29 July 2022

Submission by the Office of the Australian Information Commissioner

Introduction

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to respond to the Department of Justice and Attorney-General’s (the Department) Consultation Paper on proposed changes to Queensland’s Information Privacy and Right to Information Framework (Consultation Paper).

2 The purpose of the Consultation Paper is to consider whether changes should be made to Queensland’s information privacy and right to information frameworks to clarify and improve their operation and, in relation to the information privacy framework, to better protect personal information.

3 The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth)), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).

4 The OAIC’s key role is to meet the needs of the Australian community in relation to the regulation of privacy and FOI by promoting and upholding privacy and information access rights.[1]

5 We draw on our privacy and FOI regulatory experience in this submission to highlight the benefits of alignment between the Queensland privacy framework and the federal privacy scheme and set out our view of the key principles of an effective information access framework to help inform the Department’s consideration of changes to the right to information scheme.

The value of nationally consistent privacy regulation

6 The Consultation Paper sets out key principles to guide the proposed reforms including that ‘as far as possible, there should be consistency in privacy rights and obligations across jurisdictions and information types’.[2] To this end, it seeks feedback on proposals to more closely align the Information Privacy Act 2009 (Qld) (IP Act) with the Privacy Act, including by aligning the definition of personal information, adopting a single set of Queensland Privacy Principles that are broadly consistent with the Australian Privacy Principles (APPs) and introducing a mandatory data breach notification scheme.

7 One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information.[3] The APPs promote national consistency of regulation by providing minimum baseline standards that are applicable to both Australian government agencies and private sector organisations covered by the Privacy Act.

8 The Privacy Act also contains the mandatory Notifiable Data Breaches (NDB) scheme, which commenced in February 2018. The NDB scheme requires entities covered by the Privacy Act to notify affected individuals if their personal information is involved in a data breach that is likely to result in serious harm (‘eligible data breach’).

9 As noted in the Consultation Paper, inconsistent regulation can give rise to unjustified compliance costs, particularly for entities that may be subject to more than one set of privacy obligations, and may also limit individuals’ understanding of their privacy rights.

10 Alignment is also particularly important as Commonwealth, state and territory governments are increasingly working together on national initiatives that involve sharing information across jurisdictions. In many instances, these initiatives rely on jurisdictions across Australia having privacy frameworks that are equivalent to the protections afforded by the Privacy Act, including commensurate protections for personal information such as mandatory data breach notification requirements.

11 By way of example, the Data Availability and Transparency Act 2022 (Cth) (DAT Act) establishes a data sharing scheme that enables accredited Commonwealth, State or Territory government bodies to request Australian Government data and includes measures to ensure that personal information shared under the scheme is handled consistently with the privacy obligations in the Privacy Act. Specifically, all data scheme entities must meet the privacy coverage condition by either being subject to the Privacy Act or comparable privacy protections.

12 The privacy coverage condition can only be met by a State or Territory law that provides for all of the following:

  1. protection of personal information comparable to that provided by the APPs
  2. monitoring of compliance with the law
  3. a means for an individual to seek recourse if the individual’s personal information is dealt with in a way contrary to the law.[4]

13 Similar privacy coverage requirements also apply in other proposed legislative schemes that will encompass both Commonwealth and State government entities, such as in the Trusted Digital Identity legislative package.[5]

14 In our oversight of the NDB scheme, we have also observed the intersection of data breaches affecting multiple entities, including state and territory government agencies and entities covered by the Privacy Act, and the resultant fragmentation of responsibilities and rights regarding data breaches that transcend borders.

15 Consistency of regulation across domestic jurisdictions will reduce compliance burdens and cost and provide clarity and simplicity for regulated entities and the community. Alignment of rights and obligations with the Privacy Act will ensure that Australians’ personal information is subject to similar requirements whether that personal information is handled by an Australian Government agency, a state or territory government agency, or private sector organisations. For these reasons, we recommend that the reforms to Queensland’s privacy framework should, to the extent possible, align with the requirements of the Privacy Act and APPs.

Right to Information framework

16 The Consultation Paper also seeks feedback on proposed changes to Queensland’s right to information framework to clarify and improve the operation of that framework.

17 The OAIC considers that any reforms to Queensland’s right to information framework should continue to be informed by the following key principles:

  1. information held by government and public institutions is a public resource, and public access to it should be prompt and at the lowest reasonable cost
  2. decision making on information access requests should be timely and efficient
  3. formal requests under right to information legislation should be complemented by provisions that require the proactive publication of government information and schemes that facilitate administrative access and informal release of government information
  4. information access schemes should incorporate alternative dispute resolution mechanisms for parties to resolve applications by agreement without the need for a formal decision, as well as merits review
  5. information access schemes should be relevant for the digital age, which includes examining the use of the word ‘document’ in light of technological advancements.

Conclusion

18 As noted above, the OAIC suggests that proposed reform measures in relation to Queensland’s privacy framework should seek to align with the federal privacy scheme where possible to promote national consistency and ensure privacy protections are commensurate across domestic jurisdictions. In addition, we suggest that the Department have regard to the key principles of an effective information access framework when considering reforms to Queensland’s information access laws.

19 The OAIC is available to discuss any aspect of this submission and we welcome further engagement with the Department as it progresses the law reform process.

20 It is also relevant to note that the Commonwealth Attorney-General’s Department has policy responsibility for the Privacy Act and FOI Act and is also currently conducting a review of the Privacy Act.[6] The Department may also wish to engage with the Attorney-General’s Department as part of its consultation process and to ensure alignment with the direction of the broader Privacy Act reforms.

Footnotes

[1] OAIC, Annual Report 2020-21, OAIC, 21 October 2021, accessed 18 July 2022.

[2] Department of Justice and Attorney-General, Consultation Paper – Proposed changes to Queensland’s Information Privacy and Right to Information Framework, Department of Justice and Attorney-General, June 2022, p 8.

[3] Privacy Act 1988 (Cth) s 2A(c).

[4] Data Availability and Transparency Act 2022 (Cth) s 16E(1)(d).

[5] Exposure Draft Trusted Digital Identity Bill 2021 (Cth) cl 65.

[6] Attorney-General’s Department (AGD), Privacy Act Review – Discussion paper, AGD, 25 October 2021, accessed 13 July 2022. The OAIC has published its response to the Discussion Paper making 113 recommendations for privacy law reform – OAIC, OAIC Submission to Privacy Act Review Discussion Paper, OAIC website, 23 December 2021, accessed 13 July 2022.