If the terms of a service agreement or a binding rule give the agency the right to access documents in the possession of the service provider, those documents will be under the agency’s control.
Example
An agency enters into a contract with a service provider to provide services to the public on the agency’s behalf. The contract requires the service provider to provide an online customer portal that allows agency clients to lodge service requests and pay for agency services, which requires the collection and use of personal information.
The contract provides that the agency maintains control over this personal information and that the service provider must only use it to meet its contractual obligations. As such, the personal information is held by the agency despite being in the service provider’s possession, because it is under the agency’s control.
If the service provider has a data breach involving the personal information of the agency’s clients, it would be a data breach of the agency for the purposes of chapter 3A of the IP Act.
Contractual terms
When entering into new or reviewing existing contracts, agencies should consider the specific circumstances of the contract, the kinds of personal information involved, and the relevant operating environment. This will help identify whether to include contractual data breach arrangements, eg:
- an obligation to promptly report data breaches;
- a requirement to contain and mitigate data breaches; and
- a requirement to assist and cooperate with the agency’s data breach assessments.
When reviewing contracts, agencies should consider if the existing terms will address these points and seek amendment or modification where appropriate.
Refer to Binding contractors to the IP Act for more information.
Service providers and the Commonwealth Notifiable Data Breaches scheme
Some private sector entities are subject to the Commonwealth Notifiable Data Breaches scheme and other obligations in the Privacy Act 1988 (Cth). However, section 7B(5) of that Act provides an exemption for acts done, or practices engaged in, for a contract with a State or Territory authority.
Queensland government agencies are State authorities within the meaning of the Privacy Act 1988 (Cth). A service provider’s Commonwealth privacy obligations, including any obligation to notify under the Notifiable Data Breaches scheme, may therefore not apply to what it does under the agency’s contract. As such, agencies must not rely on a service provider’s Commonwealth privacy obligations; appropriate privacy and data breach terms must be included in the contract.
- 1 Agency includes a Minister.
- 2 Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
- 3 The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
- 4 Y46 and Queensland Police Service [2020] QICmr 3 (4 February 2020), [44]; Price and Nominal Defendant (1999) 5 QAR 80, [18].
- 5 For more information on this point, see OIC’s guideline Documents held by third party legal providers. While this guideline concerns information access applications made under the RTI Act, the applicable statutory tests and legal principles are substantially similar.
Current as at: July 31, 2025