Information Privacy and Other Legislation Amendment Act

The Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act) was passed by Parliament on 29 November 2023. The IPOLA Act amends the Information Privacy Act 2009 (IP Act), Right to Information Act 2009 (RTI Act) and related provisions in other legislation.

Overview and key dates

Overview

The amendments to the IP Act, RTI Act and related provisions in other legislation aim to:

  • Better protect personal information and provide appropriate responses and remedies for data breaches and misuse of personal information by agencies
  • Clarify and improve the operation of information privacy and right to information frameworks
  • Support the operation of the administrative scheme which will provide for the proactive release of Cabinet documents.
  • Commencing on assent - Changed definition of photocopy (to copy)
  • The transfer of reporting on the functions of the Acts, to the Office of the Information Commissioner, is to be advised

Key dates

  • 1 March 2024 – RTI Act amendments that support the proactive release of Cabinet documents
  • Commencing on assent - Changed definition of photocopy (to copy)
  • 1 July 2025 – Anticipated commencement of IPOLA Act
  • 1 July 2026 – Anticipated commencement of Mandatory Notification of Data Breach (MNDB) scheme in local government
  • The transfer of reporting on the functions of the Acts, to the Office of the Information Commissioner, is to be advised.

Key changes for agencies

  • Introduction of a mandatory notification of data breach (MNDB) scheme applicable to all Queensland government agencies (delayed for local government)
  • Adjusted definition of personal information
  • A single set of Queensland Privacy Principles (QPP)
  • Creation of a single right of access and amendment in the RTI Act, including for documents containing personal information
  • Broader control requirements for agencies, including a QPP Privacy Policy, Data Breach Policy, and publication scheme changes
  • Introduction of a response period for agencies managing privacy complaints and reforms to the processing period for access and amendment applications
  • Enhanced powers and functions for the Information Commissioner, including:
    • powers to investigate or act as an own motion in support of compliance with privacy principles and the MNDB scheme
    • power to refer documents to agencies during an RTI external review

What can agencies do to prepare for these changes?

Complete an agency checklist:

  • Does your agency currently have the necessary policies and procedures in place to manage privacy and RTI?
  • Does your agency understand the personal information it holds and the processes in place to manage it?
  • Does your agency assess, record, and manage privacy risks?
  • Does your agency undertake privacy impact assessments where necessary?

Consider the potential impact of the MNDB scheme:

Based on the personal information your agency holds:

  • What are the potential breaches?
  • Can the controls managing potential breaches be improved on?
  • What would the consequence of a breach be, and how would it be mitigated?

The scheme mandates government agencies to publish a Data Breach Policy and maintain a register of eligible breaches. It asks agencies to consider the following:

  • What roles and responsibilities will be necessary to develop and implement the scheme?
  • What procedures will be required to ensure compliance?

Are you engaging with leadership to build awareness of the IPOLA changes and their possible impact?

OIC will share a range of resources which can be used to train and educate staff about the changes and how this will affect government agencies.

What resources are available?

OIC will develop a range of resources and activities to support agencies transition to the new legislation. These include:

  • A range of guidelines, fact sheets and presentations
  • In-person and online training
  • Training materials to help agencies share key information with stakeholders.

These resources will be communicated via OIC’s website and newsletter. Please subscribe to OIC News (When subscribing, select 'News' to receive IPOLA updates).

RTI Act amendments supporting the proactive release of Cabinet documents

The Right to Information Act 2009 (Qld) (RTI Act) has been amended to support the proactive publication of Cabinet documents through an administrative release scheme. The amendments have effect from 1 March 2024, with the commencement of sections 78, 87, 89 and 136 of the Information Privacy and Other Legislation Amendment Act 2023, preceding the proactive release of Cabinet documents which we understand will occur for the Cabinet meeting of 25th March 2024 onwards. Read more here.