Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Queensland: State Parliament approves mandatory data breach scheme for Government agencies

On November 29, 2023, the Attorney General, the Minister for Justice, and the Minister for the Prevention of Domestic and Family Violence announced that the Information Privacy and Other Legislation Amendment Act 2023 was passed by the Queensland Parliament, creating, among other things, a mandatory data breach notification scheme (MDBN Scheme).

What are the new requirements introduced by the MDBN Scheme?

In particular, the MDBN Scheme provides for obligations in relation to data breaches that involve unauthorized access to, or unauthorized disclosure of, personal information, and that are likely to result in serious harm to affected individuals (eligible data breaches). The MDBN Scheme requires that Government agencies, among other actions:

  • assess whether there are reasonable grounds to believe that the data breach is an eligible data breach within the scope of the MDBN Scheme;
  • immediately take reasonable steps to contain and mitigate the harm caused by a confirmed or suspected eligible data breach;
  • notify affected individuals and the Office of the Information Commissioner (OIC) in case of eligible data breaches; and
  • prepare a statement to the OIC with a description of the kind of personal information affected by the data breach, the steps recommended by the agency to respond to the incident, and the total number or an estimate of the individuals affected, among other things.

What are the exemptions under the MDBN Scheme?

Notably, the obligations under the MDBN Scheme do not apply, among other situations, if:

  • the agency has taken mitigation steps before any harm affects individuals and, as a result, the data breach is no longer likely to cause serious harm to any individual; and
  • compliance with the MDBN Scheme would:
    • be inconsistent with a provision that prohibits or regulates the use or disclosure of information;
    • create a serious risk of harm to an individual's health or safety; or
    • compromise or worsen the agency's cybersecurity or lead to further data breaches within the agency.

The MDBN Scheme also provides for specific obligations regarding data breaches that affect more than one Government agency.

When will the Act enter into force?

The MDBN Scheme is not expected to enter into force until July 1, 2026, while other amendments provided under the Act are set to commence on July 1, 2025.

The MDBN Scheme is expected to improve privacy protections available to individuals by strengthening and regulating the response to data breaches by Government agencies.

You can read the press release here, the Information Privacy and Other Legislation Amendment Act 2023 here, and view its history here.