26 June 2022

Qld Privacy Regime

The Queensland Government's Consultation Paper on Proposed Changes to Queensland's Information Privacy and Right to Information Framework states:

The Queensland Government is considering whether certain changes should be made to the framework for information privacy (which regulates how public sector agencies handle personal information) and right to information. 
 
The purpose of this Consultation Paper is to consider: 
 
Part A Information privacy reforms - To consider whether key changes should be made to Queensland’s information privacy framework to better protect personal information and provide appropriate remedies and responses for the misuse of personal information by public sector agencies. 
 
Part B Right to information and information privacy reforms - To consult on proposed changes to Queensland’s information privacy and right to information framework to clarify and improve the operation of that framework. 
 
Why are these changes being considered? 
 
A number of reports have made recommendations for change to Queensland’s information privacy and right to information framework including:
  • the report on the Review of the Right to Information Act 2009 and Information Privacy Act 2009 (Review Report); 
  • the Crime and Corruption Commission (CCC)’s report, Operation Impala, A report on misuse of confidential information in the Queensland public sector (Impala Report); 
  • the CCC’s report, Culture and Corruption Risks in Local Government: Lessons from an investigation into Ipswich City Council (Windage Report); and 
  • the Strategic Review of the Office of the Information Commissioner (Strategic Review Report). 
This Consultation Paper considers certain recommendations for change from these reports. 
 
Principles relevant to proposed reform 
 
Individuals have a right to have their personal information protected from unlawful and arbitrary interference. This is consistent with the right to privacy in the Human Rights Act 2019 (Qld) (HR Act). Appropriate support, remedies and responses should exist in relation to the misuse/unauthorised disclosure of personal information. The law should provide a range of means to prevent, reduce or redress serious breaches of privacy and it should facilitate appropriate access to justice for those affected. 
 
Members of the public should have access to information held by government. This is consistent with the right to freedom of expression in the HR Act and is central to achieving accountability and transparency in government. 
 
Consumers, businesses, and agencies should have clarity about their rights and obligations under privacy and right to information law. The law should be precise and certain, but also flexible and able to adapt to changes in social and technological conditions. 
 
As far as possible, there should be consistency in privacy rights and obligations across jurisdictions and information types. Consistency in laws of different jurisdictions will lessen compliance burdens and costs and make it easier for individuals wanting to make a privacy complaint. ... 
 
Consultation questions 
 
Below is a list of all the consultation questions in the Consultation Paper. However, any comments on the proposed reforms are welcome. 
 
Part A: Proposed Privacy Reforms 
 
Definition of Personal Information 
 
1. Should the definition of personal information in the Information Privacy Act 2009 (IP Act) be amended to reflect the definition which is currently in the Privacy Act 1988 (Cth) (Privacy Act)? 
 
A Single Set of Privacy Principles 
 
2. Should the proposed Queensland Privacy Principles (QPPs) be adopted in Queensland? 
 
3. If not, in what ways should they be changed?

Reasonable Steps for the protection of personal information
 
4. What are the benefits and disadvantages of defining the factors that must be considered in ‘reasonable steps’ for proposed QPP 9 in the IP Act? 
 
5. Could these factors be applied to other relevant parts of the IP Act? 
 
6. Would statutory guidelines produced by Office of the Information Commissioner (OIC) be more flexible and useful? 
 
Enhanced powers for the Information Commissioner to respond to privacy breaches 
 
7. Should the Information Commissioner be given a power to conduct an ‘own motion’ investigation into whether there has been a breach of the privacy principles? 
 
8. Should the Information Commissioner be given a power to make declarations, based on the Commonwealth model, after an own-motion investigation has been conducted? 
 
9. Should the OIC have the power to intervene in tribunal or court proceedings, involving the IP Act? 
 
10. Do you have any other comments about the powers and roles of the OIC, including the current range of support services provided by the OIC? 
 
Mandatory data breach notification (DBN) scheme 
 
11. Is the mandatory DBN scheme as outlined in this Consultation Paper suitable for adoption in Queensland?

12. If not, in what ways should it be changed?
 
13. Would the Information Commissioner require any additional powers to monitor and provide oversight to the mandatory DBN scheme? 
 
Criminal sanctions for misuse of personal information by public officers 
 
14. Is a new criminal offence required to prosecute offences for misuse of confidential information, or are existing provisions in the Criminal Code Act 1899 (Criminal Code) and other legislation adequate? 
 
15. Do you have any other comments about this issue? 
 
Part B: Further proposed right to information and information privacy reforms 
 
Feedback is sought on the proposed right to information and information privacy reforms, including to both the IP Act and the RTI Act outlined in this part. 
 
Queensland’s Information Privacy and Right to Information Framework 
 
Framework 
 
The RTI Act and the IP Act

Queensland’s framework for right to information and information privacy includes the RTI and IP Acts. The Right to Information Act 2009 (RTI Act) provides a right of access to government information unless, on balance, it is contrary to the public interest to release the information. The IP Act contains privacy principles governing the collection, storage, transfer, use and disclosure of personal information in the public sector. It also provides a formal mechanism for a person to apply to access or amend their own personal information.
 
The OIC is an important part of Queensland’s information privacy and right to information framework. The OIC is an independent body established to promote access to government-held information and protect personal information held by the public sector. 
 
The importance of right to information and information privacy regulation 
 
Right to information and freedom of information laws 
 
Right to information and freedom of information laws play an important role in modern democratic societies. They are recognised as a means of achieving greater participation in government decision-making and greater accountability by government for the decisions they make. The repealed Freedom of Information Act 1992 (the FOI Act) was passed following recommendations made by the Fitzgerald Inquiry, the Electoral and Administrative Review Commission and the Parliamentary Committee for Electoral and Administrative Review.

Following an extensive review of Queensland’s freedom of information laws by a panel of experts chaired by Dr David Solomon, AM, the FOI Act was replaced by the RTI Act and the IP Act.
 
All Australian jurisdictions, as well as many other countries, have right to information or freedom of information legislation. Its democratic purpose is to confer a legal right of access to information held by the government unless disclosure is contrary to the public interest. 
 
It is broadly acknowledged that this legislative right:
  • provides a mechanism for individuals to see what information is held about them on government files and to seek to correct that information if it is wrong or misleading;
  • enhances the transparency and accountability of policy-making, administrative decision-making and government service delivery; and 
  • provides for a community that is better informed and thus able to participate more effectively in the nation.  
Privacy legislation 
 
Closely related to the right to information held by government are specific rights in relation to the handling of personal information by government. All Australian jurisdictions, except Western Australia and South Australia, have privacy legislation that regulates the handling of personal information by government. 
 
Other applicable laws/frameworks 
 
The HR Act 
 
Queensland’s HR Act protects 23 human rights. The right to privacy (section 25) protects privacy in a broad sense, including personal information and data collection. Individuals have a right not to have their privacy unlawfully or arbitrarily interfered with. This means any interference with their privacy must not only be lawful but also not capricious, unpredictable, unjust or unreasonable (in the sense of not being proportionate to a legitimate aim that is sought). The protection of the right to privacy expresses the fundamental values of ‘physical and psychological integrity, and the autonomy and inherent dignity of the person.’ There is a strong connection between dignity, personal identity and autonomy and a person’s name, including the collection and use of personal information.

The right to freedom of expression (section 21) includes the right to seek and receive information from government. The importance of freedom of expression to a democratic system of government is recognised in both human rights and the common law where it has been stated that: ‘In a democracy it is the primary right: without it an effective rule of law is not possible.’
 
The HR Act requires each arm of government to act compatibly with human rights. This means that parliament must consider human rights when proposing and scrutinising laws, that courts and tribunals must, so far as is possible to do so, interpret legislation in a way that is compatible with human rights, and that public entities must act and make decisions in a way that is compatible with human rights. 
 
The Privacy Act 
 
Queenslanders’ privacy is also protected by the Privacy Act, which contains Australian Privacy Principles (APPs) which protect personal information where it is collected and handled by ‘APP entities’. These ‘APP entities’ include Commonwealth agencies and organisations, businesses with an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies and businesses that sell or purchase personal information. The Privacy Act does not generally apply to Queensland agencies, however Government Owned Corporations (GOCs) under the Government Owned Corporations Act 1993 are APP entities and are subject to the APPs. 
 
Other confidentiality provisions 
 
Many legislative provisions across the Queensland statute book also regulate how information is collected, stored, used and disclosed. These provisions generally prohibit the use or disclosure of personal information gained in the administration of the legislation unless an exception applies. 
 
Information Security Policy 
 
Queensland Government departments and statutory bodies are required to consider the Queensland Government Enterprise Architecture (QGEA) – the digital and Information and Communication Technology (ICT) strategies, policies and publications that guide agency digital and ICT investments. The Information Security Policy (IS18:2018) under the QGEA seeks to ensure all departments apply a consistent, risk-based approach to the implementation of information security to maintain confidentiality, integrity and availability. 
 
The Information Security Policy requires departments to meet stringent information security requirements. These include compliance with the Queensland Government Information Security Classification Framework, a data encryption standard, and an Authentication Framework. They must also implement an Information Security Management System to protect all information, application and technology assets.
 
Part A: Proposed Privacy Reforms 
 
This part seeks feedback on whether key changes should be made to Queensland’s information privacy framework to better protect an individual’s personal information and provide appropriate remedies and responses for the misuse of personal information by public sector agencies. 
 
Information Privacy – Key themes and developments 
 
Common themes in privacy 
 
A number of recent reports both in Queensland and elsewhere have raised common themes about the handling of personal information by public sector agencies. These include:
  • the increasing breadth of personal information held by public sector agencies (including personal details such as residential addresses, phone numbers, emails, court orders, information about children, medical information and financial information);
  • growing community expectations that personal information should be respected and kept private by agencies authorised to collect, store and use it; 
  • the serious impacts on individuals of misuse of personal information by public sector agencies, and the breach of trust represented by that misuse; and 
  • that personal data is an increasingly valuable commodity and may be sought and exploited by commercial enterprises seeking market advantage or an extended consumer base, or even stolen or appropriated for use in criminal activity such as identity fraud and cybercrime.
The Impala Report detailed the serious impacts that a data breach can have on an individual including embarrassment, distress, reputational harm and financial loss. It also highlighted the case of Zil v Queensland Police Service [2019] QCAT 79 which involved a police officer’s disclosure of Zil’s residential address to her ex-husband where there was a history of domestic violence. Misuse of confidential information in cases of domestic and family violence can not only impact a person’s safety and cause distress and psychological harm but, as the Impala Report detailed, may also have other wide-ranging impacts including incurring costs associated with moving to a new house; children having to change schools; and change of employment. 
 
The Impala Report recommended legislative change (including to the IP Act) to provide enhanced remedies and responses for victims of the misuse of confidential information. 
 
The Review Report also made a number of recommendations for legislative change or further research into whether changes should be made to Queensland’s framework for protection of personal information.
 
Recurring recommendations 
 
This part addresses a number of recommendations arising from the recurring themes in the various privacy reports and reviews including: 
  • updating the definition of ‘personal information’ to be more flexible and technology neutral (including to capture a variety of technical data collected in relation to individuals) and for consistency with the Privacy Act; 
  • a single set of privacy principles based on the Commonwealth APPs; 
  • enhanced powers for the Information Commissioner to respond to privacy breaches including an own motion power to investigate an act or practice without having received a privacy complaint; and an amicus curiae role in relation to privacy complaint proceedings in the Queensland Civil and Administrative Tribunal (QCAT); 
  • a mandatory DBN scheme for Queensland to improve the protections and remedies available to victims who have had their personal information unlawfully accessed and/or disclosed by public sector employees; and
  • a new criminal offence in the Criminal Code for offending related to misuse of confidential information.
Out of scope 
 
This Consultation Paper will not address the following areas/recommendations: 
 
A statutory tort for invasion of privacy - This was a recommendation made in a number of reports, including the Impala Report. It is understood that as part of the review of the Privacy Act, the Commonwealth Government is considering whether there should be a similar statutory tort in Australia. Consideration at the Commonwealth level would arguably lead to greater consistency and uniformity in approach.

A new statutory scheme for civil surveillance - This was recommended by the Queensland Law Reform Commission (QLRC) in its report, Review of Queensland’s Laws relating to civil surveillance and the protection of privacy in the context of current and emerging technologies. While the RTI and IP Acts relate to the handling of personal information by government, the QLRC Report has a much broader scope, focused on privacy of location and space in the broader community as impacted by both the actions of government and private individuals and organisations. Queensland’s current legislation, the Invasion of Privacy Act 1971, reflects the current regulatory response in this space but is currently limited in its application to listening devices.