You are here:

Data Breach Policy

Purpose and Scope

This Data Breach Policy (the Policy) outlines the steps the Office of the Queensland Parliamentary Counsel (OQPC) will take to respond to a data breach including a Suspected Eligible Data Breach to meet obligations under the Information Privacy Act 2009 (IP Act).

Responding to a data breach

Our response to a potential data breach generally follows the steps below:

Step 1: Identifying a data breach

It is the responsibility of all staff members to report a data breach or possible data breach to the Executive Director, Legislation and Business Services and/or Parliamentary Counsel immediately. If the staff member is unsure whether a breach has occurred, they should err on the side of caution and report the incident.  The Executive Director, Legislation and Business Services and/or Parliamentary Counsel should always be the first point of contact if a data breach is suspected.

Step 2: Containing a data breach

Once informed of a possible data breach, the Executive Director, Legislation and Business Services and/or Parliamentary Counsel will take steps to immediately contain the breach and as soon as practicable take remedial action to prevent or lessen the likelihood the breach will result in harm to any individual.

Step 3: Assessing a data breach

The Executive Director, Legislation and Business Services and/or Parliamentary Counsel, with support of the DPC privacy team, must assess whether the data breach is an eligible data breach (see Definitions in section 4).  

To determine whether the breach is an eligible data breach, the Executive Director, Legislation and Business Services and/or Parliamentary Counsel must ascertain whether the information in question is personal information as defined in the IP Act and whether an individual affected by the breach is likely to experience serious harm (see Definitions in section 4). Both limbs must be met for the breach to qualify as ‘eligible.’ Regarding the second limb, harm must be both serious and likely.

Under the IP Act, the assessment must be completed within 30 days, unless the Executive Director, Legislation and Business Services and/or Parliamentary Counsel extends the assessment period and gives written notice to the Information Commissioner of the extension.

Step 4: Notification of a data breach

If the data breach is determined to be an eligible data breach, the Executive Director, Legislation and Business Services and/or Parliamentary Counsel will take steps to notify the Information Commissioner, relevant individuals and other agencies of the breach in accordance with the notification requirements in the IP Act, unless relevant exemptions under the IP Act apply.

In some circumstances, it may be appropriate or necessary to notify other third parties of the breach. This could include the following:

  • Queensland Police Service if the breach appears to involve theft or other criminal activity
  • Crime and Corruption Commission if the breach involves corrupt conduct within the meaning of the Crime and Corruption Act 2001.

Any further notifications will only be made with the approval of the Parliamentary Counsel.

Step 5: Data Breach Register

The Executive Director, Legislation and Business Services and/or Parliamentary Counsel will ensure that appropriate records of the data breach are maintained in the Office’s Data Breach Register in accordance with the IP Act.

Step 6: Post breach review

After a data breach, the circumstances of the breach will be considered by the Executive Director, Legislation and Business Services and/or Parliamentary Counsel for any actions required to prevent a similar breach in the future.

Legislation

Information Privacy Act 2009

Definitions

Term Definition
Data Breach

Data breach of an agency means either of the following in relation to information held by the agency:

  1. unauthorised access to, or unauthorised disclosure of, information; or
  2. the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of the information is likely to occur.

Refer Information Privacy Act 2009, schedule 5 (Dictionary)

Eligible data breach  

An Eligible Data Breach occurs when:

  1. a data breach of an agency occurs in relation to personal information held by the agency; and
  2. the unauthorised access or disclosure of the personal information is likely to result in serious harm to an individual.

Refer Information Privacy Act 2009, section 47

Personal Information

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:

 

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

 

Refer Information Privacy Act 2009, section 12

Serious harm

Serious harm to an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example –

  1. serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or
  2. serious harm to the individual’s reputation because of the access or disclosure.  

Refer Information Privacy Act 2009, schedule 5 (Dictionary)


Last updated 18 June 2026 at 13:27