Queensland’s parliament has passed a mandatory data breach notification scheme, affecting state agencies from mid-2025 and local governments from mid-2026.
The state’s Attorney-General Yvette D’Ath said in a statement that Queensland joins NSW as the only states “to legislate such a scheme”.
The NSW scheme came into effect earlier this week.
There is also a mandatory data breach notification scheme at a federal level, but it largely affects federal agencies and private organisations that exceed an annual turnover threshold, not state or local government.
D’Ath said the “requirement for notification will prompt [Queensland] agencies to consider data security issues and will make them more proactive in preventing and managing data breaches.”
“The mandatory data breach notification scheme is significant and will enhance public confidence in Queensland’s privacy laws,” she said.
“Everyone is aware of high-profile data breaches in recent years.
“That’s why we have progressed these reforms to ensure individuals are notified of data breaches of Queensland government agencies which are likely to result in serious harm.
“This will empower affected individuals to take action that will reduce the risk of adversity from a data breach.”
The scheme is part of a package of privacy-related changes that aim to align Queensland with the Commonwealth Privacy Act, reforms the right to information framework, and increases criminal sanctions for “misuse of restricted computers”.
“This legislation responds to a wide range of recommendations outlined in several key reports,” D’Ath said.