The Queensland government has introduced a bill to set up a mandatory data breach notification scheme.
The introduction of the scheme comes about 15 months after it was recommended to be introduced by the Coaldrake review into the culture and accountability of the Queensland government.
Queensland will join NSW as “the only other state to introduce such a scheme”, the government said.
“Recent high profile data breaches demonstrate that loss or unauthorised access or disclosure of personal information has the potential to result in serious harm to individuals,” Attorney-General Yvette D’Ath said in a statement.
“That’s why we are establishing this scheme so there are clear, consistent requirements to notify individuals of data breaches of Queensland government agencies, so that individuals are empowered to take steps to reduce the risk of harm resulting from a data breach.”
If a Queensland government agency suspects it has been breached, it must “take all reasonable” containment steps, and will generally have up to 30 days to assess the incident, although it can extend the assessment period via a written notice.
There is also a series of exemptions, under Division 3, from issuing notifications; these include cases where notifying could “compromise or worsen the agency’s cyber security; or lead to further data breaches of the agency.”
Agencies will need to keep a “register” of breaches and publish a “data breach policy”.
A survey of Queensland agencies back in June found they had “more work to do” to prepare for the introduction of the scheme.
Legislation covering the scheme also seeks to align Queensland privacy principles with the Australian Privacy Principles.
“This will provide a stepping stone for further reform following any legislation arising out of the Commonwealth government’s review of the [federal] Privacy Act,” the Queensland government said.