Major changes proposed to privacy and right to information framework 12 min read
The recently released consultation paper on Queensland's privacy and right to information framework outlines significant proposed reforms. This Insight explains the key suggested changes and their potential impacts.
- The consultation paper considers whether a number of key changes should be made to Queensland's information privacy framework (the Information Privacy Act 2009 (Qld) (the IP Act) and Right to Information Act 2009 (Qld) (the RTI Act)) , including by introducing a mandatory data breach notification scheme for entities subject to the IP Act.
- If implemented, the changes would create greater national consistency in privacy frameworks but not resolve some of the key questions around privacy law that are currently under consideration federally.
- The paper also seeks views on proposed reforms aimed to clarify and improve the operation of the information privacy and right to information frameworks.
- Government agencies, and any government owned corporations (GOCs) currently subject to the information access frameworks under the Right to Information Act and IP Act, should contemplate the extent to which the proposed changes would relieve or enhance their administrative and resource burdens, and consider providing feedback accordingly. Consultation is currently open, with the deadline for written submissions 5pm on 22 July 2022.
- The key changes include introducing:
- a mandatory data breach notification scheme (the mandatory DBN scheme) for agencies and entities subject to the IP Act, in a similar form to the regime in the Privacy Act 1988 (Cth) (the Privacy Act); and
- a number of other proposed alignments with the Privacy Act, including:
- an aligned definition of personal information;
- a single set of privacy principles based on the Australian Privacy Principles (the APPs); and
- enhanced powers for the Information Commissioner to respond to privacy breaches, including an 'own motion' power to investigate an act or practice without having received a privacy complaint; and
- a new criminal offence under the Queensland Criminal Code for misuse of confidential information by public officers.
These changes would largely impact public sector agencies, and if implemented, would create greater national consistency in privacy frameworks. However, this wouldn't resolve some of the key questions regarding the challenges in privacy law that are currently under consideration at the federal level (for more about the current consultations on the Privacy Act, see our Insights here and here). This may ultimately have the effect of bringing the IP Act into line with a federal legislative framework that subsequently receives a further regulatory uplift.
- The paper also seeks views on proposed reforms aimed to clarify and improve the operation of the information privacy and right to information frameworks, which would impact both government agencies, and any government owned corporations subject to the information access frameworks under these Acts.
- Notably, it proposes to amend the RTI Act to provide clearer criteria for prescribing entities as public authorities, and introduce non-binding factors to provide guidance on whether to prescribe an entity (including clarifying that Corporations Act 2001 (Cth) entities can be caught). While these amendments don't change the scope of entities that can be declared public authorities, the proposed changes suggest such entities are more likely to be declared public authorities in the future where connected to government agencies.
- Other proposed changes are largely procedural, and relate to making and processing applications under the Acts, exemptions from the disclosure requirements under the RTI Act, internal and external reviews under the RTI Act, application of the IP Act, and a number of privacy issues.
The consultation paper comes in the wake of several recent reports that have considered the ongoing adequacy of the frameworks established under the IP and RTI Acts. Recognising the growth of the impact of technological developments on information privacy and access to personal information, the paper considers a number of recommendations made in these reports, most notably in:
- the report on the Review of the Right to Information Act 2009 and Information Privacy Act 2009 (available here);
- the Crime and Corruption Commission (CCC)'s report, Operation Impala: Report on misuse of confidential information in the Queensland public sector (available here); and
- the CCC's report, Culture and Corruption Risks in Local Government: Lessons from an investigation into Ipswich City Council (the Windage Report) (available here).
There are two parts to the consultation paper. Part A considers whether key changes should be made to Queensland's information privacy framework to better protect personal information, and provide appropriate remedies and responses for the misuse of personal information by public sector agencies. Part B considers proposed changes to the information access regimes under the IP and RTI Acts to clarify and improve their operation.
This part seeks views on the following issues and proposals relating to Queensland's information privacy framework under the IP Act.
- Mandatory DBN scheme: The consultation paper proposes introducing a mandatory DBN scheme based on the federal Notifiable Data Breaches scheme under the Privacy Act, which would require agencies to notify the Office of the Information Commissioner (the OIC) and an affected individual of an 'eligible data breach'. This is defined in the same manner as under the Privacy Act, to involve unauthorised access to, unauthorised disclosure of, or loss of personal information that would be likely to result in serious harm to any of the affected individuals.
Relevant procedural matters are also proposed to be the same as in the Privacy Act, including:
- requiring expeditious assessment of suspected eligible data breaches, which agencies must take reasonable steps to complete within 30 days; and
- requirements regarding the content and method of notification.
Exceptions to the requirement to comply with the mandatory DBN scheme would include enforcement-related activities, where compliance would be inconsistent with secrecy provisions and where the OIC declares that notification isn't required. The OIC would have an oversight role with functions and powers to monitor and ensure compliance with the scheme.
- Other alignments with the Privacy Act: A number of other reforms are proposed to further align the Queensland and federal privacy frameworks:
- Definition of personal information: The paper seeks views on whether the definition of personal information in the IP Act should be amended to reflect the definition under the Privacy Act. This would entail changing the requirement that personal information be 'about an individual whose identity is apparent, or can reasonably be ascertained', to the requirement that personal information be about 'an identified individual, or an individual who is reasonably identifiable'. The paper argues that adopting the Privacy Act definition, which is broader and more flexible than the current definition, would ensure consistency between the Queensland and federal frameworks. However, it notes this would arguably not address the existing uncertainty surrounding the scope of the Privacy Act definition, including in relation to whether it captures online identifiers and other technical data about individuals. For discussion of these issues, see our Insights here and here.
- A single set of privacy principles: Currently, the IP Act contains two sets of privacy principles: the National Privacy Principles (the NPPs) (which apply to health agencies) and the Information Privacy Principles (the IPPs) (which apply to all other agencies). To reduce compliance costs and work towards national consistency, the paper proposes adopting a single set of privacy principles for Queensland that are broadly consistent with the APPs, to the extent those principles apply to agencies. The consultation paper sets out a proposed set of privacy principles (termed Queensland Privacy Principles or QPPs), and seeks views on whether they should be adopted in their current or a modified form. Government agencies should note that while adopting a single set of principles consistent with the APPs could ultimately reduce compliance costs, there would likely be administrative and resource implications for agencies. Agencies will have to familiarise themselves with a new set of principles, and adapt their practices, procedures and systems accordingly.
The paper also seeks views on whether the IP Act should prescribe a non-exhaustive list of matters that must be taken into account by agencies when determining 'reasonable steps' to take to protect personal information they hold from unauthorised access, use, disclosure, modification, and from any other misuse, as would be required under the proposed QPPs. This would go beyond the current Privacy Act approach, though amendments along a similar line have been suggested in the current Privacy Act review process (more in line with certain approaches taken under the European General Data Protection Regulation). An alternative proposal is for the IP Act to mandate that the OIC produce specific guidelines on what 'reasonable steps' would entail in this context.
- Enhanced powers and functions for the OIC to respond to privacy breaches: Feedback is also sought on whether the powers of the OIC should be enhanced to provide it with 'own motion' powers to investigate an act or practice that may be a breach of the privacy principles, in line with similar powers under the Privacy Act, and allow the OIC to intervene in tribunal or court proceedings involving the IP Act (with the leave of the court or tribunal). The paper also seeks views on whether the OIC should be given a power to make declarations, based on the federal model under the Privacy Act, after an own-motion investigation has been conducted.
- Criminal sanctions for misuse of personal information by public officers: In light of the particular position of trust that public sector employees hold by virtue of their office, and the potential loss of public confidence that can result from misuse of confidential information by public sector employees, the consultation paper considers the creation of a new criminal offence of misuse of confidential information by public officers. It seeks views on whether a new offence is required to effectively prosecute misuse of confidential information, or whether existing provisions in the Criminal Code and other legislation are already adequate.
Part B discusses proposals for reforms aimed to clarify and improve the operation of the information privacy and right to information framework. Many of these proposed changes will also affect GOCs who are subject to the information access frameworks under this legislation.
- Application of the RTI Act to particular entities: Under the RTI Act, an entity can be declared a public authority (and therefore subject to the Act) if it meets any of the following criteria:
- it is supported directly or indirectly by government funds or other assistance; or
- the government is in a position to exercise control over it; or
- it is established under an Act; or
- it is given public functions under an Act.
It is proposed to amend the RTI Act to provide clearer criteria for prescribing entities as public authorities, including by clarifying that entities can be prescribed for only part of their functions, and to clarify that companies under the Corporations Act can be prescribed. It is also proposed to introduce non-binding factors to provide guidance on whether to prescribe an entity, including the size of the entity, the purpose of the entity (including whether it is performing functions generally identified with the functions of government), the extent to which functions of the entity have previously been undertaken by government, and, if the entity is a company, whether it is limited by shares. These proposals come in the wake of the Windage Report, which found that private entities established by local governments can create corruption risks through lack of oversight and transparency.
While these amendments don't change the scope of entities that can be declared public authorities and therefore subject to the RTI Act, they suggest that such entities are more likely to be declared public authorities in the future.
- Other procedural reforms: Numerous other procedural reforms are proposed to simplify and streamline operation of the IP and RTI Acts. These relate to:
- Making applications: It is proposed to establish a single right of access to information under the RTI Act (regardless of whether the information requested is the applicant's personal information), remove the requirement for applications to be in the approved form, and relax some identification requirements;
- Processing applications: A number of changes to the RTI Act are suggested to streamline the processing of applications: eg to provide for a single period of time for processing applications, and extend the timeframe for a decision that a document or entity is outside the scope of the Act;
- Exemptions: It is proposed to introduce a new exemption in Schedule 3 of the RTI Act for matters affecting relations with other governments. The exemption would apply if disclosure of information could reasonably be expected to cause damage to relations between Queensland and another government, or divulge information communicated in confidence by or for another government.
- Internal and external reviews: A number of reforms to the RTI Act are proposed relating to processes for internal and external reviews, including to remove the right of internal and external review to the OIC of a decision by a judicial or quasi-judicial entity that an application is outside the scope of the Act, and to allow agencies to extend the time in which they must make internal review decisions;
- Application of the IP Act to subcontractors: It is proposed to extend privacy obligations in the IP Act to subcontractors, and require contracted service providers to take all reasonable steps to ensure a subcontracted service provider is contractually bound to comply with the privacy principles.
- Privacy issues: Various changes relating to privacy issues are put forward, such as introducing certain requirements for lodgement of a privacy complaint and allowing agencies to request extensions of time for resolution of privacy complaints. However, if some of the reforms proposed under Part A are implemented, some of these suggested reforms may no longer be relevant; and
- Other issues: A number of possible reforms to the RTI Act in relation to requirements for disclosure logs, publication schemes and annual reporting are proposed to minimise administrative burden. For instance, it is proposed to remove some requirements to include certain information on a disclosure, and to implement less onerous requirements relating to information that must be published under a publication scheme.
The Queensland Government is seeking views on the proposed changes from a wide range of stakeholders, including individuals, interest groups, government agencies, statutory bodies, and the legal sector. Written submissions close at 5pm on 22 July 2022, and can be made by email to PrivacyandRTIreforms@justice.qld.gov.au. For more information, see here.
If you have any questions, please get in touch.