Navigating the New Queensland Privacy Principles: Essential Tips for Councils

Local governments have just weeks to gear up for a raft of amendments to privacy laws, including a new set of privacy principles known as the Queensland Privacy Principles (QPPs). The QPPs will replace the existing Information Privacy Principles (IPPs).

Highlights

Our Kody’s Scott’s recent article reported that the stakes have been raised by the Queensland Government with the introduction of a Mandatory Notification of Data Breach scheme for local governments commencing on 1 July 2026. However, the Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act) also contains significant reforms to the Information Privacy Act 2009 (IP Act) relating to the privacy principles applicable to local governments.

What must be done by your Council to ensure compliance with the new QPPs by 1 July 2025 is unpacked by our Michael Cerruto below.

Facts

The IPOLA Act was passed by the Queensland Parliament on 4 December 2023. The new laws enact the QPPs which are required to be complied with by local governments, a year earlier than when the Mandatory Notification of Data Breach scheme will come into effect (July 2026).

Amendments

The key amendments of relevance to local government privacy practices include:

• A new definition of “personal information” regulated by the IP Act which is in substantially the same terms as the existing definition, but which provides greater clarity to agencies and individuals.
• A new set of privacy principles to be known as the QPPs, which unlike the new definition of personal information, are in substantially different terms to the existing IPPs and significantly strengthen the privacy framework to reflect many of the privacy principles presently applicable to the Commonwealth government agencies.
• By way of example, QPP 1 prescribes the minimum content of a “QPP Privacy Policy” which an agency must make available free of charge and in an appropriate form (e.g. on a website).
• Streamlined and more detailed provisions of the IP Act relating to an individual making a privacy complaint to an agency, including the timeframes for an individual subsequently making a complaint to the OIC (if dissatisfied with an agency’s response).
• The amended privacy complaint provisions make plain the requirements and timeframes for an individual making a privacy complaint in writing to an agency, including that complaints must be made within 12 months of the individual becoming aware of the matter complained of (longer with agency agreement). The amended IP Act also imposes an obligation on agencies to provide reasonable help to a complainant to frame their privacy complaint in writing.
• In addition, amended timing provisions allow an agency to request from the Information Commissioner (OIC) further time to deal with a privacy complaint beyond the standard 45-business day timeframe for responding to complaints. The amended provisions confirm that the OIC may subsequently accept a privacy complaint from a complainant that is dissatisfied with the outcome notified by the agency, even if a period of 45 business days has not yet elapsed. The Information Commissioner may still accept any complaints that are not responded to by an agency but only after the 45-business day period for response by the agency has elapsed.
• Enhanced powers to the Information Commissioner in responding to privacy complaints, including own-motion investigations.

Implications

The amended legislation applying to privacy practices (excluding the mandatory data breach scheme) comes into effect for local governments on 1 July 2025, at which point all councils will need to be ready to comply with the new QPPs. For example, it will be necessary for councils to ensure that they have a compliant QPP Privacy Policy by this date.

Ensure your Council has a QPP Privacy Policy and procedures in compliance with these new laws. Contact Michael Cerruto or Kody Scott today on 07 3243 0000.

Email: michael.cerruto@kingandcompany.com.au or kody.scott@kingandcompany.com.au