Data Compliance updates for 4 Jan 24
A bill was submitted end of 2023 to make changes to the existing Information Privacy Act 2009 (Qld). The reason they have submitted this bill is to bring Qld privacy laws closer to match the Australian federal privacy laws.
The proposed changes are:
Changing the definition of “personal information” to match the federal Privacy Act 1988.
To combine the current National Privacy Principles (NPP) and the Information Privacy Principles (IPP) into one document called the Queensland Privacy Principles (QPP).
To introduce a new, mandatory, regime for data breaches.
Give new powers of investigation to the Queensland Information Commissioner.
What you need to know/ What it means for CAM practitioners:
Follow the mean of “personal information” as per the Privacy Act 1988.
The QPP aims to mimic the Australian Privacy Principles (APP) - so just use the APP as your main guide.
If the bill passes, in about 1 year you will need to be familiar with the new guidelines and have your clinic compliant to their new regulations to avoid a potential fine of up to $15,480.
What you need to do:
Check your clinic data management of personal information matches that of the Australian Privacy Principles
Make sure no one unauthorised can access your data
Have a data breach plan in place that outlines the strategy you will take in the event of a data breach
The extra details:
1: The proposed mandatory data breach regime:
Why: to make businesses liable if they have a data breach. To bring in consequences for businesses that are not taking data management seriously.
What: A data breach in relation to personal information will include:
If your clients’ information can be accessed by someone unauthorised or it is disclosed to someone unauthorised which results in serious harm to that person.
You lose your clients information - where someone has gained unauthorised access to your clients’ information and results in serious harm to that person.
Under the new data breach regime, you will be expected to:
If you suspect a data breach you must:
Do everything you can to contain it (stop it from spreading) and try to correct it and stop harm from coming to that person.
You have 30 days to report the data breach if it is classified as an eligible data breach. In the report you need to include:
Date of the breach
Type of information taken
How it happened
The steps you took to contain it
The steps you took to advice the victim/s
2: The additional Commissioner powers:
What: the commissioner can investigate a breach if they suspect a data breach or non-compliance to the QPP.
The investigation can include:
Entering your business property
Inspecting your documents
Asking for a demonstration on how you handle your data
Prove your compliance to the QPP
Non-compliance can be up to fines of $15,480
References and more information: