You are here:
Data Breach Policy
Purpose and Scope
This Data Breach Policy (the Policy) outlines the steps the Office of the Queensland Parliamentary Counsel (OQPC) will take to respond to a data breach including a Suspected Eligible Data Breach to meet obligations under the Information Privacy Act 2009 (IP Act).
Responding to a data breach
Our response to a potential data breach generally follows the steps below:
Step 1: Identifying a data breach
It is the responsibility of all staff members to report a data breach or possible data breach to the Executive Director, Legislation and Business Services and/or Parliamentary Counsel immediately. If the staff member is unsure whether a breach has occurred, they should err on the side of caution and report the incident. The Executive Director, Legislation and Business Services and/or Parliamentary Counsel should always be the first point of contact if a data breach is suspected.
Step 2: Containing a data breach
Once informed of a possible data breach, the Executive Director, Legislation and Business Services and/or Parliamentary Counsel will take steps to immediately contain the breach and as soon as practicable take remedial action to prevent or lessen the likelihood the breach will result in harm to any individual.
Step 3: Assessing a data breach
The Executive Director, Legislation and Business Services and/or Parliamentary Counsel, with support of the DPC privacy team, must assess whether the data breach is an eligible data breach (see Definitions in section 4).
To determine whether the breach is an eligible data breach, the Executive Director, Legislation and Business Services and/or Parliamentary Counsel must ascertain whether the information in question is personal information as defined in the IP Act and whether an individual affected by the breach is likely to experience serious harm (see Definitions in section 4). Both limbs must be met for the breach to qualify as ‘eligible.’ Regarding the second limb, harm must be both serious and likely.
Under the IP Act, the assessment must be completed within 30 days, unless the Executive Director, Legislation and Business Services and/or Parliamentary Counsel extends the assessment period and gives written notice to the Information Commissioner of the extension.
Step 4: Notification of a data breach
If the data breach is determined to be an eligible data breach, the Executive Director, Legislation and Business Services and/or Parliamentary Counsel will take steps to notify the Information Commissioner, relevant individuals and other agencies of the breach in accordance with the notification requirements in the IP Act, unless relevant exemptions under the IP Act apply.
In some circumstances, it may be appropriate or necessary to notify other third parties of the breach. This could include the following:
- Queensland Police Service if the breach appears to involve theft or other criminal activity
- Crime and Corruption Commission if the breach involves corrupt conduct within the meaning of the Crime and Corruption Act 2001.
Any further notifications will only be made with the approval of the Parliamentary Counsel.
Step 5: Data Breach Register
The Executive Director, Legislation and Business Services and/or Parliamentary Counsel will ensure that appropriate records of the data breach are maintained in the Office’s Data Breach Register in accordance with the IP Act.
Step 6: Post breach review
After a data breach, the circumstances of the breach will be considered by the Executive Director, Legislation and Business Services and/or Parliamentary Counsel for any actions required to prevent a similar breach in the future.
Legislation
Information Privacy Act 2009
Definitions
| Term | Definition |
|---|---|
| Data Breach |
Data breach of an agency means either of the following in relation to information held by the agency:
Refer Information Privacy Act 2009, schedule 5 (Dictionary) |
| Eligible data breach |
An Eligible Data Breach occurs when:
Refer Information Privacy Act 2009, section 47 |
| Personal Information |
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:
Refer Information Privacy Act 2009, section 12 |
| Serious harm |
Serious harm to an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example –
Refer Information Privacy Act 2009, schedule 5 (Dictionary) |
Last updated 18 June 2026 at 13:27
