An Act to amend the Coal Mining Safety and Health Act 1999, the Criminal Code, the Information Privacy Act 2009, the Ombudsman Act 2001, the Right to Information Act 2009 and the legislation mentioned in schedule 1 for particular purposes
The Parliament of Queensland enacts—
This Act may be cited as the Information Privacy and Other Legislation Amendment Act 2023.
(1)This Act, other than parts 1A and 6 and schedule 1, part 1, commences on a day to be fixed by proclamation.(2)The Acts Interpretation Act 1954, section 15DA does not apply to this Act.
Part 1A Amendment of Coal Mining Safety and Health Act 1999
This part amends the Coal Mining Safety and Health Act 1999.
2BInsertion of new pt 20, div 11
Part 20—
insert—327Application of sch 3, definition union
(1)Schedule 3, definition union, as in force from the commencement, is taken to have applied from 1 December 2023 for all purposes.(2)To remove any doubt, it is declared that the amendment of schedule 3, definition union by the Information Privacy and Other Legislation Amendment Act 2023, section 2C—(a)has effect only to reflect a change of the union’s name; and(b)does not affect the appointment or funding of industry safety and health representatives under part 8 before the commencement.
2CAmendment of sch 3 (Dictionary)
Schedule 3, definition union—
omit, insert—union means the Mining and Energy Union, Queensland District Branch.
Part 2 Amendment of Criminal Code
This part amends the Criminal Code.See also the amendment in schedule 1, part 2.
4Amendment of s 408E (Computer hacking and misuse)
(1)Section 408E, heading—
omit, insert—(2)Section 408E(1), ‘an offence’—
omit, insert—a misdemeanour
(3) Section 408E(1), penalty, ‘2 years’—
omit, insert—3 years
(4)Section 408E(5), definition benefit, ‘a benefit’—
omit, insert—a benefit, pecuniary or otherwise,
5Insertion of new pt 9, ch 108
Part 9—
insert—(1)This section applies if an act or omission constituting an offence against section 408E happened before the commencement, whether the proceeding for the offence is started before or after the commencement.(2)Section 408E as in force before the commencement continues to apply in relation to the act or omission as if the Information Privacy and Other Legislation Amendment Act 2023, section 4 had not commenced.
Part 3 Amendment of Information Privacy Act 2009
This part amends the Information Privacy Act 2009.See also the amendments in schedule 1, part 2.
Long title, from ‘, and’—
omit.
8Amendment of s 3 (Object of Act)
Section 3(1)—
omit, insert—(1)The primary object of this Act is to provide for the fair collection and handling in the public sector environment of personal information.
Sections 4 and 5—
omit.
10Replacement of s 7 (Relationship with other Acts prohibiting disclosure of information)
Section 7—
omit, insert—7Relationship with other laws regulating personal information
(1)This Act is intended to operate subject to the provisions of other Acts regulating—(a)the collection, storage, handling, accessing, amendment, management, transfer and use of personal information; or(b)the disclosure, within the meaning of section 23, of personal information.(2)Without limiting subsection (1), the operation of QPPs 6.1 and 6.2(d) and the permitted health situation mentioned in schedule 4, section 5 do not override any law with respect to assisted and substituted decision-making, including, for example, the Guardianship and Administration Act 2000 and the Powers of Attorney Act 1998.
11Omission of s 9 (Relationship with Right to Information Act)
Section 9—
omit.
Sections 12 to 14—
omit, insert—12Meaning of personal information
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—(a)whether the information or opinion is true or not; and(b)whether the information or opinion is recorded in a material form or not.13Meaning of held or holds in relation to personal information
Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.
13Replacement of s 15 (Meaning of document otherwise)
Section 15—
omit, insert—In this Act, a document does not include a document to which the privacy principle requirements do not apply.
14Replacement of s 16 (Meaning of document to which the privacy principles do not apply)
Section 16—
omit, insert—16Meaning of document to which the privacy principle requirements do not apply
In this Act, a document to which the privacy principle requirements do not apply means a document mentioned in schedule 1.
15Omission of s 17 (Meaning of agency for ch 3)
Section 17—
omit.
16Amendment of s 18 (Meaning of agency otherwise)
(1)Section 18, heading, ‘otherwise’—
omit.(2)Section 18(1), ‘For this Act, other than for chapter 3,’—
omit, insert—In this Act,
(3)Section 18(2)—
omit, insert—(2)However, in this Act, agency does not include an excluded entity.(4)Section 18—
insert—(4)In this section—excluded entity means—(a)an entity mentioned in schedule 2, part 1; or(b)an entity mentioned in schedule 2, part 2 in relation to the function mentioned in that part.
17Omission of s 19 (Meaning of entity to which the privacy principles do not apply)
Section 19—
omit.
18Amendment of s 20 (Special provision about application of Act other than ch 3 to a Minister)
(1)Section 20, heading, ‘other than ch 3’—
omit.(2)Section 20(2)—
omit.
19Amendment of s 21 (Meaning of public authority)
(1)Section 21(1)(c)(i), from ‘other’—
omit, insert—other government assistance; or
(2)Section 21(1)(c)—
insert—(ia)over which government is in a position to exercise control; or(3)Section 21(1)(c)(ia) to (iii)—
renumber as section 21(1)(c)(ii) to (iv).(4)Section 21(1)(d), ‘subsection (3)’—
omit, insert—subsection (4)
(5)Section 21—
insert—(1B)For subsection (1)(c), an entity may be declared by regulation to be a public authority for this Act in relation to only a part of the entity’s functions.(6)Section 21(1B) to (4)—
renumber as section 21(2) to (5).
20Amendment of s 23 (What it means to disclose personal information and to use personal information)
(1)Section 23(1)—
omit.(2)Section 23(4), ‘Subsection (3)’—
omit, insert—Subsection (2)
(3)Section 23(2) to (5)—
renumber as section 23(1) to (4).
Sections 24 and 25—
omit, insert—24References to doing an act or engaging in a practice
In this Act, a reference to doing an act or engaging in a practice in contravention of a requirement includes a reference to a failure to act or a failure to engage in a practice in contravention of the requirement.
22Replacement of s 26 (Information Privacy Principles)
Section 26—
omit, insert—26Queensland privacy principles
(1)Each Queensland privacy principle (QPP) is set out in schedule 3.(2)In this Act, a reference to a QPP followed by a number is a reference to the provision of schedule 3 having that number.
23Amendment of s 27 (Agencies to comply with IPPs)
(1)Section 27, heading, ‘IPPs’—
omit, insert—QPPs
(2)Section 27(1) and (2)—
omit, insert—(1)An agency must comply with the QPPs.For the application of the Act in relation to a Minister, see also section 20.(2)Without limiting subsection (1), the agency must not do an act or engage in a practice that contravenes, or is otherwise inconsistent with, a requirement of a QPP.
24Amendment of s 28 (Noncompliance with particular IPPs)
(1)Section 28, heading, ‘IPPs’—
omit, insert—QPPs
(2)Section 28(1), ‘prescribed IPP’—
omit, insert—prescribed QPP
(3)Section 28(2)—
omit, insert—(2)In this section—prescribed QPP means QPP 6 or 10.2.publish, for personal information, means publish the information by way of television, newspaper, radio, internet or other form of communication.
25Amendment of s 29 (Special provision for law enforcement agencies)
(1)Section 29(1), ‘IPP 2, 3, 9, 10 or 11’—
omit, insert—QPP 3.6, 5, 6 or 10.1
(2)Section 29(1), ‘the IPP’—
omit, insert—the QPP
26Omission of ch 2, pt 2 (Compliance with NPPs)
Chapter 2, part 2—
omit.
27Replacement of ch 2, pt 3, hdg (Transfer of personal information outside Australia)
Chapter 2, part 3, heading—
omit, insert—
28Amendment of s 33 (Transfer of personal information outside Australia)
(1)Section 33, heading, ‘Transfer’—
omit, insert—Disclosure
(2)Section 33, ‘may transfer’—
omit, insert—may disclose
(3)Section 33, ‘the transfer’—
omit, insert—the disclosure
(4)Section 33(d)(iv), ‘transfers’—
omit, insert—discloses
(5)Section 33(d)(i) and (iv), ‘IPPs or, if the agency is a health agency, the NPPs’—
omit, insert—QPPs
29Replacement of ch 2, pt 4, hdg (Compliance with parts 1 to 3 by contracted service providers)
Chapter 2, part 4, heading—
omit, insert—
30Amendment of s 35 (Binding a contracted service provider to privacy principles)
(1)Section 35, heading, ‘principles’—
omit, insert—principle requirements
(2)Section 35(1), ‘part 1 or 2 and part 3’—
omit, insert—parts 1 and 2 and section 41
31Amendment of s 36 (Bound contracted service provider to comply with privacy principles)
(1)Section 36, heading, ‘principles’—
omit, insert—principle requirements
(2)Section 36(1), ‘part 1 or 2 and part 3’—
omit, insert—parts 1 and 2 and section 41
(3)Section 36(3), ‘part 1 or 2 and part 3’—
omit, insert—the privacy principle requirements
32Amendment of s 38 (Personal information relevant to portfolio responsibilities)
Section 38, ‘IPPs or NPPs’—
omit, insert—QPPs
33Replacement of ch 3 (Disclosure and amendment by application under this Act)
Chapter 3—
omit, insert—(1)A QPP code is a written code of practice about information privacy, approved by regulation under section 43, that states—(a)how 1 or more of the QPPs are to be applied or complied with; and(b)the agencies that are bound by the code, or a way of determining the agencies that are bound by the code.(2)A QPP code may also impose additional requirements to those imposed by a QPP, to the extent the additional requirements are not inconsistent with a QPP.(3)A QPP code expires on the earlier of the following days—(a)the day that is 5 years after the day the QPP code is approved under section 43;(b)if the QPP code states an expiry day—the stated day.41Agencies must comply with QPP codes
An agency must not do an act, or engage in a practice, that contravenes a QPP code that is in effect and binds the agency.(1)The information commissioner or an agency may prepare a draft QPP code or draft amendment of a QPP code and submit the draft to the Minister for endorsement.(2)However, before the information commissioner or agency submits the draft code or amendment to the Minister, the commissioner or agency must—(a)publish the draft on an accessible agency website; and(b)invite the public to make submissions to the commissioner or agency about the draft within a stated period of at least 20 business days; and(c)consider any submissions made within the stated period.(3)An agency must, immediately after publishing a draft QPP code or draft amendment of a QPP code under subsection (2), notify the information commissioner of the publication.43Approval of QPP codes or amendments of QPP codes
(1)This section applies if a draft QPP code or draft amendment of a QPP code is submitted to the Minister under section 42.(2)If the draft is submitted by an agency, the Minister must ask the information commissioner for submissions about the draft.(3)The Minister must decide to endorse or refuse to endorse the draft, having regard to—(a)any submissions made by the information commissioner; and(b)any other relevant matter.(4)If the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the QPP code or amended QPP code.(5)The QPP code or amended QPP code—(a)does not take effect unless it is approved by regulation; and(b)takes effect on the day prescribed by regulation for the code or amended code.(6)The information commissioner must, as soon as practicable after a regulation approving a QPP code or amended QPP code is made, publish the code or amended code on the commissioner’s website.(1)The information commissioner may—(a)prepare a draft guideline about the collection, use or disclosure of personal information to assist an entity locate a person who has been reported as missing; and(b)submit the draft to the Minister for endorsement.(2)However, before the information commissioner submits the draft guideline to the Minister, the commissioner must—(a)publish the draft on the commissioner’s website; and(b)invite the public to make submissions to the commissioner about the draft within a stated period of at least 20 business days; and(c)consider any submissions made within the stated period.(1)This section applies if a draft guideline is submitted to the Minister under section 44.(2)The Minister must decide to endorse or refuse to endorse the draft.(3)If the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the guideline.(4)The guideline—(a)does not take effect unless it is approved by regulation; and(b)takes effect on the day prescribed by regulation for the guideline; and(c)expires 5 years after the day mentioned in paragraph (b).(5)The information commissioner must, as soon as practicable after a regulation approving a guideline is made under this section, publish the guideline on the commissioner’s website.This chapter applies in relation to personal information, other than personal information in a document to which the privacy principle requirements do not apply, held by an agency.47Meaning of eligible data breach
(1)An eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if—(a)both of the following apply—(i)the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;(ii)the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or(b)the data breach involves the personal information being lost in circumstances where—(i)unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and(ii)if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).(2)For subsection (1)(a)(ii) and (b)(ii), the matters are—(a)the kind of personal information accessed, disclosed or lost; and(b)the sensitivity of the personal information; and(c)whether the personal information is protected by 1 or more security measures; and(d)if the personal information is protected by 1 or more security measures—the likelihood that any of those security measures could be overcome; and(e)the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and(f)the nature of the harm likely to result from the data breach; and(g)any other relevant matter.48Obligations of agencies in relation to data breaches
(1)This section applies in relation to a data breach of an agency if the agency knows, or reasonably suspects, that the data breach is an eligible data breach of the agency.(2)The agency must—(a)immediately, and continue to, take all reasonable steps to—(i)contain the data breach; and(ii)mitigate the harm caused by the data breach; and(b)if the agency does not know whether the data breach is an eligible data breach of the agency—assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.(3)An assessment under subsection (2)(b) must be completed within—(a)30 days after the suspicion mentioned in subsection (1) was formed; or(b)if the period mentioned in paragraph (a) is extended under section 49—the extended period.(4)If, at any time, the agency becomes aware the data breach may affect another agency, the agency must give a written notice to the other agency of the data breach that includes—(a)a description of the data breach; and(b)a description of the kind of personal information the subject of the data breach, without including any personal information in the description.(5)The agency need not comply with subsections (2)(b) and (3) in relation to the data breach if—(a)all of the personal information the subject of the data breach is also the subject of a data breach of 1 or more other agencies; and(b)at least 1 of the other agencies has undertaken to conduct the assessment in relation to the data breach.49Extension of period for assessment by agency
(1)This section applies if an agency required to conduct an assessment under section 48 is satisfied the assessment can not reasonably be completed within the 30 day period mentioned in section 48(3)(a).(2)The agency may extend the period within which the assessment must be completed by no longer than the period reasonably required for the agency to complete the assessment.(3)If the period is extended under subsection (2), the agency must, within the 30 day period mentioned in section 48(3)(a)—(a)start the assessment; and(b)give a written notice to the information commissioner stating—(i)that the assessment has started; and(ii)the period within which the assessment must be completed has been extended under this section; and(iii)the day the extended period ends.(4)The information commissioner may ask the agency to provide further information or updates about the progress of the assessment.(1)This part applies if an agency reasonably believes that there has been an eligible data breach of the agency.(2)However, division 2 does not apply in relation to the agency to the extent an exemption applies to the agency under division 3.51Agency must give statement about eligible data breach to information commissioner
(1)The agency must, as soon as practicable after forming the belief mentioned in section 50—(a)prepare a statement that includes the information stated in subsection (2); and(b)give the statement to the information commissioner.(2)For subsection (1)(a), the statement must, to the extent it is reasonably practicable, include the following information—(a)the information that must be included in a notification given under section 53(2)(a) to (e), (h) and (i);(b)a description of the kind of personal information the subject of the data breach, without including any personal information in the description;(c)the agency’s recommendations about the steps individuals should take in response to the data breach;(d)whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies;(e)the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following—(i)the individuals whose personal information has been accessed, disclosed or lost;(ii)affected individuals for the data breach;(f)either—(i)the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number; or(ii)if section 57 is relied on, the total number of individuals who would have been notified if that section had not been relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number;(g)whether the individuals notified have been advised about how to make a privacy complaint to the agency under section 166A.52Further information to be provided
(1)This section applies if it is not reasonably practicable to include any information required under section 51 when the statement is given to the information commissioner under that section, including, for example, the total number of individuals mentioned in section 51(2)(e) or (f).(2)The agency must take all reasonable steps to provide the information to the commissioner as soon as practicable after the statement is given.53Agencies must notify particular individuals
(1)The agency must, as soon as practicable after the belief mentioned in section 50 is formed—(a)if it is reasonably practicable to notify each individual whose personal information has been accessed, disclosed or lost—take reasonable steps to notify each individual of the information mentioned in subsection (2); or(b)if paragraph (a) does not apply and it is reasonably practicable to notify each affected individual for the data breach—take reasonable steps to notify each affected individual of the information mentioned in subsection (2); or(c)if paragraphs (a) and (b) do not apply—publish the information mentioned in subsection (2) on an accessible agency website for a period of at least 12 months, other than information that would prejudice the agency’s functions.(2)A notification under subsection (1) must, to the extent it is reasonably practicable, include the following information—(a)the name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;(b)the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;(c)the date the data breach occurred;(d)a description of the data breach, including the type of eligible data breach under section 47;(e)information about how the data breach occurred;(f)for a notification under subsection (1)(a) or (b)—(i)a description of the personal information the subject of the data breach; and(ii)the agency’s recommendations about the steps the individual should take in response to the data breach;(g)for a notification under subsection (1)(c)—(i)a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and(ii)the agency’s recommendations about the steps individuals should take in response to the data breach;(h)if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;(i)the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;(j)information about how an individual may make a privacy complaint to the agency under section 166A.(3)The agency must, as soon as practicable after a notice is published under subsection (1)(c), provide the information commissioner with information about how to access the notice.(4)The information commissioner must, after receiving the information under subsection (3), publish on the commissioner’s website information about how to access the notice for a period of at least 12 months.54Particular agencies may collect, use and disclose relevant personal information for notification
(1)A regulation may prescribe—(a)an agency (a disclosing agency) that may, under this section, disclose relevant personal information to another agency; and(b)an agency (a receiving agency) that may, under this section, collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.(2)A disclosing agency may disclose relevant personal information held by the agency to a receiving agency if the receiving agency is the subject of an eligible data breach.(3)The receiving agency may collect and use relevant personal information from a disclosing agency, and disclose relevant personal information to the disclosing agency, if it is reasonably necessary for the purpose of confirming—(a)the name and contact details of a notifiable individual; or(b)whether a notifiable individual is deceased.(4)A disclosing agency or receiving agency is not required to comply with a QPP in relation to the disclosure, collection or use of relevant personal information under this section.(5)For subsection (2), an eligible data breach includes—(a)a data breach that an agency reasonably believes is an eligible data breach; and(b)a suspected data breach of an agency mentioned in section 61(1), whether or not the information commissioner has made a recommendation under section 61(4).(6)If a disclosing agency may, under an Act, enter into an arrangement and charge a fee for the provision of personal information kept by the agency under that Act, the agency may do so under that Act in relation to personal information that may be disclosed under this section.(7)In this section—identifier, for an individual, means an identifier other than solely the individual’s name, including, for example, a number, that is—(a)assigned to the individual in relation to the individual’s personal information by an entity for the purpose of uniquely identifying that individual, whether or not it is subsequently used other than in relation to the personal information; or(b)adopted, used or disclosed in relation to the individual’s personal information by an entity for the purpose of uniquely identifying the individual.notifiable individual means—(a)an individual mentioned in section 53(1)(a) or (b); or(b)an individual the information commissioner recommends should be notified under section 61(4).relevant personal information means the following information about an individual—(a)the name of the individual;(b)the contact details of the individual;(c)the date of birth of the individual;(d)an identifier for the individual;(e)if the individual is deceased—the date of the individual’s death.55Exemption—investigations and proceedings
An agency need not comply with division 2 to the extent complying with that division is likely to prejudice—(a)an investigation that could lead to the prosecution of an offence; or(b)proceedings before a court or tribunal.56Exemption—eligible data breach of more than 1 agency
(1)This section applies if—(a)an agency is not required to comply with requirements about assessing a data breach under section 48(2)(b) and (3) because section 48(5) applies to the agency; and(b)another agency is required to comply with division 2 in relation to the data breach.(2)The agency need not comply with division 2 in relation to the data breach.57Exemption—agency has taken remedial action
(1)This section applies in relation to an eligible data breach of an agency if—(a)for a data breach involving unauthorised access to, or disclosure of, personal information—(i)the agency takes action to mitigate the harm caused by the data breach; and(ii)the action is taken before the access or disclosure results in serious harm to any individual; and(iii)as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or(b)for a data breach involving the loss of personal information—(i)the agency takes action to mitigate the loss; and(ii)the action is taken before there is unauthorised access to, or disclosure of, the personal information; and(iii)as a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or(c)for a data breach involving the loss of personal information—(i)the agency takes action to mitigate the loss; and(ii)the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and(iii)as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.(2)The agency need not comply with section 53 in relation to the eligible data breach.58Exemption—inconsistency with confidentiality provision
An agency need not comply with division 2 in relation to an eligible data breach of the agency to the extent the compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information.59Exemption—serious risk of harm to health or safety
(1)An agency need not comply with section 53 in relation to an eligible data breach to the extent compliance would create a serious risk of harm to an individual’s health or safety, having regard to, for example—(a)whether the harm caused by complying with division 2 is greater than the harm of not complying with that division; and(b)the currency of the information relied on.(2)If an agency relies on this section, the agency must give a written notice to the information commissioner stating—(a)the extent to which the agency is exempt from complying with division 2 under this section; and(b)whether or not the exemption is permanent or temporary; and(c)if the exemption is temporary—when the agency expects the exemption will stop applying.60Exemption—compromise to cybersecurity
(1)An agency need not comply with section 53 in relation to an eligible data breach if compliance is likely to—(a)compromise or worsen the agency’s cybersecurity; or(b)lead to further data breaches of the agency.(2)The exemption applies only for the period during which a matter mentioned in subsection (1)(a) or (b) continues to apply for the agency in relation to the eligible data breach.(3)If an agency relies on this section, the agency must give a written notice to the information commissioner stating—(a)the agency is exempt from complying with division 2 under this section; and(b)when the agency expects the exemption will stop applying; and(c)how the agency will review the application of the exemption.(4)The agency must—(a)review the application of the exemption each month for the period during which the exemption is relied on; and(b)give the commissioner a summary of the review as soon as practicable after it is completed.61Information commissioner may direct agency to give statement and make recommendations
(1)This section applies if the information commissioner reasonably suspects a data breach of an agency may be an eligible data breach of the agency.(2)The information commissioner may, after complying with subsections (5) and (6), direct the agency by written notice to prepare and give to the commissioner a statement providing the following information—(a)the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;(b)a description of the data breach, including the kind of personal information involved in the data breach;(c)recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach;(d)any other information related to the data breach requested by the commissioner.(3)The agency must comply with the direction.(4)If a direction is given under subsection (2), the information commissioner may also, after complying with subsections (5) and (6), recommend to the agency that the agency notify individuals under section 53 as if the agency reasonably believed the data breach were an eligible data breach.(5)Before giving a direction under subsection (2) or making a recommendation under subsection (4), the information commissioner must invite the agency to make a submission to the commissioner, within a reasonable period, about the data breach.(6)Without limiting the matters the information commissioner may consider, in deciding whether to give a direction under subsection (2) or make a recommendation under subsection (4), the information commissioner must have regard to the following—(a)any advice given to the information commissioner by a law enforcement agency;(b)any submission made by the agency under subsection (5).The functions of an authorised officer are to monitor and investigate whether an occasion has arisen for the exercise of the information commissioner’s powers that relate to an agency’s compliance with this chapter.The information commissioner may, by instrument in writing, appoint an appropriately qualified person as an authorised officer.(1)The information commissioner must issue an identity card to each authorised officer.(2)The identity card must—(a)contain a recent photo of the authorised officer; and(b)contain a copy of the signature of the information commissioner and authorised officer; and(c)identify the person as an authorised officer under this part; and(d)state an expiry date for the card.65Production or display of identity card
(1)In exercising a power in relation to a person in the person’s presence or by audio visual link, an authorised officer must—(a)produce the authorised officer’s identity card for the person’s inspection before exercising the power; or(b)have the identity card displayed so it is clearly visible to the person when exercising the power.(2)However, if it is not practicable to comply with subsection (1), the authorised officer must produce the identity card for the person’s inspection at the first reasonable opportunity.If the office of a person as an authorised officer ends, the person must return the person’s identity card to the information commissioner within 15 business days after the office ends unless the person has a reasonable excuse.Maximum penalty—10 penalty units.
67General power to enter places occupied by agency
An authorised officer may enter an agency’s place of business, or another place occupied by the agency, if either of the following apply—(a)the agency has consented to the commissioner’s request for entry made under section 68;(b)the agency has failed to consent to the commissioner’s request for entry made under section 68, and the entry is made in compliance with the notice given for the entry under section 68(2).68Information commissioner must give written notice of entry
(1)Before an authorised officer enters a place occupied by an agency under section 67, the information commissioner must, by written notice, ask the agency to consent to an authorised officer entering the place.(2)The notice must—(a)explain the purpose of the entry, including the powers intended to be exercised; and(b)propose a reasonable date and time for the entry; and(c)ask for the agency’s principal officer’s written consent to the entry to be given to the information commissioner within a stated reasonable period; and(d)if the place is the agency’s place of business, state that if the written consent is not given to the commissioner within the stated period, an authorised officer may enter the place on a stated reasonable date and at a stated reasonable time when the place—(a)is open for carrying on the business; or(b)is otherwise open for entry.(3)If the notice is given to an agency, the agency must take all reasonable steps to facilitate entry by an authorised officer on the date and time consented to or stated under subsection (2)(d).Maximum penalty—100 penalty units.
(4)For subsection (2)(d), an agency’s place of business does not include a part of the place where a person resides.(1)If an authorised officer enters a place under section 67, the authorised officer may do the following—(a)require a person at the place who has the necessary skills or knowledge to demonstrate the data handling systems and practices of the agency that relate to the agency’s compliance with this chapter;(b)inspect a document that is relevant to the systems, policies and practices of the agency that relate to the agency’s compliance with this chapter;(c)remain at the place for the time necessary to achieve the purpose of the entry.(2)Also, if the agency agrees, an authorised officer may exercise a power mentioned in subsection (1)(a) or (b) by audio visual link provided by the agency.(3)In this section—audio visual link means facilities that enable reasonably contemporaneous and continuous audio and visual communication between persons at different places and includes videoconferencing.70Power to require reasonable help
(1)If an authorised officer enters a place occupied by an agency under section 67, the authorised officer may require a person at the place to give the authorised officer reasonable help to exercise a power under that section, including, for example, to demonstrate data handling systems and practices or produce a document.(2)When making a requirement under subsection (1), the authorised officer must give the person an offence warning for the requirement.(3)In this section—offence warning, for a requirement made by an authorised officer under subsection (1), means a warning that, without a reasonable excuse, it is an offence for the person of whom the requirement is made not to comply with the requirement.71Offence to contravene help requirement
(1)A person of whom a requirement is made under section 70(1) must comply with the requirement unless the person has a reasonable excuse.Maximum penalty—100 penalty units.
(2)It is a reasonable excuse for an individual not to comply with a requirement under section 70(1) if complying with the requirement might—(a)tend to incriminate the individual or expose the individual to a penalty; or(b)result in the disclosure of information that is the subject of legal professional privilege; or(c)result in the disclosure of confidential information in contravention of a law.(3)However, subsection (2) does not apply if a document or information the subject of the help requirement is required to be held or kept by the individual under this Act.See, however, section 74.(1)An agency must keep a register of eligible data breaches of the agency.(2)The register must include the following information for each eligible data breach—(a)a description of the eligible data breach, including the type of data breach under section 47;(b)if a statement is required for the eligible data breach under section 51—the date the statement is provided;(c)if further information about the eligible data breach is required to be given to the information commissioner under section 52—each date the further information is given;(d)if individuals are notified of the eligible data breach under section 53(1)(a) or (b)—the individuals notified and the date and method used to notify the individuals;(e)if the agency relied on an exemption under part 3, division 3—the exemption relied on;(f)details of the steps taken by the agency to—(i)contain the eligible data breach under section 48(2)(a) or (4)(a); and(ii)mitigate the harm caused by the eligible data breach under section 48(4)(a);(g)details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.(3)If it is not practicable to include any or all of the information mentioned in subsection (2) for an eligible data breach at a particular time, the agency must record the information in the register as soon as it is practicable to do so.73Agency must publish data breach policy
(1)An agency must prepare and publish a policy about how it will respond to a data breach, including a suspected eligible data breach, of the agency.(2)The policy must be published on an accessible agency website.74Evidential immunity for individuals complying with particular requirements
(1)Subsection (2) applies if an individual gives information to an authorised officer under section 69 or 70(1).(2)Evidence of the information, and other evidence directly or indirectly derived from the information, is not admissible against the individual in any proceeding to the extent it tends to incriminate the individual, or expose the individual to a penalty, in the proceeding.(3)Subsection (2) does not apply to a proceeding about the false or misleading nature of the information or anything in which the false or misleading nature of the information is relevant evidence.
34Amendment of s 134 (Information commissioner not subject to direction)
(1)Section 134(1)(a), ‘section 135, 136 or 137’—
omit, insert—section 135 or 136
(2)Section 134(1)(b), ‘and reviews’—
omit, insert—, reviews, audits mentioned in section 135(1)(b)(iii) and privacy complaints
35Amendment of s 135 (Performance monitoring and support functions)
(1)Section 135, heading, after ‘monitoring’—
insert—, investigation
(2)Section 135(1)(a)(i) and (ii)—
omit, insert—(i)conducting—(A)reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or(B)reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and(ii)investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and(3)Section 135(1)(b)(i), ‘the privacy principles’—
omit, insert—this Act
(4)Section 135(1)(b)(iii)—
omit, insert—(iii)monitor and audit relevant entities’ compliance with this Act; and(5)Section 135(1)(b)—
insert—(vii)prepare, or assist in the preparation of, QPP codes; and(viii) assist relevant entities in complying with obligations under QPP codes; and(ix)prepare guidelines for permitted general situations under chapter 3, part 2; and(6)Section 135(1)(c)—
omit, insert—(c)issuing guidelines under section 138; and(7)Section 135(1)(d), from ‘applicants’ to ‘Act,’—
omit, insert—complainants for privacy complaints,
(8)Section 135(1)—
insert—(e)if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter.(9)Section 135(2), definition relevant entity—
omit.(10)Section 135(2)—
insert—reportable matter means—(a)a review or investigation under subsection (1)(a); or(b)an audit under subsection (1)(b)(iii).
36Amendment of s 136 (Decision-making functions)
(1)Section 136(a)—
omit, insert—(a)waiving or modifying—(i)an obligation of a relevant entity to comply with the privacy principle requirements; or(ii)an obligation of an agency to comply with chapter 3A, part 2 or 3 or section 72 or 73; and(2)Section 136(c)—
omit.(3)Section 136(d)—
renumber as section 136(c).
37Omission of s 137 (External review functions)
Section 137—
omit.
38Replacement of s 138 (Guidelines under Right to Information Act)
Section 138—
omit, insert—(1)The information commissioner may issue a guideline about any matter relating to the information commissioner’s functions, including, for example, guidelines about—(a)the interpretation and administration of this Act; and(b)best practice for relevant entities in relation to information privacy generally; and(c)the application of the privacy principle requirements, including the factors to be considered in determining whether the QPPs are being complied with.(2)To remove any doubt, it is declared that—(a)this section does not limit the information commissioner’s power to make guidelines under the Right to Information Act, section 132; and(b)a guideline issued under that Act may include guidelines relating to the information commissioner’s functions under this Act.
39Amendment of ch 4, pt 5, hdg (Waiving or modifying privacy principles obligations in the public interest)
Chapter 4, part 5, heading, ‘privacy principles’—
omit, insert—particular
40Amendment of s 157 (Waiver or modification approval)
(1)Section 157, heading—
omit, insert—157Applying for waiver or modification of particular obligations
(2)Section 157(1)—
omit, insert—(1)A relevant entity may apply to the information commissioner for an approval that waives or modifies an obligation of the entity to comply with—(a)the privacy principle requirements; or(b)for an agency—chapter 3A, part 2 or 3 or section 72 or 73.(3)Section 157(2), ‘the agency’s obligation to comply with the privacy principles’—
omit, insert—an obligation mentioned in subsection (1)
(4)Section 157(4) and (5)—
omit, insert—(4)The commissioner may give an approval under this section for an obligation only if the commissioner is satisfied that the public interest in the relevant entity’s compliance with the obligation is outweighed by the public interest in waiving or modifying the entity’s compliance with the obligation to the extent stated in the approval.(5)While an approval is in force, the relevant entity does not contravene this Act in relation to the obligation the subject of the approval if the entity acts in accordance with the approval.(5)Section 157(7)—
omit.
41Amendment of s 158 (Compliance notice)
(1)Section 158(1), from ‘an agency a notice’ to ‘that the agency’—
omit, insert—a relevant entity a notice (a compliance notice) if the commissioner is satisfied on reasonable grounds that the entity
(2)Section 158(1)(a)—
omit, insert—(a)has done an act or engaged in a practice in contravention of a relevant obligation; and(3)Section 158(2), ‘an agency’—
omit, insert—a relevant entity
(4)Section 158—
insert—(3)In this section—relevant obligation means an obligation to comply with—(a)the privacy principle requirements; or(b)for an agency—(i)chapter 3A, part 2 or 3; or(ii)a direction given to the agency under section 61(2); or(iii)section 72 or 73.
42Amendment of s 159 (Extension of time for compliance)
(1)Section 159(1), ‘An agency’—
omit, insert—A relevant entity
(2)Section 159(3)(a) and (b), ‘agency’—
omit, insert—relevant entity
43Amendment of s 160 (Agency must comply with notice)
(1)Section 160, heading, ‘Agency’—
omit, insert—Relevant entity
(2)Section 160, ‘An agency’—
omit, insert—A relevant entity
44Amendment of s 161 (Application to Queensland Civil and Administrative Tribunal for review of decision to give compliance notice)
(1)Section 161(1), ‘An agency’—
omit, insert—A relevant entity
(2)Section 161(1), ‘the agency’—
omit, insert—the entity
45Amendment of s 162 (Parties to QCAT proceeding)
Section 162, ‘The agency given a compliance notice’—
omit, insert—The relevant entity given a compliance notice under this part
46Amendment of s 163 (How QCAT may dispose of review)
Section 163, ‘an agency’—
omit, insert—a relevant entity
47Replacement of s 164 (Meaning of privacy complaint)
Section 164—
omit, insert—164Meaning of privacy complaint
(1)A privacy complaint is a complaint by an individual about an act done or practice engaged in by a relevant entity in relation to the individual’s personal information that may be a breach of the relevant entity’s obligation to comply with—(a)the privacy principle requirements; or(b)for an agency—chapter 3A, part 2 or 3.(2)However, a privacy complaint does not include a complaint in relation to the individual’s personal information to the extent the personal information is—(a)in a document to which this Act does not apply; or(b)if the personal information is held by a bound contracted service provider—in a document held by the provider other than for the purpose of performing its obligations under the provider’s service arrangement.164A Response period for privacy complaints
(1)The response period for a privacy complaint made to a relevant entity is—(a)the period of 45 business days after the day the privacy complaint is received by the relevant entity; or(b)if the relevant entity asks the complainant for a longer period under subsection (2)—the period during which, under subsection (4), the relevant entity may continue to consider the privacy complaint, in addition to the period mentioned in paragraph (a).(2)The relevant entity may, before the end of a response period under subsection (1), ask the complainant for a further specified period to consider the complaint.(3)A request under subsection (2) may be made more than once.(4)If the relevant entity makes a request under subsection (2), the relevant entity may continue to consider the complaint and respond to it until—(a)the complainant refuses the request; or(b)the relevant entity receives a notice that the complainant has made a privacy complaint to the information commission; or(c)the further specified period requested under subsection (2) ends.
48Amendment of s 166 (Requirements for privacy complaint)
(1)Section 166, heading, after ‘complaint’—
insert—to information commissioner
(2)Section 166(1)(c), ‘act or practice complained of’—
omit, insert—act or practice the subject of the complaint
(3)Section 166(3)—
omit, insert—(3)However, an individual may not make a privacy complaint to the commissioner unless—(a)the individual has first made a privacy complaint to the relevant entity under section 166A; and(b)either—(i)the individual does not consider the relevant entity’s response to the complaint to be adequate; or(ii)the response period for the complaint has ended and the individual has not received a response to the complaint.
After section 166—
insert—166A Requirements for privacy complaint to relevant entity
(1)A privacy complaint made to a relevant entity by an individual must—(a)be in writing; and(b)state an address to which the entity may respond to the complaint; and(c)give particulars of the act or practice the subject of the complaint; and(d)be made within 12 months after the complainant becomes aware of the act or practice the subject of the complaint, or a longer period agreed by the relevant entity.(2)The relevant entity may agree to a longer period under subsection (1)(d) if the relevant entity is satisfied the extension is reasonable in the circumstances.(3)The relevant entity must give reasonable help to the individual to put the complaint in writing.
50Amendment of s 168 (Information commissioner may decline to deal with or to deal further with complaint)
Section 168(1)(f)—
omit, insert—(f)12 months have elapsed since the earlier of the following days—(i)the last day of the response period for the complaint;(ii)the day the relevant entity responds to the complaint or part.
After section 173—
insert—173A Confidentiality of mediation
Nothing said or done in the course of a mediation of a privacy complaint is admissible in any criminal, civil or administrative proceeding, unless the complainant and respondent for the complaint agree.
52Amendment of s 175 (Advice to parties)
Section 175(b)—
omit, insert—(b)that the complainant may ask the commissioner to refer the privacy complaint to QCAT under section 175A.
After section 175—
insert—175A Complainant’s request for referral to Queensland Civil and Administrative Tribunal
(1)Within 20 business days after the date of the notice given under section 175, the complainant may, by written notice given to the information commissioner, ask the commissioner to refer the privacy complaint to QCAT.(2)The information commissioner may, if asked by the complainant, extend the period mentioned in subsection (1) if the commissioner is satisfied extending the period is reasonable in all the circumstances.(3)If the information commissioner extends the period under subsection (2), the commissioner must give a written notice to the complainant and the respondent for the privacy complaint stating the new period within which the complainant may give notice under subsection (1).
54Amendment of s 176 (Referral to Queensland Civil and Administrative Tribunal)
Section 176(1)—
omit, insert—(1)If the complainant gives written notice to the information commissioner under section 175A, the commissioner must refer the privacy complaint to QCAT within 20 business days after receiving the written notice.
55Amendment of s 178 (How QCAT may dispose of complaint)
(1)Section 178(a), (b) and (c), ‘the complaint, or a part of the complaint’—
omit, insert—the breach the subject of the complaint, or part of the complaint
(2)Section 178(a)(i)—
omit, insert—(i)that the respondent must not repeat or continue the act or practice the subject of the complaint;(3)Section 178(a)(iii)—
omit, insert—(iii)that the respondent must apologise to the complainant for the act or practice the subject of the complaint;(4)Section 178(a)(v)—
omit, insert—(v)that the respondent is liable to pay the complainant a stated amount, of not more than $100,000 to compensate the complainant for loss or damage suffered by the complainant because of the act or practice the subject of the complaint, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;
56Amendment of s 179 (Access—protection against actions for defamation or breach of confidence)
(1)Section 179(1)—
omit, insert—(1)If a person has been given access to a document and the access was required or permitted to be given under this Act—(a)no action for defamation or breach of confidence lies against the State, an agency or an officer of an agency because of the authorising or giving of the access; and(b)no action for defamation or breach of confidence in relation to any publication involved in, or resulting from, the giving of the access lies against the author of the document or another person because of the author or another person having given the document to an agency.(2)Section 179(2), from ‘(including’ to ‘principles’—
omit, insert—in compliance with the privacy principle requirements
(3)Section 179(3)—
omit.
57Omission of s 180 (Publication—protection against actions for defamation or breach of confidence)
Section 180—
omit.
58Replacement of s 181 (Access—protection in respect of offences)
Section 181—
omit, insert—181Access—protection in respect of offences
If access has been given to a document and the access was required or permitted to be given under this Act, neither the person authorising the access nor any other person concerned in the giving of the access commits a criminal offence merely because of the authorising or giving of the access.
59Omission of s 182 (Publication—protection in respect of offences)
Section 182—
omit.
60Amendment of s 183 (Protection of agency, information commissioner etc. from personal liability)
(1)Section 183(3), definition relevant entity, paragraph (c)—
omit.(2)Section 183(3), definition relevant entity, paragraphs (d) to (f)—
renumber as section 183(3), definition relevant entity, paragraphs (c) to (e).
61Amendment of s 185 (Unlawful access)
Section 185(2)—
omit.
62Amendment of s 186 (False or misleading information)
(1)Section 186(1), ‘the information commissioner, or a member of the staff of the OIC,’—
omit, insert—an official
(2)Section 186(2)(a), ‘commissioner or member’—
omit, insert—official
(3)Section 186(2)(b), ‘commissioner or member’—
omit, insert—the official
(4)Section 186—
insert—(4)In this section—official means—(a)the information commissioner; or(b)a member of the staff of the OIC; or(c)an authorised officer.
63Replacement of s 187 (Failure to produce documents or attend proceedings)
Section 187—
omit, insert—187Failure to give information or attend proceedings
(1)A person given notice under section 197 to give information to, or attend before, the information commissioner must not, without reasonable excuse, fail to do so.Maximum penalty—100 penalty units.
(2)If the person is an individual and is given notice to give information, it is a reasonable excuse for the person to fail to give the information if complying with the requirement might tend to incriminate the person or expose the person to a penalty.(3)Subsection (2) does not apply in relation to information that is in a document required to be kept by the person under this Act.
64Amendment of s 188 (Disclosure or taking advantage of information)
(1)Section 188(b), ‘himself or herself’—
omit, insert—themself
(2)Section 188—
insert—(2)Subsection (1)(a) does not apply if the person reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety.
65Omission of ch 7, pt 1 (Archival documents)
Chapter 7, part 1—
omit.
66Amendment of s 193 (Reports of information commissioner)
Section 193(1)—
omit, insert—(1)The information commissioner may make a report to the Speaker on matters relating to—(a)the findings of a reportable matter under section 135(2); or(b)the performance of any other function of the commissioner.
67Replacement of s 194 (Report to Assembly on Act’s operation)
Section 194—
omit, insert—194Report to Assembly on Act’s operation
(1)An agency or Minister must, as soon as practicable after the end of each financial year, give the information commissioner the information prescribed by regulation about the operation of this Act in relation to the agency or Minister during that year.(2)The information commissioner must, as soon as practicable after receiving the information mentioned in subsection (1), prepare a report on the operation of this Act during that year and give the report to the parliamentary committee.(3)A report under subsection (2) must include, in relation to the financial year to which it relates, details of the matters prescribed by regulation.(4)The chair of the parliamentary committee must table a report received under subsection (2) in the Assembly within 3 sitting days after the committee receives the report.(5)A report under this section may be included as part of a report prepared by the information commissioner and given and tabled under the Right to Information Act, section 185.
68Amendment of s 195 (Functions of parliamentary committee)
(1)Section 195(c)—
omit.(2)Section 195(d) to (f)—
renumber as section 195(c) to (e).
69Amendment of s 196 (Power of person acting for another person)
(1)Section 196(1), ‘an access or amendment application or other’—
omit, insert—a
(2)Section 196(2)—
omit, insert—(2)In this section—child means an individual who is under 18 years.parent—1Parent, of a child, means any of the following persons—(a)the child’s mother;(b)the child’s father;(c)a person who exercises parental responsibility for the child, including a person who is granted guardianship of the child under the Child Protection Act 1999 or who otherwise exercises parental responsibility for the child under a decision or order of a federal court or a court of a State.2However, a person standing in the place of a parent of a child on a temporary basis is not a parent of the child.3A parent of an Aboriginal child includes a person who, under Aboriginal tradition, is regarded as a parent of the child.4A parent of a Torres Strait Islander child includes a person who, under Island custom, is regarded as a parent of the child.
After section 196—
insert—196A Information commissioner may make preliminary inquiries
The information commissioner may make preliminary inquiries of any person for the purpose of determining whether to investigate an act or practice on the commissioner’s own initiative or otherwise under section 135(1)(a)(ii).
71Amendment of s 197 (Power of information commissioner for compliance notices and privacy complaints)
(1)Section 197, heading, from ‘for’—
omit, insert—to require information or attendance
(2)Section 197(1), before paragraph (a)—
insert—(aaa) a review into personal information handling practices under section 135(1)(a)(i); or(aab) an investigation of an act done or practice engaged in by a relevant entity in relation to personal information under section 135(1)(a)(ii); or(aac) an audit under section 135(1)(b)(iii); or(3)Section 197(1)—
insert—(aa)preliminary inquiries the commissioner is making of the respondent for a privacy complaint under section 167; or(4)Section 197(1)(aaa) to (b)—
renumber as section 197(1)(a) to (f).(5)Section 197(4), from ‘relevant’—
omit, insert—relevant to the matter mentioned in subsection (1).
72Replacement of s 199 (Contents of prescribed written notice)
Section 199—
omit, insert—(1)The information commissioner may enter into an arrangement (an information-sharing arrangement) with a prescribed agency for the purpose of sharing or exchanging information—(a)held by the information commissioner or the prescribed agency; or(b)to which the information commissioner or prescribed agency has access.(2)An information-sharing arrangement may relate only to information that assists—(a)the information commissioner perform the commissioner’s functions under this Act; or(b)the prescribed agency perform its functions.(3)Under an information-sharing arrangement, the information commissioner and the prescribed agency are, despite another Act or law, authorised to—(a)ask for and receive information held by the other party to the arrangement or to which the other party has access; and(b)disclose information to the other party.(4)In this section—prescribed agency—(a)means a department or administrative unit within a department that has functions related to whole of government cybersecurity management and operations; or(b)a department or government entity of the State, another State or the Commonwealth that has functions related to protecting the privacy of individuals, whether or not the entity has other functions; or(c)another department, public authority or government entity of the State, another State or the Commonwealth, prescribed by regulation for this paragraph.199A Corporations legislation displacement
(1)A regulation may declare a provision of this Act that applies in relation to a prescribed corporation to be a Corporations legislation displacement provision for the purposes of the Corporations Act, section 5G.(2)A regulation under subsection (1) may be declared to apply in relation to—(a)the whole of the Corporations legislation or a particular provision of the Corporations legislation; or(b)all prescribed corporations or a particular prescribed corporation.(3)In this section—prescribed corporation means a corporation, within the meaning of the Corporations Act, that is declared under section 21(1)(c) to be a public authority for this Act.
73Insertion of new ch 8, pt 3
Chapter 8—
insert—In this part—amendment Act means the Information Privacy and Other Legislation Amendment Act 2023.former, for a provision of this Act, means the provision as in force from time to time before the commencement of the provision in which the term is used.former IP Act means this Act as in force from time to time before the commencement of the provision in which the term is used.216Existing bound contracted service providers
(1)This section applies in relation to a contracted service provider that, immediately before the commencement, was a bound contracted service provider required to comply with former chapter 2, part 1 or 2 and part 3 under former section 36.(2)The requirement to comply with former chapter 2, part 1 or 2 and part 3 continues to apply to the contracted service provider in relation to personal information it holds under the service arrangement.(3)This Act applies in relation to the contracted service provider as if a reference to the privacy principle requirements were a reference to the requirement to comply with former chapter 2, part 1 or 2 and part 3 under former section 36.(4)Subsections (2) and (3) do not prevent the contracted service provider and agency agreeing to vary the service arrangement to require the contracted service provider to comply with chapter 2, parts 1 and 2 and section 41.(5)This section stops applying in relation to the contracted service provider if the service arrangement is varied as mentioned in subsection (4).217Existing access and amendment applications
(1)This section applies if an application or purported application under former chapter 3 has been made, but not finalised, before the commencement.(2)The former IP Act continues to apply in relation to the application or purported application as if the amendment Act had not been enacted.(3)For subsection (1), an application or purported application under former chapter 3 has not been finalised until—(a)a decision on the application or purported application has been made or taken to have been made; and(b)either—(i)the time for exercising any review rights or appeal rights in relation to the decision has ended without any rights being exercised; or(ii)any review or appeal in relation to the decision has ended.See also the Right to Information Act, section 206Q.218Continued protection for giving access to or publishing chapter 3 documents
(1)This section applies in relation to a chapter 3 document accessed or published—(a)before the commencement; or(b)under section 217.(2)Former sections 179 and 181 continue to apply in relation to the authorising or giving of access to a chapter 3 document as if the amendment Act had not been enacted.(3)Former sections 180 and 182 continue to apply in relation to the publication of a chapter 3 document as if the amendment Act had not been enacted.(4)In this section—chapter 3 document means a chapter 3 document within the meaning of the former IP Act.219Delayed application of ch 3A to local governments
Chapter 3A does not apply in relation to an agency that is a local government until the day that is 1 year after the commencement.220Existing approvals under former s 157
A waiver or modification approval given under former section 157 lapses on the commencement of this section.221Existing compliance notices under s 158
(1)This section applies if—(a)before the commencement, the information commissioner had given an agency a compliance notice under section 158 in relation to the privacy principles as in force before the commencement; and(b)immediately before the commencement, the time for complying with the notice under this Act had not ended.(2)The agency must comply with the notice in relation to the privacy principles under the former IP Act as if the amendment Act had not been enacted.222Information commissioner may issue compliance notice for failure to comply with former IP Act
(1)This section applies if—(a)before the commencement, an agency had done an act or engaged in a practice in contravention of a requirement to comply with the privacy principles under the former IP Act; and(b)immediately before the commencement the information commissioner had not yet given a compliance notice to the agency under section 158 in relation to the act or practice; and(c)the act or practice also constitutes a contravention of the privacy principle requirements.(2)The information commissioner may give the agency a compliance notice under section 158 in relation to the act or practice.223Privacy complaints about act or practice of relevant entity not yet made before commencement
(1)This section applies if—(a)before the commencement, a person could have made a privacy complaint under former chapter 5, part 1 about an act or practice engaged in by a relevant entity before the commencement; and(b)immediately before the commencement, the privacy complaint had not been made.(2)The privacy complaint may be made under former chapter 5, and former chapter 5 continues to apply in relation to the complaint, as if the amendment Act had not been enacted.224Privacy complaints made but not finalised before commencement
(1)This section applies if—(a)before the commencement, a privacy complaint was made or referred to the information commissioner under former chapter 5, part 1; and(b)immediately before the commencement, the complaint, or a part of the complaint, had not been finalised.(2)Former chapter 5 continues to apply in relation to the privacy complaint or part of the privacy complaint as if the amendment Act had not been enacted.(3)For subsection (1)(b), a privacy complaint or part of a privacy complaint is finalised if—(a)any of the following apply—(i)the information commissioner has declined to deal, or continue to deal, with the complaint or part under former section 168;(ii)the information commissioner has referred the privacy complaint or part to another entity under section 169;(iii)a mediated agreement has been certified for the privacy complaint or part under section 172;(iv)QCAT has disposed of the complaint or part under former section 178; and(b)the time for exercising any review or appeal rights in relation to a matter mentioned in paragraph (a) has ended without any rights being exercised.225Continuation of sections 185 and 187 for chapter 3 documents
(1)This section applies in relation to an offence against former section 185 or 187 committed in relation to a chapter 3 document by a person before the commencement.(2)Without limiting the Acts Interpretation Act 1954, section 20, a proceeding for the offence may be continued or started, and the person may be convicted of and punished for the offence, as if the amendment Act, sections 61 and 63 had not commenced.(3)Subsection (2) applies despite the Criminal Code, section 11.226Report to Assembly on Act’s operation
(1)This section applies in relation to a financial year ending before the commencement if the report for the financial year has not been tabled in the Assembly under former section 194.(2)Former section 194 continues to apply in relation to the financial year as if the amendment Act had not been enacted.(3)Section 194 as in force on the commencement does not apply in relation to the financial year.
73AAmendment of sch 2 (Entities to which the privacy principles do not apply)
(1)Schedule 2, heading, ‘Entities to which the privacy principles do not apply’—
omit, insert—Excluded entities
(2)Schedule 2, part 1, heading, ‘Entities to which the privacy principles do not apply’—
omit, insert—Excluded entities
(3)Schedule 2, part 1—
insert—7an APP entity under the Privacy Act 1988 (Cwlth)(4)Schedule 2, part 2, heading, ‘to which the privacy principles do not apply’—
omit, insert—that are excluded entities
Schedules 3 and 4—
omit, insert—section 26
In this schedule—(a)each QPP is numbered using the provision number of the corresponding APP; and(b)a reference in an editor’s note to an APP followed by a number is a reference to a provision of the Privacy Act 1988 (Cwlth), schedule 1, having that number; and(c)editor’s notes describe material differences between a particular QPP and the corresponding APP.1QPP 1—open and transparent management of personal information
1.1The object of this QPP is to ensure that agencies manage personal information in an open and transparent way.Compliance with the QPPs etc.1.2An agency must take reasonable steps to implement practices, procedures and systems relating to the agency’s functions or activities that—(a)will ensure the agency complies with the QPPs and any QPP code that binds the agency; and(b)will enable the agency to deal with inquiries and complaints from individuals about the agency’s compliance with the QPPs or any QPP code that binds the agency.QPP privacy policy1.3An agency must have a clearly expressed and up-to-date policy (the QPP privacy policy) about the management of personal information by the agency.1.4Without limiting QPP 1.3, the QPP privacy policy of the agency must contain the following information—(a)the kinds of personal information that the agency collects and holds;(b)how the agency collects and holds personal information;(c)the purposes for which the agency collects, holds, uses and discloses personal information;(d)how an individual may access personal information about the individual that is held by the agency and seek the correction of the information;(e)how an individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint;(f)whether the agency is likely to disclose personal information to entities outside Australia;(g)if the agency is likely to disclose personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the policy.Availability of QPP privacy policy etc.1.5An agency must take reasonable steps to make its QPP privacy policy available—(a)free of charge; and(b)in an appropriate form.Example of how agency may make its QPP privacy policy available—
publication on the agency’s website1.6If a person requests a copy of the QPP privacy policy of an agency in a particular form, the agency must take reasonable steps to give the person a copy in that form.2QPP 2—anonymity and pseudonymity
2.1Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an agency in relation to a particular matter.2.2QPP 2.1 does not apply if, in relation to the matter—(a)the agency is required or authorised under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or(b)it is impracticable for the agency to deal with individuals who have not identified themselves or who have used a pseudonym.3QPP 3—collection of solicited personal information
Personal information other than sensitive information3.1An agency must not collect personal information, other than sensitive information, unless the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities.The equivalent APP includes a provision applying to certain private sector entities (see APP 3.2).Sensitive information3.3An agency must not collect sensitive information about an individual unless—(a)the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities; orThe equivalent APP includes a provision applying to certain private sector entities (see APP 3.3(a)(ii)).(b)QPP 3.4 applies in relation to the information.3.4This QPP applies in relation to sensitive information about an individual if—(a)the collection of the information is required or authorised under an Australian law or a court or tribunal order; or(b)a permitted general situation exists in relation to the collection of the information by the agency; orPermitted general situations are stated in schedule 4, part 1.(c)the agency is a health agency and a permitted health situation exists in relation to the collection of the information by the agency; orPermitted health situations are stated in schedule 4, part 2.(d)the agency is a law enforcement agency and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities.The equivalent APP includes a provision applying to—(a)the Commonwealth Immigration Department (see APP 3.4(d)(i)); and(b)non-profit organisations (see APP 3.4(e)).Means of collection3.5An agency must collect personal information only by lawful and fair means.3.6An agency must collect personal information about an individual only from the individual unless—(a)either—(i)the individual consents to the collection of the information from someone other than the individual; or(ii)the agency is required or authorised under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or(b)it is unreasonable or impracticable to do so.Solicited personal information3.7This QPP applies to the collection of personal information that is solicited by an agency.4QPP 4—dealing with unsolicited personal information
4.1If—(a)an agency receives personal information; and(b)the agency did not solicit the information;the agency must, within a reasonable period after receiving the information, decide whether or not the agency could have collected the information under QPP 3 if the agency had solicited the information.4.2The agency may use or disclose the personal information for the purposes of making the decision under QPP 4.1.4.3If—(a)the agency decides the agency could not have collected the personal information; and(b)the information is not contained in a public record;the agency must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.4.4If QPP 4.3 does not apply in relation to the personal information, QPPs 5 to 13 apply in relation to the information as if the agency had collected the information under QPP 3.5QPP 5—notification of the collection of personal information
5.1At or before the time or, if that is not practicable, as soon as practicable after, an agency collects personal information about an individual, the agency must take steps, if any, that are reasonable in the circumstances to—(a)notify the individual of the matters mentioned in QPP 5.2 that are reasonable in the circumstances; or(b)otherwise ensure that the individual is aware of those matters.5.2The matters for QPP 5.1 are the following—(a)the identity and contact details of the agency;(b)if—(i)the agency collects the personal information from someone other than the individual; or(ii)the individual may not be aware that the agency has collected the personal information;the fact that the agency collects, or has collected, the information and the circumstances of that collection;(c)if the collection of the personal information is required or authorised under an Australian law, or a court or tribunal order—the fact that the collection is required or authorised, including the name of the Australian law, or details for the court or tribunal order, that requires or authorises the collection;(d)the purposes for which the agency collects the personal information;(e)the main consequences, if any, for the individual if all or some of the personal information is not collected by the agency;(f)any other agency or entity, or the kinds of any other agencies or entities, to which the agency usually discloses personal information of the kind collected by the agency;(g)that the QPP privacy policy of the agency contains information about how the individual may access the personal information about the individual that is held by the agency and seek the correction of the information;(h)that the QPP privacy policy of the agency contains information about how the individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint;(i)whether the agency is likely to disclose the personal information to entities outside of Australia;(j)if the agency is likely to disclose the personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the notification or to otherwise make the individual aware of them.6QPP 6—use or disclosure of personal information
Use or disclosure6.1If an agency holds personal information about an individual that was collected for a particular purpose (the primary purpose), the agency must not use or disclose the information for another purpose (the secondary purpose) unless—(a)the individual has consented to the use or disclosure of the information; or(b)QPP 6.2 applies in relation to the use or disclosure of the information.6.2This QPP applies in relation to the use or disclosure of personal information about an individual if—(a)the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is—(i)if the information is sensitive information—directly related to the primary purpose; or(ii)if the information is not sensitive information—related to the primary purpose; or(b)the use or disclosure of the information is required or authorised under an Australian law or a court or tribunal order; or(c)a permitted general situation exists in relation to the use or disclosure of the information by the agency; orPermitted general situations are stated in schedule 4, part 1.(d)the agency is a health agency and a permitted health situation exists in relation to the use or disclosure of the information by the agency; orPermitted health situations are stated in schedule 4, part 2.(e)the agency reasonably believes the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by a law enforcement agency; or(f)all of the following apply—(i)ASIO has asked the agency to disclose the personal information;(ii)an officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions;(iii)the disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information; orQPP 6.2(f) applies in relation to Queensland agencies and does not correspond to an APP.(g)all of the following apply—(i)the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;(ii)the use or disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual;(iii)it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use or disclosure;(iv)if the personal information is disclosed to another entity—the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.1QPP 6.2(g) applies in relation to Queensland agencies and does not correspond to an APP.2The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about the disclosure of personal information that is biometric information or biometric templates to an enforcement body in certain circumstances (see APP 6.3).
There is no equivalent QPP for APP 6.3.6.4If—(a)the agency is a health agency; and(b)schedule 4, part 2, section 3 applied in relation to the collection of the personal information by the agency;the agency must take reasonable steps to ensure the information is de-identified before the agency discloses it under QPP 6.1 or QPP 6.2.Written note of use or disclosure6.5If an agency uses or discloses personal information in accordance with QPP 6.2(e), the agency must make a written note of the use or disclosure.The equivalent APP includes a provision applying to certain private sector entities (see APP 6.6 and APP 6.7).The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle prohibiting direct marketing by certain private sector entities (see APP 7).
There is no equivalent QPP for APP 7.QPP 6 is relevant to the use or disclosure of personal information for the purpose of direct marketing.8QPP 8—cross-border disclosure of personal information
The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about requirements for cross-border disclosure of personal information (see APP 8).
There is no equivalent QPP for APP 8.9QPP 9—adoption, use or disclosure of government related identifiers
The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle regulating the adoption, use or disclosure of government related identifiers by certain private sector entities (see APP 9).
There is no equivalent QPP for APP 9.10QPP 10—quality of personal information
10.1An agency must take reasonable steps to ensure the personal information the agency collects is accurate, up to date and complete.10.2An agency must take reasonable steps to ensure the personal information the agency uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.11QPP 11—security of personal information
11.1If an agency holds personal information, the agency must take reasonable steps to protect the information—(a)from misuse, interference or loss; and(b)from unauthorised access, modification or disclosure.11.2If—(a)an agency holds personal information about an individual; and(b)the agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the QPPs; and(c)the information is not contained in a public record; and(d)the agency is not required under an Australian law, or a court or tribunal order, to retain the information;the agency must take reasonable steps to destroy the information or to ensure the information is de-identified.12QPP 12—access to personal information
Access12.1If an agency holds personal information about an individual, the agency must, on request by the individual, give the individual access to the information.Exception to access12.2If the agency is required or authorised to refuse to give the individual access to the personal information under—(a)the Right to Information Act; or(b)another law in force in Queensland that provides for access by people to documents;then, despite QPP 12.1, the agency is not required to give access to the extent the agency is required or authorised to refuse to give access.1The equivalent APP includes a provision applying to certain private sector entities (see APP 12.3).2The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about the procedures for requesting access to personal information, including requirements for dealing with requests for access, other means of access, access charges and refusals to give access (see APPs 12.4 to 12.10).
There are no equivalent QPPs for APPs 12.3 to 12.10.13QPP 13—correction of personal information
Correction13.1If—(a)an agency holds personal information about an individual; and(b)either—(i)the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or(ii)the individual requests the agency to correct the information;the agency must take reasonable steps to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about requirements to notify other APP entities of corrections to personal information, and refusals to correct personal information (see APPs 13.2 and 13.3).
There are no equivalent QPPs for APPs 13.2 and 13.3.Request to associate a statement13.4If—(a)the agency refuses to correct the personal information as requested by the individual; and(b)the individual requests the agency to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;the agency must take reasonable steps to associate the statement in a way that will make the statement apparent to users of the information.The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about dealing with requests to correct personal information (see APP 13.5).
There is no equivalent QPP for APP 13.5.13.6An agency need not comply with QPP 13.1 in relation to a request made to the agency to correct personal information if the agency is required or authorised to refuse to correct or amend the information under the Right to Information Act or another Act regulating the amendment of personal information.QPP 13.6 applies in relation to Queensland agencies and does not correspond to an APP.schedule 5, definitions permitted general situation and permitted health situation
1Collection, use or disclosure
A permitted general situation exists in relation to the collection, use or disclosure by an agency of personal information about an individual if—(a)both of the following apply—(i)it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure;(ii)the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety; or(b)both of the following apply—(i)the agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being or may be engaged in;(ii)the agency reasonably believes that the collection, use or disclosure is necessary in order for the agency to take appropriate action in relation to the matter; or(c)both of the following apply—(i)the agency reasonably believes that the collection, use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing;(ii)the collection, use or disclosure complies with a guideline in effect under chapter 3, part 2; or(d)the collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; or(e)the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.2Collection—provision of a health service
(1)A permitted health situation exists in relation to the collection by a health agency of health information about an individual if—(a)the information is necessary to provide a health service to the individual; and(b)either—(i)the collection is required or authorised under an Australian law; or(ii)the individual would reasonably expect the health agency to collect the information for that purpose.(2)Also, a permitted health situation exists in relation to the collection by a health agency of health information about an individual if—(a)the information is a family medical history, social medical history or other relevant information about the individual or another individual; and(b)it is necessary to collect the information about the individual for the purpose of providing the individual or another individual with a health service; and(c)the information about the individual is collected by the health agency from—(i)the person who is receiving or about to receive the health service; or(ii)a responsible person for the individual.(1)A permitted health situation exists in relation to the collection by a health agency of health information about an individual if—(a)the collection is necessary for any of the following purposes—(i)research relevant to public health or public safety;(ii)the compilation or analysis of statistics relevant to public health or public safety;(iii)the management, funding or monitoring of a health service; and(b)that purpose can not be served by the collection of information that does not identify the individual or from which the individual’s identity can not reasonably be ascertained; and(c)it is impracticable for the health agency to seek the individual’s consent to the collection; and(d)the information is collected—(i)as required or authorised under an Australian law; or(ii)by a designated person with the approval of the relevant chief executive; or(iii)in accordance with guidelines approved by the chief executive of the health department for this subparagraph.(2)In this section—designated person see the Hospital and Health Boards Act 2011, section 139A.relevant chief executive, of a health agency, means—(a)if the health agency is a Hospital and Health Service—the health service chief executive or the chief executive of the health department; or(b)otherwise—the chief executive of the health department.4Use or disclosure—research etc.
A permitted health situation exists in relation to the use or disclosure by a health agency of health information about an individual if—(a)the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and(b)it is impracticable for the health agency to obtain the individual’s consent before the use or disclosure; and(c)the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for this paragraph; and(d)for disclosure—the health agency reasonably believes the entity receiving the health information will not disclose the health information or personal information derived from the health information.5Disclosure—responsible person for an individual
A permitted health situation exists in relation to the disclosure by a health agency of health information about an individual if—(a)the health agency provides a health service to the individual; and(b)the recipient of the information is a responsible person for the individual; and(c)the individual is—(i)physically or legally incapable of giving consent to the disclosure; or(ii)physically can not communicate consent to the disclosure; and(d)a health professional providing the health service for the organisation is satisfied—(i)the disclosure is necessary to provide appropriate care or treatment of the individual; or(ii)the disclosure is made for compassionate reasons; and(e)the disclosure is not contrary to any wish—(i)expressed by the individual before the individual became unable to give or communicate consent; and(ii)of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and(f)the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).
75Amendment of sch 5 (Dictionary)
(1)Schedule 5—
omit the following definitions—•access application•access charge•adult child•adult sibling•agency•agent•amendment application•appeal tribunal•applicant•appropriately qualified•backup system•chapter 3 agency•chapter 3 document•considered decision•contrary to public interest document•contrary to public interest information•control•decision-maker•deemed decision•designated person•document•document to which the privacy principles do not apply•eligible family member•entity to which the privacy principles do not apply•exempt document•exempt information•external review•external review application•generally available publication•healthcare professional•holds•internal review•internal review application•IPP•judicial member•narrow•NPP•participant•prescribed information•prescribed written notice•privacy principles•processing period•relevant chief executive•relevant entity•relevant healthcare information•reviewable decision•review under this Act•sensitive information•transfer period(2)Schedule 5—
insert—accessible agency website means a website that is—(a)accessible by members of the public; and(b)operated by an agency.affected individual, in relation to a data breach of an agency, see section 47(1)(a)(ii) and (b)(ii).agency see section 18.APP means an Australian Privacy Principle set out in the Privacy Act 1988 (Cwlth), schedule 1.Australian law, for schedules 3 and 4, means a law of the Commonwealth or a State, and includes the common law.authorised officer means a person who holds office under chapter 3A, part 5 as an authorised officer.collect, for schedules 3 and 4, in relation to personal information, means collect the information for inclusion in a document or generally available publication.data breach, of an agency, means either of the following in relation to information held by the agency—(a)unauthorised access to, or unauthorised disclosure of, the information;(b)the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.de-identify, for schedule 3, in relation to information, means to amend the information so it is no longer about an identified individual, or an individual who is reasonably identifiable from the information.document see section 15.document to which the privacy principle requirements do not apply see section 16.eligible data breach, of an agency, see section 47.enforcement-related activity, for schedule 3, means—(a)the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions; or(b)the enforcement of laws relating to the confiscation of the proceeds of crime; or(c)the protection of the public revenue; or(d)the prevention, detection, investigation or remedying of seriously improper conduct; or(e)the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.excluded entity see section 18(4).generally available publication means a magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public whether or not it is—(a)published in print, electronically or in any other form; or(b)available on payment of a fee or charge.held, in relation to personal information, see section 13.holds, in relation to personal information, see section 13.identity card, for a provision about authorised officers, means an identity card issued under section 64.permitted general situation means a permitted general situation described in schedule 4, part 1.permitted health situation means a permitted health situation described in schedule 4, part 2.privacy principle requirements means—(a)for an agency—the requirements under chapters 2 and 3 applying to the agency; or(b)for a bound contracted service provider—the requirements under chapter 2, parts 1 and 2 and section 41 applying to the service provider under section 36(1).public record means a public record under the Public Records Act 2023.QPP see section 26.QPP code see section 40(1).QPP privacy policy, for schedule 3, see QPP 1.3.relevant entity means an agency or bound contracted service provider.response period, for a privacy complaint to a relevant entity, for chapter 5, part 1, see section 164A(1).responsible person, for an individual, for schedule 4, means—(a)a parent of the individual; or(b)a child or sibling of the individual if a health professional believes the child or sibling has capacity; or(c)a spouse of the individual; or(d)a relative of the individual if the relative is a member of the individual’s household; or(e)a guardian of the individual; or(f)a person exercising a power under an enduring power of attorney made by the individual that is exercisable in relation to decisions about the individual’s health; or(g)a person who has sufficient personal interest in the health and welfare of the individual; or(h)a person nominated by the individual to be contacted in case of emergency.sensitive information, for an individual, means the following—(a)information or an opinion, that is also personal information, about the individual’s—(i)racial or ethnic origin; or(ii)political opinions; or(iii)membership of a political association; or(iv)religious beliefs or affiliations; or(v)philosophical beliefs; or(vi)membership of a professional or trade association; or(vii)membership of a trade union; or(viii) sexual orientation or practices; or(ix)criminal record;(b)health information about the individual;(c)genetic information about the individual that is not otherwise health information;(d)biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or(e)biometric templates.serious harm, to an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example—(a)serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or(b)serious harm to the individual’s reputation because of the access or disclosure.solicit, for schedule 3, by an entity in relation to personal information, means ask another entity to provide the personal information, or to provide information of a kind in which the personal information is included.(3)Schedule 5, definition consent, ‘the NPPs’—
omit, insert—schedules 3 and 4
(4)Schedule 5, definition health information, ‘, for the NPPs,’—
omit.(5)Schedule 5, definition health professional, ‘, for the NPPs,’—
omit.(6)Schedule 5, definition law enforcement agency, paragraph (a), ‘IPP 11(1)(e)’—
omit, insert—QPP 6
(7)Schedule 5, definition law enforcement agency, paragraph (b)(iv)—
insert—(E)the protection of public revenue.
Part 4 Amendment of Ombudsman Act 2001
This part amends the Ombudsman Act 2001.
77Amendment of s 16 (What ombudsman may not investigate)
Section 16(2)(h), after ‘131’—
insert—or the Information Privacy Act 2009, section 135 or 136
Part 5 Amendment of Right to Information Act 2009
This part amends the Right to Information Act 2009.See also the amendments in schedule 1, part 2.
Long title, after ‘to’—
insert—, and relating to,
80Amendment of s 3 (Object of Act)
Section 3(1)—
omit, insert—(1)The primary object of this Act is to give—(a)a right of access to information in the government’s possession or under the government’s control unless, on balance, it is contrary to the public interest to give the access; and(b)a right of amendment of personal information in the government’s possession or under the government’s control unless, on balance, it is contrary to the public interest to allow the information to be amended.
Sections 4 and 5—
omit, insert—4Act not intended to prevent other publication, access or amendment
(1)This Act is not intended to prevent or discourage the publication of information or the giving of access to, or allowing the amendment of, documents otherwise than under this Act if the publication, giving of access or amendment can properly be done or is permitted or required to be done by law.(2)To remove any doubt, it is declared that subsection (1) applies to—(a)the giving of access to documents to which this Act does not apply, exempt documents and contrary to public interest documents, or documents to which the privacy principle requirements do not apply; and(b)allowing the amendment of documents to which the privacy principle requirements do not apply; and(c)the publication of information and the giving of access to, or allowing the amendment of, documents by—(i)an entity to which this Act does not apply or to which this Act does not apply in relation to a particular function; or(ii)an entity to which the privacy principle requirements do not apply; or(iii)an entity to which the privacy principle requirements do not apply in relation to a particular function.(3)In this section—document to which the privacy principle requirements do not apply see the Information Privacy Act 2009, section 16.entity to which the privacy principle requirements do not apply see the Information Privacy Act 2009, section 18(4).5Relationship with other Acts requiring access, amendment or publication
Without limiting section 4, this Act does not affect the operation of another Act or administrative scheme that does 1 or more of the following things, whether or not on payment of a charge—(a)requires information about documents or personal information in the possession, or under the control, of government to be made available to members of the community;(b)enables a member of the community to access documents in the possession, or under the control, of government;(c)enables an individual to be given access to or to amend the individual’s personal information in the possession, or under the control, of government;(d)requires the publication of information concerning government operations.
82Replacement of s 8 (Relationship with Information Privacy Act)
Section 8—
omit, insert—8Relationship with Information Privacy Act 2009
The Information Privacy Act 2009 is intended to operate subject to the provisions of this Act regulating the accessing and amendment of personal information.See the Information Privacy Act 2009, section 7.
83Amendment of s 14 (Meaning of agency)
Section 14(2), note, from ‘Also,’—
omit, insert—See also sections 26 and 78G for restrictions on making access or amendment applications to the OIC, the information commissioner, the RTI commissioner or the privacy commissioner.
84Amendment of s 16 (Meaning of public authority)
(1)Section 16(1)(c), from ‘declared by’—
omit, insert—declared to be a public authority for this Act under section 16A;
(4)Section 16(4), definition prescribed entity, ‘by regulation’—
omit, insert—under section 16A
After section 16—
insert—16ADeclaration of entities to be public authorities
(1)An entity may be declared by regulation to be a public authority for this Act.(2)The Minister may recommend to the Governor in Council the making of a regulation under subsection (1) declaring an entity to be a public authority for this Act only if the Minister—(a)is satisfied the entity—(i)is supported directly or indirectly by government funds or other government assistance; or(ii)is an entity over which government is in a position to exercise control; or(iii)is established under an Act; or(iv)is given public functions under an Act; and(b)considers it is in the public interest for the entity to be declared as a public authority for this Act.(3)In deciding whether it would be in the public interest for the entity to be declared as a public authority for this Act, the Minister may have regard to each of the following matters—(a)if the entity is a company, whether it is a company limited by shares;(b)the size of the entity, having regard to the number of the entity’s employees or the entity’s turnover;(c)the purpose of the entity, including whether it is performing functions that are generally identified with the functions of government;(d)the extent to which functions of the entity have previously been performed by government;(e)the extent to which the entity has been the subject of an adverse comment by a regulatory or investigatory body such as the Auditor-General or Crime and Corruption Commission;(f)any other relevant matter.(4)Also, for subsection (1), an entity may be declared by regulation to be a public authority for this Act in relation to only a part of the entity’s functions.
86Replacement of s 18 (Meaning of processing period, revision period and transfer period)
Section 18—
omit, insert—18Meaning of processing period
(1)The processing period, for an access or amendment application to an agency or Minister, is the total of—(a)a period of 25 business days from the valid application day for the application; and(b)each additional period mentioned in column 2 of the following table for a circumstance mentioned in column 1 applying to the application.
Column 1
CircumstanceColumn 2
Additional periodthe application is transferred to the agency or Minister
the lesser of the following—
(a) the period starting on the day the application is received by the agency or Minister who transfers the application and ending on the day the application is transferred;(b) 10 business daysthe applicant is given a notice under section 42(1)(a) or 78O(1)(a)
the prescribed consultation period under section 42 or 78O
the only address to be sent notices the applicant gives the agency or Minister by the valid application day is a postal address
5 business days
for an access application—the applicant is given a charges estimate notice under section 36, other than a charges estimate notice stating the agency’s or Minister’s decision that charges will be waived under chapter 3, part 6, division 3
the period starting on the date of the first charges estimate notice given under section 36 and ending on the earlier of the following—
(a) the day the applicant confirms the application or, if the applicant narrows the application, confirms the changed application;(b) the day the agency or Minister gives the applicant a prescribed written notice of a decision to waive any processing charge, or access charge, under section 66(2)for an access application—the application involves consultation with a relevant third party under section 37
10 business days
the agency or Minister asks for a further specified period under subsection (2)
the following period—
(a) if paragraph (b) does not apply—the further specified period;(b) if the applicant refuses the request or applies for external review under section 86A—the period starting on the day the further specified period starts and ending on the day the applicant refuses the request or applies for external review(2)Before the end of the processing period for the access or amendment application, the agency or Minister may ask the applicant for a further specified period to consider the application.(3)A request under subsection (2) may be made more than once.(4)In this section—valid application day, for an access or amendment application, means the day on which the application complies with all relevant application requirements for the application under section 33(8) or 78K(8).
87Insertion of new ch 1, pt 3
Chapter 1—
insert—18AEffect of publication by Cabinet on public interest immunity
(1)This section applies in relation to a decision being made in a proceeding or process about whether a common law or statutory rule prevents the production or disclosure of information in connection with Cabinet because the production or disclosure would be contrary to the public interest.(2)In the making of the decision, the following matters must be disregarded in assessing the public interest—(a)the publication by Cabinet of any other information contained in the document that contains the information;(b)the publication by Cabinet of any other Cabinet information;(c)a decision by Cabinet to officially publish Cabinet information on a regular basis.(3)In this section—Cabinet information means information contained in a document mentioned in schedule 3, section 2(3).proceeding or process includes any extra-curial proceeding or inquisitorial or investigative process carried out under an Act.•an investigation carried out by the Crime and Corruption Commission•an investigation carried out by the Independent Assessor under the Local Government Act 2009•an inquiry carried out by a professional body into a complaint against a member of the body
88Replacement of s 21 (Requirement for publication scheme)
Section 21—
omit, insert—21Requirement for publication scheme
(1)An agency must publish a scheme (a publication scheme)—(a)setting out the following details—(i)the agency’s structure and functions;(ii)how the agency’s functions affect members of the public;(iii)any arrangements that enable members of the public to engage with the agency’s functions;(iv)the types of information held by the agency;(v)the types of information the agency makes publicly available and how that information is made available;(vi)procedures for asking for information, including, for example, any fee or charge that may be payable; and(b)publishing information about the agency that is prescribed by regulation to the extent the information is held by the agency.(2)An agency must, as far as is reasonably practicable, publish the agency’s publication scheme on an accessible agency website.(3)However, if it is not reasonably practicable for an agency to publish a part of the agency’s publication scheme on an accessible agency website, the agency must publish information on the accessible agency website about how a person may access the part of the agency’s publication scheme.If a part of an agency’s publication scheme can only be accessed in person, the agency must publish information on an accessible agency website stating how the part of the agency’s publication scheme can be accessed in person.(4)Nothing in this section prevents an agency from deleting exempt information or contrary to public interest information from the information published under this section.(5)In this section—accessible agency website means a website that is—(a)accessible by members of the public; and(b)operated by an agency.agency does not include a prescribed entity under section 16.
After section 22—
insert—22ACivil liability of Minister for disclosing information
(1)A Minister does not incur civil liability as a result of, or in connection with, disclosing information under a publication scheme or other administrative scheme in good faith.Examples of disclosing information—
•publishing information on a department’s website•official publication by decision of Cabinet of information contained in a Cabinet document(2)If subsection (1) prevents liability attaching to a Minister, the liability attaches instead to the State.See also the Public Sector Act 2022, section 269, in relation to the civil liability of prescribed persons engaging in conduct in an official capacity.
90Amendment of s 24 (Making access application)
(1)Section 24(2)(a), ‘the approved form’—
omit, insert—writing
(2)Section 24(2)(b), from ‘a’ to ‘or the’—
omit, insert—the agency or
(3)Section 24(2)(d) and (e)—
omit, insert—(d)for an application for access to a document containing personal information of the applicant, be accompanied by—(i)evidence of identity for the applicant; and(ii)if an agent is acting for the applicant—evidence of the agent’s authorisation.Examples of an agent’s authorisation—
•the will or court order appointing the agent to act as the applicant’s guardian•the client agreement authorising a legal practitioner to act for an applicant•if the application is made in reliance on section 25, evidence the agent is the child’s parent(4)Section 24(3)—
omit, insert—(3)The application may, but need not be, in the approved form.(5)Section 24(4), note—
omit.(6)Section 24(5)—
omit, insert—(5)However, no application fee is payable for an application for access to a document if the only document applied for contains personal information of the applicant.(6)If an applicant pays an application fee for an application but no application fee is payable for the application under subsection (5), the application fee must be refunded as soon as practicable.See also section 46(1) in relation to the refund of an application fee if a deemed decision is made.
91Amendment of s 26 (Access application may not be made to commissioner)
(1)Section 26, heading, ‘commissioner’—
omit, insert—OIC etc.
(2)Section 26, after ‘transferred to’—
insert—the OIC,
(3)Section 26—
insert—(2)Subsection (1) does not apply to an access application made to the OIC by a person who is or was a staff member of the OIC in relation to the person’s personal information.
92Amendment of s 32 (Application outside scope of Act)
(1)Section 32, heading, after ‘Application’—
insert—or part of application
(2)Section 32(1)(a), ‘purports to make’—
omit, insert—makes
(3)Section 32(1)(b)—
omit, insert—(b)the entity decides the application or a part of the application is outside the scope of this Act for 1 or more of the following reasons—(i)the application or part relates to a document that is not a document of an agency or a document of a Minister;(ii)for the application or part, the entity is an entity to which this Act does not apply;(iii)the application or part is made to the OIC, the information commissioner, the RTI commissioner or the privacy commissioner in contravention of section 26.(4)Section 32(2)—
omit, insert—(2)Within 25 business days after the application is received, the entity must give prescribed written notice of the decision to the applicant.A decision that an application or a part of an application is outside the scope of this Act under any of schedule 2, part 2, items 1 to 8 is a judicial function decision (see schedule 5, definition judicial function decision) which is not a reviewable decision (see schedule 4A, section 1(a)), but may be appealed to the appeal tribunal (see section 119(2)).(3)If an entity gives prescribed written notice to an applicant of a decision under this section in relation to only part of an application—(a)the application continues to be an access application excluding the part of the application the subject of the decision; and(b)the entity must consider the access application as continued under paragraph (a).
93Amendment of s 33 (Noncompliance with application requirement)
(1)Section 33(3), from ‘with an’ to ‘making an’—
omit, insert—with an access application because it does not comply with all relevant application requirements without first giving the applicant a reasonable opportunity to consult with a view to making any changes or doing any other thing necessary to make the
(2)Section 33(3)—
insert—Example of doing a thing for subsection (3)—
paying the application fee(3)Section 33(4), after ‘an’—
insert—access
(4)Section 33—
insert—(6A)The agency or Minister must provide advice and help, to the extent it would be reasonable to expect the agency or Minister to do so, to help the applicant to make an access application in a form complying with all relevant application requirements.(5)Section 33(7), definition relevant application requirement, ‘section 24(2) or (3)’—
omit, insert—section 24(2)
(6)Section 33(6A) and (7)—
renumber as section 33(7) and (8).
94Omission of s 34 (Application for personal information)
Section 34—
omit.
95Omission of s 35 (Longer processing period)
Section 35—
omit.
96Amendment of s 36 (Schedule of relevant documents and charges estimate notice)
(1)Section 36, heading, from ‘Schedule’ to ‘charges’—
omit, insert—Charges
(2)Section 36(1)(b)—
omit, insert—(b)if a processing charge or access charge is payable in relation to the application—give the applicant a charges estimate notice before the end of the processing period for the application.(3)Section 36(5)—
omit, insert—(5)If the applicant does not confirm or withdraw the access application, as narrowed under subsection (4), within the prescribed period, the applicant is taken to have withdrawn the applicant’s application at the end of the prescribed period.(4)Section 36(6), ‘Also, subsections (2) to (4)’—
omit, insert—Subsections (2) to (5)
(5)Section 36(7), definition charges estimate notice, paragraph (f)—
omit, insert—(f)for a notice given under subsection (1)—the effect of subsections (2) and (3);(fa)for a notice given under subsection (4)—the effect of subsection (5);(6)Section 36(7), definition charges estimate notice, paragraphs (fa) and (g)—
renumber as section 36(7), definition charges estimate notice, paragraphs (g) and (h).(7)Section 36(7), definition schedule of relevant documents—
omit.
97Amendment of s 38 (Transfer of application)
(1)Section 38(1)—
insert—application includes a purported application.(2)Section 38(1)—
relocate and renumber as section 38(7).(3)Section 38(4), from ‘If’ to ‘applies’—
omit, insert—If an application is made to an agency for access to 2 or more documents, at least 1 of which is a document mentioned in subsection (1)(a), this section (other than subsections (4) and (5)) applies
(4)Section 38(5), ‘that is not’—
omit, insert—that does not contain
(5)Section 38(6), from ‘that is’ to ‘subsection (5)’—
omit, insert—that contains personal information of the applicant, subsection (4)
(6)Section 38(2) to (7)—
renumber as section 38(1) to (6).
98Amendment of s 43 (Previous application for same documents)
(1)Section 43(1)(a), ‘, whether under this Act or the Information Privacy Act,’—
omit.(2)Section 43(1)(b), ‘under this Act’—
omit.(3)Section 43(2)—
omit, insert—(2)For subsection (1)(a), the first application—(a)does not include an access application taken to have been withdrawn under section 36(3) or (5) or 42(4); and(b)if an access application has been narrowed under section 36 or 42—means only the access application as changed.(4)Section 43(3)(b), ‘, if made under this Act’—
omit.(5)Section 43(3)(c)—
omit.(6)Section 43(3)(d)—
renumber as section 43(3)(c).(7)Section 43(5) and (6)—
omit, insert—(5)For subsection (3)(c)—(a)review means an internal review, an external review or a proceeding under chapter 3B, part 4; and(b)a review is complete if the review has ended because of an informal resolution or because of a decision of the entity conducting the review.
99Amendment of s 46 (Deemed decision on access application)
Section 46(1)(b), ‘the application fee’—
omit, insert—any application fee paid for the application
100Amendment of s 49 (Contrary to public interest)
(1)Section 49(3)(a)—
omit, insert—(a)identify any factor that is irrelevant to deciding whether, on balance, disclosure of the information would be contrary to the public interest that applies in relation to the information (an irrelevant factor), including, for example, any factor mentioned in schedule 4, part 1;(2)Section 49(3)(b) and (c), after ‘including’—
insert—, for example,
101Amendment of s 54 (Notification of decision and reasons)
(1)Section 54(2)(a)(iii) and (iv), ‘78 or’—
omit.(2)Section 54(2)—
insert—(da)if access is to be given to a copy of a document subject to the deletion under section 75A of the personal information of a child—(i)the fact that the document is such a copy; and(ii)the reason under section 50 the agency or Minister considers disclosure of the information would not be in the best interests of the child;(db)if access is to be given to a copy of a document subject to the deletion under section 75B of relevant healthcare information of the applicant—(i)the fact that the document is such a copy; and(ii)the reason under section 51 the agency or Minister considers disclosure of the information to the applicant might be prejudicial to the physical or mental health or wellbeing of the applicant;(3)Section 54(2)(da) to (g)—
renumber as section 54(2)(e) to (i).
102Omission of s 78 (Disclosure logs—departments and Ministers)
Section 78—
omit.
103Amendment of s 78A (Disclosure logs—other agencies)
(1)Section 78A, heading, ‘—other agencies’—
omit.(2)Section 78A(1) and (3), after ‘agency’—
insert—or Minister
(3)Section 78A(6), ‘section 78B(2)’—
omit, insert—section 78B(1)
(4)Section 78A(7), definition agency, ‘a department or’—
omit.
104Amendment of s 78B (Requirements about disclosure logs)
(1)Section 78B(1)—
omit.(2)Section 78B(2), from ‘Without’ to ‘or 78A,’—
omit, insert—An agency or Minister must delete from any document or information included in a disclosure log under section 78A
(3)Section 78B(2)(d)(i), after ‘agency’—
insert—or Minister
(4)Section 78B(3), definition agency, ‘includes a Minister but’—
omit.(5)Section 78B(2) and (3)—
renumber as section 78B(1) and (2).
After section 78B—
insert—78C Right to amend personal information in particular documents
(1)Subject to this Act, an individual has a right under this Act to amend, if inaccurate, incomplete, out of date or misleading—(a)documents of an agency to the extent they contain the individual’s personal information; and(b)documents of a Minister to the extent they contain the individual’s personal information.1See part 2 for how to exercise this right to amend.2Exclusions of the right are provided for under—(a)section 78G, which restricts the making of amendment applications to the OIC, the information commissioner, the RTI commissioner or the privacy commissioner; and(b)part 4, which provides particular circumstances where an entity may refuse to deal with an application; and(c)section 78S, which provides grounds on which an entity may refuse to make an amendment.(2)Subsection (1) applies to documents regardless of when the documents came into existence.78DOther ways of amending personal information
Personal information may be amended other than by application under this chapter.78E Making amendment application
(1)An individual who has had access to a document of an agency or a document of a Minister, whether or not under this Act, may apply to the agency or Minister for amendment of any part of the individual’s personal information contained in the document that the individual claims is inaccurate, incomplete, out of date or misleading.1Minister is defined to include an Assistant Minister—see schedule 5.2Section 78F provides for amendment applications by parents for children and section 190 clarifies the powers of those acting for others.(2)For subsection (1), the reference to an individual who has had access to a document includes a reference to an individual whose agent has had access to the document.(3)Without limiting how an agent may be authorised for this section in relation to an applicant who is deceased, an agent may include—(a)an eligible family member of the deceased person; or(b)a person the agency or Minister considers has an appropriate interest in the amendment of the personal information.(4)The amendment application must—(a)be in writing; and(b)provide sufficient information concerning the document to enable the agency or Minister to identify the document; and(c)state an address to which notices under this Act may be sent to the applicant; and(d)be accompanied by—(i)evidence of identity for the applicant; and(ii)if an agent is acting for the applicant—evidence of the agent’s authorisation; andExamples of an agent’s authorisation—
•the will or court order appointing the agent to act as the applicant’s guardian•the client agreement authorising a legal practitioner to act for an applicant•if the application is made in reliance on section 78F, evidence the agent is the child’s parent(e)state the information the applicant claims is inaccurate, incomplete, out of date or misleading; and(f)state the way in which the applicant claims the information to be inaccurate, incomplete, out of date or misleading and the grounds for the applicant’s claim; and(g)if the applicant claims the information to be inaccurate or misleading—state the amendments the applicant claims are necessary for the information to be accurate or not misleading; and(h)if the applicant claims the information to be incomplete or out of date—state the other information the applicant claims is necessary to complete the information or to bring it up to date.(5)The amendment application may, but need not be, in the approved form.78FMaking amendment applications for children
(1)Without limiting the ability of persons to make amendment applications for children, an amendment application may be made for the child by the child’s parent.1Section 190 clarifies the powers of those acting for others.2For an application made for a child, the child (and not the parent) is the applicant—see schedule 5, definition applicant.(2)In this section—child see section 25.parent see section 25.78G Amendment application may not be made to OIC etc.
(1)An amendment application may not be made or transferred to the OIC, the information commissioner, the RTI commissioner or the privacy commissioner.(2)Subsection (1) does not apply to an amendment application made to the OIC by a person who is or was a staff member of the OIC.78H Decision-maker for application to agency
(1)An amendment application to an agency must be dealt with for the agency by the agency’s principal officer.(2)The agency’s principal officer may delegate the power to deal with the application to another officer of the agency.(3)Also, for an agency other than a local government, the agency’s principal officer may, with the agreement of another agency’s principal officer, delegate the power to deal with the application to the other agency’s principal officer.(4)The principal officer of the other agency may subdelegate a power delegated to the principal officer under subsection (3).Under the Acts Interpretation Act 1954, section 27A(2), a delegation may be revoked, wholly or partly, by the delegator. Accordingly, a delegation may be revoked before a decision is made in a particular case and the delegator may make the decision.(5)In this section—power to deal, with an amendment application, includes power to deal with an application for internal review in relation to the amendment application.Examples of dealing with an application for internal review—
•making a new decision under section 80(2)•giving notice under section 83(3)78IDecision-maker for application to Minister
(1)An amendment application to a Minister may be dealt with by the person the Minister directs, either generally or in a particular case.(2)In this section—deal, with an amendment application, includes deal with an application for internal review in relation to the amendment application.Examples of dealing with an application for internal review—
•making a new decision under section 80(2)•giving notice under section 83(3)78JApplication or part of application outside scope of Act
(1)This section applies if—(a)a person makes an application under this chapter to an entity to amend a document; and(b)the entity decides the application or a part of the application is outside the scope of this Act for 1 or more of the following reasons—(i)the application or part relates to a document that is not a document of an agency or a document of a Minister;(ii)for the application or part, the entity is an entity to which this Act does not apply;(iii)the application or part is made to the OIC, the information commissioner, the RTI commissioner or the privacy commissioner in contravention of section 78G.(2)Within 25 business days after the application is received, the entity must give prescribed written notice of the decision to the applicant.A decision that an application or a part of an application is outside the scope of this Act under any of schedule 2, part 2, items 1 to 8 is a judicial function decision (see schedule 5, definition judicial function decision) which is not a reviewable decision (see schedule 4, section 2(a)), but may be appealed to the appeal tribunal (see section 119(2)).(3)If an entity gives prescribed written notice to an applicant of a decision under this section in relation to only part of an application—(a)the application continues to be an amendment application excluding the part of the application the subject of the decision; and(b)the entity must consider the amendment application as continued under paragraph (a).78KNoncompliance with application requirement
(1)This section applies if—(a)a person purports to make an amendment application for a document to an agency or Minister; and(b)the application does not comply with all relevant application requirements for the application.(2)The agency or Minister must make reasonable efforts to contact the person within 15 business days after the purported application is received and inform the person how the application does not comply with a relevant application requirement.(3)An agency or Minister must not refuse to deal with an amendment application because it does not comply with all relevant application requirements without first giving the applicant a reasonable opportunity to consult with a view to making any changes or doing any other thing necessary to make the application in a form complying with all relevant application requirements.(4)The applicant is taken to have made an amendment application under this Act if and when the application is made in a form complying with all relevant application requirements.(5)Subsection (4) does not limit section 78J.(6)If, after giving the opportunity mentioned in subsection (3) and any consultation, an agency or Minister decides the application does not comply with all relevant application requirements, the agency or Minister must, within 10 business days after making the decision, give the applicant prescribed written notice of the decision.(7)The agency or Minister must provide advice and help, to the extent it would be reasonable to expect the agency or Minister to do so, to help the applicant to make an amendment application in a form complying with all relevant application requirements.(8)In this section—relevant application requirement, for an amendment application, means a matter set out in section 78E(4) that is required for the application.78LTransfer of amendment application
(1)An agency to which an amendment application has been made (the original agency) may transfer the application to another agency if—(a)the document to which the application relates is not in the original agency’s possession but is, to the original agency’s knowledge, in the other agency’s possession; and(b)the other agency consents to the transfer.(2)An application that is transferred from 1 agency to another agency is taken to have been made to the other agency.(3)If an application is made to an agency for amendment of 2 or more documents, at least 1 of which is a document mentioned in subsection (1)(a), this section applies to each of the documents as if separate amendment applications had been made to the agency for each of the documents.(4)In this section—agency includes a Minister.amendment application includes a purported amendment application.78MPro-amendment bias in deciding to deal with applications
(1)It is the Parliament’s intention that if an amendment application is made to an agency or Minister, the agency or Minister should deal with the application unless this would, on balance, be contrary to the public interest.(2)Section 78N states the only circumstances in which the Parliament considers it would, on balance, be contrary to the public interest to deal with an amendment application.(3)However, it is the Parliament’s intention that this Act should be administered with a pro-amendment bias and an agency or Minister may deal with an amendment application even if this Act provides that the agency or Minister may refuse to deal with the application.78NEffect on agency’s or Minister’s functions
(1)An agency or Minister may refuse to deal with an amendment application or, if the agency or Minister is considering 2 or more amendment applications by the applicant, all the applications, if the agency or Minister considers the work involved in dealing with the application or all the applications would, if carried out—(a)substantially and unreasonably divert the resources of the agency from their use by the agency in the performance of its functions; or(b)interfere substantially and unreasonably with the performance by the Minister of the Minister’s functions.(2)Without limiting the matters to which the agency or Minister may have regard in making a decision under subsection (1), the agency or Minister must have regard to the resources that would have to be used—(a)in identifying, locating or collating any document in the filing system of the agency or the Minister’s office; or(b)in making a copy, or edited copy, of any document; or(c)in notifying any final decision on the application.(3)In deciding whether to refuse, under subsection (1), to deal with an amendment application, an agency or Minister must not have regard to—(a)any reasons the applicant gives for applying for amendment; or(b)the agency’s or Minister’s belief about what are the applicant’s reasons for applying for amendment.78OPrerequisites before refusal because of effect on functions
(1)An agency or Minister may refuse to deal with an amendment application under section 78N only if—(a)the agency or Minister has given the applicant a written notice—(i)stating an intention to refuse to deal with the application; and(ii)advising that, for the prescribed consultation period for the notice, the applicant may consult with the agency or Minister with a view to making an application in a form that would remove the ground for refusal; and(iii)stating the effect of subsections (2) to (6); and(b)the agency or Minister has given the applicant a reasonable opportunity to consult with the agency or Minister; and(c)the agency or Minister has, as far as is reasonably practicable, given the applicant any information that would help the making of an application in a form that would remove the ground for refusal.(2)Following any consultation, the applicant may give the agency or Minister written notice either confirming or narrowing the application.(3)If the application is narrowed, section 78N applies in relation to the changed application but this section does not apply to it.(4)If the applicant fails to consult after being given notice under subsection (1), the applicant is taken to have withdrawn the application at the end of the prescribed consultation period.(5)Without limiting subsection (4), the applicant is taken to have failed to consult if, by the end of the prescribed consultation period, the applicant has not given the agency or Minister written notice under subsection (2).(6)In this section—prescribed consultation period, for a written notice under subsection (1)(a), means—(a)the period of 10 business days after the date of the notice; or(b)the longer period agreed by the agency or Minister and the applicant whether before or after the end of the 10 business days mentioned in paragraph (a).78PPrevious application for same documents
(1)This section applies if—(a)an applicant makes an amendment application to an agency or Minister (the first application); and(b)the applicant makes another amendment application (the later application) to the same agency or Minister for amendment of 1 or more of the same documents sought to be amended under the first application and the later application does not, on its face, disclose any reasonable basis for again seeking the amendment of the document or documents.(2)For subsection (1)(a), the first application—(a)does not include an amendment application taken to have been withdrawn under section 78O(4); and(b)if an amendment application has been narrowed under section 78O—means only the application as changed.(3)The agency or Minister may refuse to deal with the later application to the extent it is for amendment of a document or documents sought to be amended under the first application if—(a)when the later application was made, the agency or Minister had not decided the first application; or(b)in relation to the first application—(i)the applicant had been given notice under section 78T that amendment was to be allowed for the document sought to be amended or for some or all of the documents sought to be amended; or(ii)the agency or Minister had decided that the application was for a document to which this chapter does not apply; or(iii)the agency or Minister had decided the document or documents sought to be amended were documents amendment of which was refused under section 78Q; or(iv)the agency or Minister had refused to deal with it under this part; or(c)the agency’s or Minister’s decision on the first application—(i)is the subject of a review and the review is not complete; or(ii)has been the subject of a completed review (other than an internal review).(4)For subsection (3)(c)—(a)review means an internal review, an external review or a proceeding under chapter 3B, part 4; and(b)a review is complete if the review has ended because of an informal resolution or because of a decision of the entity conducting the review.78Q Considered decision on amendment application
If a person makes an amendment application for a document to an agency or Minister, the agency or Minister must—(a)after considering the application, make a decision (a considered decision) whether amendment of the document is to be permitted or refused; and(b)give the person written notice of the decision under section 78T.78R Deemed decision on amendment application
(1)If an applicant for an amendment application for a document is not given written notice of a decision by the end of the processing period for the application, on the last day of the processing period, the principal officer of the agency or the Minister is taken to have made a decision (a deemed decision) refusing to amend the document.(2)As soon as practicable after a deemed decision is taken to have been made, the principal officer or Minister must give prescribed written notice of the decision to the applicant.78S Grounds on which amendment may be refused
(1)Without limiting the grounds on which an agency or Minister may refuse to amend a document the subject of an amendment application, the agency or Minister may refuse to amend a document because—(a)the agency or Minister is not satisfied—(i)the personal information contained in the document is inaccurate, incomplete, out of date or misleading; or(ii)the information sought to be amended in the document is personal information of the applicant; or(iii)if the application is purportedly made by an agent—that the agent is suitably authorised to make the application; or(b)the document does not form part of a functional record.(2)In this section—functional record, of an agency or Minister, means a record available for use in the day-to-day or ordinary performance of the agency’s or Minister’s functions.78T Notification of decision and reasons
(1)An agency or Minister is to give a prescribed written notice to an applicant for an amendment application of the decision on the application.(2)If amendment of the document is to be permitted, the prescribed written notice is not required to state the reasons for the decision.(3)An agency or Minister is not required to include any exempt information, or contrary to public interest information, in the notice.(4)This section does not apply in relation to a deemed decision.78U Amendment of document by alteration or notation
(1)If an agency or Minister to whom an amendment application is made decides to amend the document in relation to the personal information contained in the document the subject of the application, the agency or Minister may make the amendment by—(a)altering the personal information; or(b)adding an appropriate notation to the personal information.(2)If an agency or Minister adds a notation to personal information, the notation must—(a)state how the information is inaccurate, incomplete, out of date or misleading; and(b)if the information is claimed to be incomplete or out of date—set out the information required to complete the information or bring it up to date.78V Particular notations required to be added
(1)This section applies if—(a)a person makes an amendment application to an agency or Minister; and(b)under section 78Q, the agency or Minister refuses to amend the document.(2)The applicant may, whether or not the applicant has applied for review of the decision under chapter 3B, part 1 or 2, by written notice, require the agency or Minister to add to the personal information included in the document a notation—(a)stating the way the applicant claims the information to be inaccurate, incomplete, out of date or misleading; and(b)if the applicant claims the information to be inaccurate or misleading—setting out the amendments the applicant claims are necessary for the information to be accurate or not misleading; and(c)if the applicant claims the information to be incomplete or out of date—setting out the information the applicant claims is necessary to complete the information or to bring it up to date.(3)The agency or Minister must—(a)comply with the requirements of a notice under subsection (2); and(b)give the applicant written notice of the nature of the notation.(4)Subsection (3)(a) does not require the agency or Minister to make a notation using the same words as the words provided by the applicant.(5)If the agency or Minister decides the information to which the notice relates is not information in relation to which the applicant was entitled to apply to the agency or Minister for amendment of the document—(a)subsection (3) does not apply; and(b)the agency or Minister must give prescribed written notice to the applicant of the decision.(6)If an agency or Minister (the document holder) discloses to a person (including an agency or Minister) any information contained in the part of the document the subject of the amendment application, the document holder—(a)must ensure the person is given, when the information is disclosed, a statement—(i)stating that the person, or eligible family member of the person, to whom the information relates claims that the information is inaccurate, incomplete, out of date or misleading; and(ii)setting out particulars of the notation added under this section; and(b)may include in the statement the reason for the document holder’s refusal to amend the document.
106Insertion of new ch 3B, hdg
After section 78V, as inserted by this Act—
insert—
107Renumbering of ch 3, pt 8 (Internal review)
Chapter 3, part 8—
renumber as chapter 3B, part 1.
108Amendment of s 79 (Definitions for pt 8)
(1)Section 79, heading, ‘pt 8’—
omit, insert—part
(2)Section 79—
insert—internal review processing period see section 82A.
109Amendment of s 80 (Internal review)
(1)Section 80(1), note 1—
omit, insert—1See schedule 4A for decisions that are reviewable decisions.(2)Section 80(1), note 2, ‘part 9’—
omit, insert—part 2
(3)Section 80(1), note 3, ‘sections 30 and 31’—
omit, insert—sections 30, 31, 78H and 78I
(4)Section 80(2), from ‘reviewer’—
omit, insert—reviewer—
(a)must make a new decision as if the reviewable decision had not been made; and(b)for an internal review of a decision relating to an access application—may review whether the agency or Minister has taken reasonable steps to identify and locate documents applied for by the applicant.
110Amendment of s 81 (Decisions that may not be reviewed)
Section 81, after ‘access’—
insert—or amendment
After section 82—
insert—82AMeaning of internal review processing period
(1)The internal review processing period, for an internal review application, is the total of—(a)a period of 20 business days from the valid application day for the application; and(b)each additional period mentioned in column 2 of the following table for a circumstance mentioned in column 1 applying to the application.
Column 1
CircumstanceColumn 2
Additional periodthe only address to be sent notices the applicant gives the agency or Minister by the valid application day is a postal address
5 business days
for an internal review application relating to an access application—the internal review application involves consultation with a relevant third party under section 37
10 business days
the agency or Minister asks for a further specified period under subsection (2)
the following period—
(a) if paragraph (b) does not apply—the further specified period;(b) if the applicant refuses the request or applies for external review under section 86B—the period starting on the day the further specified period starts and ending on the day the applicant refuses the request or applies for external review(2)Before the end of the internal review processing period for the internal review application, the agency or Minister may ask the applicant for internal review for a further specified period to consider the application.(3)A request under subsection (2) may be made more than once.(4)In this section—valid application day, for an internal review application, means the day on which the application complies with all matters set out in section 82 that are required for the application.
112Amendment of s 83 (When internal review application to be decided)
Section 83(2), from ‘within’ to ‘affirming’—
omit, insert—within the internal review processing period, the agency’s principal officer or the Minister is taken to have made a decision at the end of the internal review processing period affirming
113Renumbering of ch 3, pt 9 (External review)
Chapter 3, part 9—
renumber as chapter 3B, part 2.
114Insertion of new ss 86A and 86B
After section 86—
insert—86AExternal review during processing period
(1)This section applies if—(a)an agency or Minister has asked the applicant for an access or amendment application for a further specified period to consider the application under section 18(2); and(b)the processing period for the application disregarding the further specified period has ended; and(c)the further specified period has not ended; and(d)the agency or Minister has not given the applicant written notice of a decision on the application.(2)The applicant may apply for external review as if—(a)the processing period for the access or amendment application does not include the further specified period; and(b)the agency’s principal officer or the Minister has made a deemed decision at the end of the processing period mentioned in paragraph (a); and(c)the applicant has been given written notice of the deemed decision at the end of the processing period mentioned in paragraph (a).(3)If the applicant applies for an external review under subsection (2)—(a)the agency’s principal officer or the Minister is taken to have made a deemed decision at the end of the processing period mentioned in subsection (2)(a); and(b)this Act applies in relation to the deemed decision as if it were a deemed decision under section 46 or 78R—(i)subject to subsections (4) and (5); and(ii)with any necessary changes.(4)Any application fee paid for an access application the subject of the deemed decision must be refunded as soon as practicable after the information commissioner informs the agency or Minister of the external review application.(5)The agency’s principal officer or the Minister need not give prescribed written notice of the deemed decision to the applicant.86BExternal review during internal review processing period
(1)This section applies if—(a)an agency or Minister has asked an applicant for internal review for a further specified period to consider the applicant’s internal review application under section 82A(2); and(b)the internal review processing period for the application disregarding the further specified period has ended; and(c)the further specified period has not ended; and(d)the agency or Minister has not given the applicant written notice of a decision on the application.(2)The applicant for internal review may apply for external review as if—(a)the internal review processing period for the internal review application does not include the further specified period; and(b)the agency’s principal officer or the Minister has made a decision affirming the original decision at the end of the internal review processing period mentioned in paragraph (a); and(c)the applicant has been given written notice of the decision affirming the original decision at the end of the internal review processing period mentioned in paragraph (a).(3)If the applicant for internal review applies for an external review under subsection (2)—(a)the agency’s principal officer or the Minister is taken to have made a decision affirming the original decision at the end of the internal review processing period mentioned in subsection (2)(a); and(b)this Act applies in relation to the decision taken to have been made under paragraph (a) as if it were a decision taken to have been made under section 83(2)—(i)subject to subsection (4); and(ii)with any necessary changes.(4)The agency’s principal officer or the Minister need not give the applicant prescribed written notice of the decision taken to have been made under subsection (3)(a).
115Amendment of s 93 (Applications where decision delayed)
(1)Section 93(1)(a) and (b) and (2), after ‘access’—
insert—or amendment
(2)Section 93(2), from ‘that’ to ‘refunded or’—
omit, insert—that
(3)Section 93(3), after ‘access’—
insert—or amendment
After section 94—
insert—94AAgency or Minister authorised to give access to documents
If an agency or Minister agrees to give access to a document, or a part of a document, to a participant in an external review—(a)the agency or Minister is authorised to give access to the document or part to the participant; and(b)the external review continues as if the review did not apply in relation to the document or part.
117Replacement of s 102 (Requiring a search)
Section 102—
omit, insert—(1)In the conduct of an external review of a decision relating to an access application, the information commissioner may require the agency or Minister to conduct a particular search, or to conduct searches, for a document.(2)In this section—conduct, a search for a document, includes make inquiries to locate the document.search includes a further search.
118Amendment of s 105 (Additional powers)
Section 105(1)(a) and (b), after ‘access’—
insert—or amendment
After section 105—
insert—105A Referral of particular documents relating to external review to agency or Minister
(1)This section applies if—(a)an application is made to the information commissioner for external review of a decision relating to an access application; and(b)the commissioner becomes aware of the existence of a document that the commissioner believes may not have been considered by the agency or Minister in making the decision the subject of the external review; andExamples of ways the commissioner may become aware of the existence of a document—
•a search required under section 102 has located the document•the document is referred to in another document produced to the commissioner•the agency advises the commissioner that the agency holds additional documents(c)the commissioner considers—(i)referral of the document to the agency or Minister under this section would be a more efficient and effective way for a decision to be made about whether access is to be given to the document than the commissioner making the decision; and(ii)it is reasonably likely that the agency or Minister would be able to make a decision about whether access is to be given to the document that is consistent with the primary object of this Act.(2)The commissioner may, after consulting with the agency or Minister about the matters in subsection (1)(c), refer the document to the agency or Minister for a decision about whether access is to be given to the document.(3)On the referral of the document under subsection (2)—(a)a new access application is taken to have been made by the access applicant under section 24 in relation to the document; and(b)the external review continues as if the review did not apply in relation to the document.(4)For subsection (3)(a)—(a)the new access application is taken to have been made on the day the information commissioner refers the document to the agency or Minister under subsection (2); and(b)despite section 24(2)(a), no application fee is payable in relation to the new access application; and(c)despite section 24(2)(d)(i), the new access application need not be accompanied by evidence of identity for the access applicant; and(d)despite section 24(2)(d)(ii), if an agent is acting for the access applicant and the agent is the same agent who acted on the original access application, the new access application need not be accompanied by evidence of the agent’s authorisation; and(e)despite chapter 3, part 6, no processing charge or access charge is payable in relation to the new access application.(5)In this section—access applicant means the applicant for the access application mentioned in subsection (1)(a).
120Amendment of s 107 (Information commissioner to ensure proper disclosure and return of documents)
Section 107(1)(a)—
insert—(iv)a relevant third party under section 107A; and
After section 107—
insert—107A Information commissioner may give document to third party to obtain views
(1)This section applies if a document the subject of an external review of a decision relating to an access application contains information the disclosure of which may reasonably be expected to be of concern to a government, agency or person (the relevant third party).(2)The commissioner may—(a)give access to the document to the relevant third party to obtain the views of the relevant third party about whether—(i)the document is a document to which this Act does not apply; or(ii)the information is exempt information or contrary to public interest information; and(b)inform the relevant third party that if the commissioner decides, on the external review, to give access to the document, access may also be given to the document under a disclosure log.(3)If disclosure of information may reasonably be expected to be of concern to a person but for the fact that the person is deceased, subsections (1) and (2) apply as if the person’s representative were a relevant third party.(4)If the commissioner gives access to a document under this section, the commissioner must notify the agency or Minister for the decision the subject of the external review of the giving of the access.(5)In this section—representative, in relation to a deceased person, means the deceased person’s eligible family member, or, if 2 or more persons qualify as the deceased person’s eligible family member, 1 of those persons.
122Amendment of s 110 (Decision on external review)
Section 110(1)—
insert—(d)setting aside the decision and giving a direction under section 110A or 110B.
123Insertion of new ss 110A and 110B
After section 110—
insert—110A Direction to decide whether access to be given
(1)This section applies in relation to an external review of a relevant decision made by an agency or Minister in relation to an access application (the original access application) if—(a)the information commissioner would, other than for this section, have decided to set aside the relevant decision and make a decision in substitution for the relevant decision under section 110(1)(c); and(b)the commissioner believes it would be more efficient and effective for the agency or Minister to consider whether access is to be given to the subject documents than for the commissioner to make a decision in substitution for the relevant decision under section 110(1)(c); and(c)the commissioner believes that if the agency or Minister were to consider whether access is to be given to the subject documents, it is reasonably likely the agency or Minister would be able to make a decision that is consistent with the primary object of this Act.(2)The commissioner may, after consulting with the agency or Minister about the matters mentioned in subsection (1), set aside the relevant decision and give a notice to the agency or Minister—(a)stating that the relevant decision is set aside; and(b)directing the agency or Minister to decide whether access is to be given to the subject documents as if the ground for making the relevant decision did not apply in relation to the documents.(3)If an agency or Minister is given a notice under subsection (2), a new access application is taken to have been made by the access applicant under section 24 in relation to the subject documents.(4)For subsection (3)—(a)the new access application is taken to have been made on the day that is 21 business days after the information commissioner gives the notice to the agency or Minister under subsection (2); and(b)despite section 24(2)(a), no application fee is payable in relation to the new access application; and(c)despite section 24(2)(d)(i), the new access application need not be accompanied by evidence of identity for the access applicant; and(d)despite section 24(2)(d)(ii), if an agent is acting for the access applicant and the agent is the same agent who acted on the original access application, the new access application need not be accompanied by evidence of the agent’s authorisation; and(e)for section 43, the original access application is taken never to have been made in relation to the subject documents.(5)In this section—access applicant means the applicant for the original access application.relevant decision, in relation to an access application, means a decision—(a)that the application or a part of the application is outside the scope of this Act under section 32(1)(b); or(b)that the application does not comply with all relevant application requirements under section 33(6); or(c)to refuse to deal with the application under chapter 3, part 4; or(d)to refuse access to a document under section 47(3)(f) because other access to the document is available; or(e)to refuse access to a document containing prescribed information by giving written notice under section 55(2).subject documents means documents the subject of the original access application to which access is not given because of the relevant decision.110B Direction to decide whether documents to be amended
(1)This section applies in relation to an external review of a relevant decision made by an agency or Minister in relation to an amendment application (the original amendment application) if—(a)the information commissioner would, other than for this section, have decided to set aside the relevant decision and make a decision in substitution for the relevant decision under section 110(1)(c); and(b)the commissioner believes it would be more efficient and effective for the agency or Minister to consider whether amendment of the subject documents is to be permitted or refused than for the commissioner to make a decision in substitution for the relevant decision under section 110(1)(c); and(c)the commissioner believes that if the agency or Minister were to consider whether amendment of the subject documents is to be permitted or refused, it is reasonably likely the agency or Minister would be able to make a decision that is consistent with the primary object of this Act.(2)The commissioner may, after consulting with the agency or Minister about the matters mentioned in subsection (1), set aside the relevant decision and give a notice to the agency or Minister—(a)stating that the relevant decision is set aside; and(b)directing the agency or Minister to decide whether amendment of the subject documents is to be permitted or refused as if the ground for making the relevant decision did not apply in relation to the documents.(3)If an agency or Minister is given a notice under subsection (2), a new amendment application is taken to have been made by the amendment applicant under section 78E in relation to the subject documents.(4)For subsection (3)—(a)the new amendment application is taken to have been made on the day that is 21 business days after the information commissioner gives the notice to the agency or Minister under subsection (2); and(b)despite section 78E(4)(d)(i), the new amendment application need not be accompanied by evidence of identity for the amendment applicant; and(c)despite section 78E(4)(d)(ii), if an agent is acting for the amendment applicant and the agent is the same agent who acted on the original amendment application, the new amendment application need not be accompanied by evidence of the agent’s authorisation; and(d)for section 78P, the original amendment application is taken never to have been made in relation to the subject documents.(5)In this section—amendment applicant means the applicant for the original amendment application.relevant decision, in relation to an amendment application, means a decision—(a)that the application or a part of the application is outside the scope of this Act under section 78J(1)(b); or(b)that the application does not comply with all relevant application requirements under section 78K(6); or(c)to refuse to deal with the application under chapter 3A, part 4.subject documents means documents the subject of the original amendment application amendment of which was neither permitted nor refused because of the relevant decision.
124Amendment of s 113 (Disciplinary action)
(1)Section 113(2)(a), after ‘section 31’—
insert—or 78I
(2)Section 113(3), definition responsible Minister, paragraph (c), ‘another’—
omit, insert—a
(3)Section 113(3), definition responsible Minister, paragraph (e), ‘section 16(1)(a), (c)(ii) or (ca)’—
omit, insert—section 16(1)(a) or (ca) or declared under section 16A on the basis of the Minister being satisfied under section 16A(2)(a)(iii)
125Renumbering of ch 3, pt 10 (Vexatious applicants)
Chapter 3, part 10—
renumber as chapter 3B, part 3.
126Amendment of s 114 (Vexatious applicants)
(1)Section 114(2)(a), ‘access actions’—
omit, insert—access or amendment actions
(2)Section 114(2)(b), ‘access action’—
omit, insert—access or amendment action
(3)Section 114(5), ‘access application’—
omit, insert—access or amendment application
(4)Section 114(8), definition abuse of process, ‘access action’—
omit, insert—access or amendment action
(5)Section 114(8), definition abuse of process, paragraph (c), after ‘access to’—
insert—or amendment of
(6)Section 114(8), definition access action—
omit, insert—access or amendment action means any of the following—(a)an access application;(b)an amendment application;(c)an internal review application;(d)an external review application.(7)Section 114(8), definition engage, ‘access action’—
omit, insert—access or amendment action
127Renumbering of ch 3, pt 11 (References of questions of law and appeals)
Chapter 3, part 11—
renumber as chapter 3B, part 4.
128Amendment of s 119 (Appeal to Queensland Civil and Administrative Tribunal on question of law)
(1)Section 119—
insert—(1A)Also, a person affected by a judicial function decision may appeal to the appeal tribunal against a judicial function decision.(2)Section 119(3)(b)—
omit, insert—(b)be served as soon as possible—(i)for a participant in an external review—on all participants in the external review; or(ii)for a person affected by a judicial function decision—on the entity that made the decision.(3)Section 119(5)—
omit, insert—(5)For an appeal against a decision of the information commissioner under subsection (1), the participants in the external review, other than the information commissioner, are parties to the appeal.(4)Section 119(1A) to (5)—
renumber as section 119(2) to (6).
129Amendment of s 131 (Performance monitoring functions)
Section 131(1), ‘and the Information Privacy Act, chapter 3’—
omit.
130Amendment of s 178 (Failure to produce documents or attend proceedings)
Section 178—
insert—(2)If the person is an individual and is given notice to give information or produce a document, it is a reasonable excuse for the person to fail to give the information or produce the document if complying with the requirement might tend to incriminate the person or expose the person to a penalty.
131Amendment of s 179 (Disclosure or taking advantage of information)
(1)Section 179(b), ‘himself or herself’—
omit, insert—themself
(2)Section 179—
insert—(2)Subsection (1)(a) does not apply if the person reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety.
132Amendment of s 184 (Reports of information commissioner)
Section 184(1), after ‘on’—
insert—matters relating to the performance of the commissioner’s functions, including
133Replacement of s 185 (Report to Assembly on Act’s operation)
Section 185—
omit, insert—185Report to Assembly on Act’s operation
(1)An agency or Minister must, as soon as practicable after the end of each financial year, give the information commissioner the information prescribed by regulation about the operation of this Act in relation to the agency or Minister during that year.(2)The information commissioner must, as soon as practicable after receiving the information mentioned in subsection (1), prepare a report on the operation of this Act during that year and give the report to the parliamentary committee.(3)A report under subsection (2) must include, in relation to the financial year to which it relates, details of the matters prescribed by regulation.(4)The chair of the parliamentary committee must table a report received under subsection (2) in the Assembly within 3 sitting days after the committee receives the report.
After section 191—
insert—191A Corporations legislation displacement
(1)A regulation may declare a provision of this Act that applies in relation to a prescribed corporation to be a Corporations legislation displacement provision for the purposes of the Corporations Act, section 5G.(2)A regulation under subsection (1) may be declared to apply in relation to—(a)the whole of the Corporations legislation or a particular provision of the Corporations legislation; or(b)all prescribed corporations or a particular prescribed corporation.(3)In this section—prescribed corporation means a corporation, within the meaning of the Corporations Act, that is declared under section 16A to be a public authority for this Act.
135Insertion of new ch 7, pt 9
Chapter 7—
insert—In this part—amendment Act means the Information Privacy and Other Legislation Amendment Act 2023.former, for a provision of this Act, means the provision as in force from time to time before the commencement of the provision in which the term is used.former IP Act means the Information Privacy Act 2009 as in force from time to time before the commencement of the provision in which the term is used.new, for a provision of this Act, means the provision as in force from the commencement of the provision in which the term is used.206K Existing access applications
(1)This section applies if an application or purported application under former chapter 3 has been made, but not finalised, before the commencement.(2)This Act as in force from time to time before the commencement continues to apply in relation to the application or purported application as if the amendment Act had not been enacted.(3)For subsection (1), an application or purported application under former chapter 3 has not been finalised until—(a)a decision on the application or purported application has been made or taken to have been made; and(b)either—(i)the time for exercising any review rights or appeal rights in relation to the decision has ended without any rights being exercised; or(ii)any review or appeal in relation to the decision has ended.(4)This section is subject to section 206L.(1)New chapter 3, part 7, division 2 applies in relation to an access application, regardless of when the application was made.(2)Also, a reference in this Act to publication of information or a document in a disclosure log under section 78A is taken to include a reference to publication of the information or document in a disclosure log under former section 78.(3)In this section—publication, of information or a document in a disclosure log, includes inclusion of, or the giving of access to, information or a document in a disclosure log.206M Refusal to deal with access application—previous application for same documents
(1)In section 43, a reference to a first application is taken to include a reference to an access application under the former IP Act.(2)If a first application under section 43 is an access application under the former IP Act—(a)a reference in section 43 to a provision of this Act is taken to include a reference to the corresponding former IP Act provision for the provision of this Act; and(b)a reference in section 43 to a review is taken to include a reference to a former IP Act review.(3)In this section—corresponding former IP Act provision, for a provision of this Act, means a provision of the former IP Act that is substantially the same as or equivalent to the provision of this Act.former IP Act review means—(a)an internal review under the former IP Act; or(b)an external review under the former IP Act; or(c)a proceeding under the former IP Act, chapter 3, part 11.206N Refusal to deal with amendment application—previous application for same documents
(1)In section 78P, a reference to a first application is taken to include a reference to an amendment application under the former IP Act.(2)If a first application under section 78P is an amendment application under the former IP Act—(a)a reference in section 78P to a provision of this Act is taken to include a reference to the corresponding former IP Act provision for the provision of this Act; and(b)a reference in section 78P to a review is taken to include a reference to a former IP Act review.(3)In this section—corresponding former IP Act provision, for a provision of this Act, means a provision of the former IP Act that is substantially the same as or equivalent to the provision of this Act.former IP Act review means—(a)an internal review under the former IP Act; or(b)an external review under the former IP Act; or(c)a proceeding under the former IP Act, chapter 3, part 11.206O Existing delegations or subdelegations under former IP Act relating to amendment applications
(1)This section applies to a delegation or subdelegation made by an agency’s principal officer that—(a)relates to amendment applications under the former IP Act, section 50; and(b)was still in effect immediately before the commencement.(2)The delegation or subdelegation continues to have effect for amendment applications under section 78H.206P Existing directions under former IP Act relating to amendment applications
(1)This section applies to a direction made by a Minister that—(a)relates to amendment applications under the former IP Act, section 51; and(b)was still in effect immediately before the commencement.(2)The direction continues to have effect for amendment applications under section 78I.206Q Performance monitoring functions
(1)Former section 131 continues to apply in relation to—(a)an existing review in relation to the operation of the former IP Act, chapter 3; and(b)the operation of the former IP Act, chapter 3 under the Information Privacy Act 2009, section 217.(2)In this section—existing review means a review started under former section 131 before the commencement if the information commissioner has not given a report about the outcome of the review to the parliamentary committee before the commencement.206R Report to Assembly on Act’s operation
(1)This section applies in relation to a financial year ending before the commencement if the report for the financial year has not been tabled in the Assembly under former section 185.(2)Former section 185 continues to apply in relation to the financial year as if the amendment Act had not been enacted.(3)New section 185 does not apply in relation to the financial year.
136Amendment of sch 3, s 2 (Cabinet information brought into existence on or after commencement)
Schedule 3, section 2—
insert—(3A)To remove any doubt, it is declared that—(a)a document mentioned in subsection (3)(a) or (f)—(i)is not comprised exclusively of exempt information if some information in the document has been officially published by decision of Cabinet; but(ii)continues to be comprised of exempt information to the extent information in the document has not been published; and(b)a document mentioned in subsection (3)(b) to (e) or (g) is taken to be comprised exclusively of exempt information despite any publication of a document mentioned in subsection (3)(a) or (f).
137Amendment of sch 3, s 12 (Information disclosure of which prohibited by Act)
Schedule 3, section 12(1)—
insert—•Ombudsman Act 2001, section 92
138Amendment of sch 4 (Factors for deciding the public interest)
Schedule 4, note before part 1—
omit, insert—1Access to a document may be refused to the extent the document comprises information the disclosure of which would, on balance, be contrary to the public interest under section 49—see section 47(3)(b).2Factors for deciding the public interest may include factors other than the factors mentioned in this schedule.
After schedule 4—
insert—schedule 5, definition reviewable decision
1Decisions relating to access applications
Each of the following decisions relating to an access application is a reviewable decision—(a)a decision that the application or a part of the application is outside the scope of this Act under section 32(1)(b), other than a judicial function decision;(b)a decision that the application does not comply with all relevant application requirements under section 33(6);(c)a decision—(i)to disclose a document contrary to the views of a relevant third party obtained under section 37; or(ii)to disclose a document if an agency or Minister should have taken, but has not taken, steps to obtain the views of a relevant third party under section 37;(d)a decision refusing to deal with the application under chapter 3, part 4;(e)a decision refusing access to all or part of a document under section 47;(f)a decision deferring access to a document under section 72;(g)a decision giving access to documents subject to the deletion of information under section 73;(h)a decision about whether access is to be given to documents that purports to, but may not, be a decision on all documents the subject of the application;Example of when decision may not be on all documents the subject of an access application—
an agency has not taken reasonable steps to identify and locate documents applied for by an applicant(i)a decision giving access to documents in a form different to the form applied for by the applicant, unless access in the form applied for would involve an infringement of the copyright of a person other than the State;(j)a decision about whether a processing charge or access charge is payable in relation to access to a document (including a decision not to waive charges);(k)a deemed decision.2Decisions relating to amendment applications
Each of the following decisions relating to an amendment application is a reviewable decision—(a)a decision that the application or a part of the application is outside the scope of this Act under section 78J(1)(b), other than a judicial function decision;(b)a decision that the application does not comply with all relevant application requirements under section 78K(6);(c)a decision refusing to deal with the application under chapter 3A, part 4;(d)a decision refusing amendment of a document under section 78Q;(e)a decision under section 78V(5) that information to which a notice under section 78V(2) relates is not information in relation to which the applicant was entitled to apply to the agency or Minister for amendment of the document;(f)a deemed decision.
140Amendment of sch 5 (Dictionary)
(1)Schedule 5, definitions considered decision, decision-maker, deemed decision, Information Privacy Act, narrow, personal information, reviewable decision, revision period, schedule of relevant documents and transfer period—
omit.(2)Schedule 5—
insert—amendment application means an application by an individual under chapter 3A to amend a document in relation to the individual’s personal information contained in the document.considered decision—(a)for an access application—see section 45; or(b)for an amendment application—see section 78Q.decision-maker means—(a)for an access or amendment application to an agency—the person with power in relation to all or part of the application under section 30 or 78H; or(b)for an access or amendment application to a Minister—the Minister or the person with power in relation to all or part of the application under section 31 or 78I.deemed decision—(a)for an access application—see section 46; or(b)for an amendment application—see section 78R.evidence of identity, in relation to an access or amendment application, means the evidence of identity prescribed under a regulation.internal review processing period see section 82A.judicial function decision means a decision by an entity under section 32(1)(b) or 78J(1)(b) that an access or amendment application or part of an access or amendment application is outside the scope of this Act under any of schedule 2, part 2, items 1 to 8.narrow—(a)for an access application, means change the application by reducing the part of a document or the number of documents to which access is sought under the application; or(b)for an amendment application, means change the application by reducing the part of a document or the number of documents sought to be amended under the application.personal information see the Information Privacy Act 2009, section 12.reviewable decision means a decision mentioned in schedule 4A.(3)Schedule 5, definitions appeal tribunal and judicial member, ‘chapter 3, part 11’—
omit, insert—chapter 3B, part 4
(4)Schedule 5, definition privacy commissioner, ‘Information Privacy Act’—
omit, insert—
Schedule 1 amends the legislation it mentions.
omit, insert—copy
omit, insert—copy
1Section 72A(3), note, from ‘See the’—
omit, insert—See QPP 6.2(b) in schedule 3 of that Act.
omit, insert—58Authorisation of disclosure of personal information to particular entities outside Australia
omit, insert—disclose
3Section 58(2), ‘transferred’—
omit, insert—disclosed
1Schedule 1, part 1, under heading ‘Criminal Code’, entry for 408E(1), column 2, ‘Computer hacking and misuse’—
omit, insert—Misuse of restricted computer
2Schedule 1, part 2, under heading ‘Criminal Code’, entry for 408E, column 2, ‘Computer hacking and misuse’—
omit, insert—Misuse of restricted computer
1Section 275A(4), from ‘or’ to ‘chapter 3’—
omit.
1Section 273(1), from ‘and the’ to ‘apply’—
omit, insert—applies
1Section 552BB, table, entry for section 408E, column 2, ‘Computer hacking and misuse’—
omit, insert—Misuse of restricted computer
1Section 169K(4)(b), from ‘comply’—
omit, insert—comply with the QPPs under the Information Privacy Act 2009—complies with the QPPs under that Act; or
omit, insert—7
omit.
omit, insert—the QPPs
2Section 25B(2)(b), ‘any IPP’—
omit, insert—any QPP
1Section 132(3), from ‘or’ to ‘chapter 3’—
omit.
1Section 161B(2), ‘chapter 2, part 4’—
omit, insert—chapter 2, part 3
omit.
2Chapter 2, heading, ‘Privacy’—
omit, insert—Queensland privacy
3Chapter 2, pt 1, heading, ‘IPPs’—
omit, insert—QPPs
4Section 36, heading, ‘principles’—
omit, insert—principle requirements
5Chapter 6, note before part 1—
omit.
omit.
7Schedule 1, heading, ‘principles’—
omit, insert—principle requirements
8Schedule 1, section 7(c), ‘under the Public Records Act 2023’—
omit.
9Schedule 2, heading, ‘principles’—
omit, insert—principle requirements
10Schedule 2, authorising provision, ‘section 19’—
omit, insert—section 18(4)
11Schedule 2, part 1, heading, ‘principles’—
omit, insert—principle requirements
12Schedule 2, part 2, heading, ‘principles’—
omit, insert—principle requirements
13Schedule 5, definition bound contracted service provider, paragraphs (a) and (b), ‘principles’—
omit, insert—principle requirements
14Schedule 5, definition disclose, ‘for the application of the privacy principles’—
omit.
1Section 95(3), from ‘or’ to ‘chapter 3’—
omit.
omit.
renumber as section 676(a) and (b).
1Schedule 1, part 1, under heading ‘Criminal Code’, entry for 408E(1), column 2, ‘Computer hacking and misuse’—
omit, insert—Misuse of restricted computer
2Schedule 1, part 2, under heading ‘Criminal Code’, entry for 408E, column 2, ‘Computer hacking and misuse’—
omit, insert—Misuse of restricted computer
1Section 255(4), from ‘or’ to ‘chapter 3’—
omit.
1Section 112(3), from ‘or’ to ‘chapter 3’—
omit.
1Section 12(3), ‘subsection (2)(b), (c)’—
omit, insert—subsection (2)(c)
omit.
renumber as section 12(3)(a) and (b).
1Schedule 2, section 4, last dot point, ‘(Computer hacking and misuse)’—
omit, insert—(Misuse of restricted computer)
2Schedule 3, section 6, eighth dot point, ‘(Computer hacking and misuse)’—
omit, insert—(Misuse of restricted computer)
3Schedule 5, part 1, section 1, fourth dot point, ‘(Computer hacking and misuse)’—
omit, insert—(Misuse of restricted computer)
4Schedule 5, part 2, section 5, first dot point, ‘(Computer hacking and misuse)’—
omit, insert—(Misuse of restricted computer)
1Section 107(1), from ‘and the’ to ‘apply’—
omit, insert—applies
1Section 213AE(2), ‘chapter 2, part 4’—
omit, insert—chapter 2, part 3
1Section 177(3), note, second dot point, ‘sections 140’—
omit, insert—sections 134, 140
1Section 41(4), from ‘(1)(b)’—
omit, insert—(1)(d), a reference in the Right to Information Act 2009, section 113 to the responsible Minister is a reference to the Minister administering the Land Title Act 1994.
omit, insert—See QPP 6.2(b) in schedule 3 of the Information Privacy Act 2009.
1Section 23(2), from ‘even’ to ‘Act’—
omit, insert—regardless of when the documents came into existence
omit, insert—the principal officer
3Section 42(5), ‘named officer or member’—
omit, insert—agency or Minister
4Section 50(3)(b), ‘his or her’—
omit, insert—the child’s
omit.
6Section 55(4), note, from ‘schedule’ to ‘paragraph (e)’—
omit, insert—schedule 4A, section 1(e)
renumber as section 55(3).
8Section 59, from ‘to the’ to ‘that is’—
omit, insert—containing
9Section 68(2) and (3), ‘to 75’—
omit, insert—to 75B
10Section 69(3)(d), ‘part 11’—
omit, insert—chapter 3B, part 4
11Section 84, heading, ‘pt 9’—
omit, insert—part
12Section 85, heading, after ‘review’—
insert—of reviewable decision
omit, insert—1See schedule 4A for decisions that are reviewable decisions.
14Section 85, note 2, ‘part 8’—
omit, insert—part 1
15Section 95(1)(c), ‘himself or herself’—
omit, insert—themself
16Section 101(1)(a), after ‘made’—
insert—in relation to an access application
17Section 108(1), after ‘review’—
insert—of a decision relating to an access application
18Section 116, heading, ‘pt 11’—
omit, insert—part
19Section 130(1), ‘chapter 3, part 9’—
omit, insert—chapter 3B, part 2
omit.
renumber as section 132(3)(c) to (i).
22Sections 140(1) and 143(3), ‘he or she’—
omit, insert—they
omit.
24Section 171(1)(a)(i) and (ii), ‘78 or’—
omit.
omit.
26Section 173(a)(i) and (ii), ‘78 or’—
omit.
27Schedule 5, definition eligible family member, item 1(e) and (f), ‘Aboriginal person or Torres Strait Islander’—
omit, insert—Aboriginal or Torres Strait Islander person
1Section 94(3), from ‘or’ to ‘chapter 3’—
omit.
© State of Queensland 2023