Queensland is considering creating a mandatory data breach reporting scheme. 

The Queensland Government may force its agencies to report data breaches to affected individuals and the state’s privacy commissioner as part of proposed reforms.

The Department of Justice and Attorney-General has released a consultation paper calling for feedback on the proposed mandatory data breach (MDB) notification scheme and new privacy principles. 

It says that an eligible data breach would be one where “a reasonable person would conclude the unauthorised access or disclosure would be likely to result in serious harm to the affected individuals”. Serious harm could include “serious physical, psychological, emotional, financial or reputational harm”.

The scheme was first recommended by the Office of the Information Commissioner (OIC) in response to a review of the IP Act in 2016, and again by the Crime and Corruption Commission (CCC) in 2020.

The consultation paper says an MDB scheme would “not only be good privacy practices but would enhance and protect the privacy rights of individuals”, but improve transparency and accountability for agencies as well.

“Consistency with the Commonwealth scheme would give individuals who deal with Queensland agencies the same protections as those individuals have when dealing with federal government agencies,” it says.