Queensland has introduced a new data breach notification law, set to take effect on July 1, 2025. The Information Privacy and Other Legislation Amendment Act 2023 (Qld) was passed on December 4, 2023, marking a significant change. Previously, agencies were not required to notify the Office of the Information Commissioner Queensland (OICQ) of data breaches. However, the new law introduces a mandatory notification system for breaches, aiming to increase transparency and protect individuals’ privacy.
Under the new law, an “eligible data breach” will require notifications if there is unauthorized access, disclosure, or loss of personal information. This includes situations where unauthorized access or disclosure could result in serious harm to individuals. When these conditions are met, both the OICQ and affected individuals must be informed. The act emphasizes that the risk of harm to the individual is a critical component in triggering notifications.
In cases where unauthorized access or disclosure happens, but serious harm is unlikely, agencies will not be required to notify the OICQ. However, these incidents are still considered data breaches. It is essential for agencies to assess whether an event meets the criteria for a mandatory notification, which will require careful evaluation of the risk to the affected individuals. The new guidelines issued by the OICQ offer practical advice on how agencies can comply with the notification requirements.
Agencies in Queensland are encouraged to begin preparing for the new law by reviewing their current privacy practices. This includes creating a process for detecting, evaluating, and reporting eligible data breaches. By July 2025, Queensland agencies must be ready to follow these new regulations, ensuring better protection of personal information and compliance with the law.
ve organizations the time needed to adapt to these changes while strengthening overall internet security.