Whilst the main purpose of the Information Privacy and Other Legislation Amendment Bill 2023 (Privacy Amendment Bill) introduced to the Queensland Parliament on the 13th October 2023 is to introduce a mandatory data breach notification scheme to Queensland Government Departments and Agencies, hidden amongst the amendments is a subtle change to section 33 of the IPA which regulates the transfer of personal information to entities outside of Australia.
This is relevant if personal information is stored on computer networks and servers outside Australia (eg some cloud-based service providers are located overseas).
Under the IPA, an agency may transfer personal information outside Australia only if it complies with the various requirements set out in section 33 including:
- the person has agreed to the transfer of their personal information, or
- the transfer is authorised or required under a law, or
- the department is satisfied that the information will be subject to privacy protections that are substantially similar to the IPPs.
The use of the word ‘transfer’ in section 33 has caused difficulty in understanding precisely what is meant by this term. The Federal Privacy Act 1988 (Cth) does not use the term ‘transfer’, rather the more precise term ‘disclose’ is used.
The Privacy Amendment Bill will replace the word ‘transfer’ in section 33 with the word ‘disclose’.
This is helpful in many ways, but also changes the way Departments and Agencies must manage disclosure of Personal Information overseas.
Following the amendment, the IPA will have a precise definition of what it means to disclose personal information at section 23(2) being:
An entity (the first entity) discloses personal information to another entity (the second entity) if—
(a) the second entity does not know the personal information, and is not in a position to be able to find it out; and
(b) the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and
(c) the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.
This will allow Departments and agencies to distinguish between ‘disclosure’ and ‘use’ of personal information, where use means use that is not a disclosure, which may include for example use by overseas service providers in support of cloud-based software.
One other consequence of the amendment is that in addition to the requirements of section 33 of the IPA, Departments and Agencies will need to ensure that disclosure of personal information overseas will also comply with IPP 11 (to be renamed QPP 11 under the Bill).
Under QPP 11 an agency must not disclose personal information to a third party, unless:
- the individual is reasonably likely to be aware that it is the agency’s usual practice to disclose that type of personal information to the third party;
- the individual has expressly or impliedly agreed to the disclosure;
- the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare;
- the disclosure is authorised or required under law;
- the disclosure is necessary for law enforcement purposes (see below);
- The Australian Security Intelligence Organisation (ASIO) has asked the agency to disclose the information; or
- the disclosure is necessary for research or statistical purposes.
This article was written by Bill Singleton, Partner.
