Queensland will implement a mandatory data breach notification scheme, after the passage of the Information Privacy and Other Legislation Amendment Act 2023.

State government agencies will be required to comply from July 1, 2025, while local government agencies will have a further year until July 1, 2026.

It will require agencies to notify affected individuals and the Office of the Information Commissioner of eligible data breaches that could result in serious harm.

Queensland Attorney-General Yvette D’Ath, said, “This legislation responds to a wide range of recommendations outlined in several key reports.

“In doing so, it implements critical reforms which go to the heart of Queensland’s integrity framework.

“This will empower affected individuals to take action that will reduce the risk of adversity from a data breach.” 

The Queensland scheme follows implementation of mandatory data breach notification by the Australian federal and NSW Governments.

The Queensland Act was passed following several reviews, including two key reports of the Crime and Corruption Commission, a review of right to information and privacy legislation, and the Coaldrake review into the Queensland public sector.

It includes additional reforms designed to provide greater consistency with the Commonwealth Privacy Act; Reforms to the Right to Information framework to reduce red tape and deliver efficiencies for applicants and agencies; and amendments to the Criminal Code to increase the maximum penalty for conduct relating to the misuse of restricted computers.

“This legislation responds to a wide range of recommendations outlined in several key reports,” D’Ath said.

“In doing so, it implements critical reforms which go to the heart of Queensland’s integrity framework.