Are your Council’s data breach practices ready for major privacy law changes?

Posted by Kody Scott on 27 February 2025
Mandatory reporting of local government data breaches to the Information Commissioner is among critical privacy law amendments kicking in next year.

While local governments are alive to their existing obligations under the Information Privacy Act 2009, the stakes have been raised by the Queensland Government with the introduction of the Mandatory Notification of Data Breach scheme commencing from 1 July 2026. What must be done by your Council to ensure compliance with this new data breach scheme is unpacked by our Kody Scott below.

Facts: The Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act) was passed by the Queensland Parliament on 4 December 2023 and includes major reforms to Queensland’s information privacy framework. In addition to implementing a new suite of Queensland Privacy Principles, these new laws increase the stakes for local governments, not only in ensuring that personal information is protected against unauthorised access, use and disclosure, but also in responding appropriately when things go wrong.

Amendments: The IPOLA Act inserts a new Chapter 3A into the Information Privacy Act 2009. This new chapter imposes additional obligations on local governments regarding data breaches, including to notify the Information Commissioner and affected individuals when an eligible data breach occurs, as well as to take all reasonable steps to contain a data breach and to mitigate any resultant harm.

Implications: The amended legislation comes into effect for local governments on 1 July 2026, at which point all Councils will be legally required to have published a data breach policy on their website. This policy must include, at a minimum, information about how the local government will respond to a data breach, but it’s likely that the proper protection of a local government’s interests will require the inclusion of further information for a tailored and robust data breach policy. From 1 July 2026, it will also be necessary for local governments to keep an internal register of eligible data breaches, including eight classes of information relevant to each breach.

Ensure your Council has developed a policy in compliance with these tightened new laws. Contact Michael Cerruto or Kody Scott about preparing the necessary data breach policy.

Phone: 07 3243 0000. Email: michael.cerruto@kingandcompany.com.au or kody.scott@kingandcompany.com.au

Author: Kody Scott
About: Kody is a solicitor in the firm's Planning & Environment Group
Tags: Legislation, Local Government, Council Liability, Privacy, Kody Scott

Liability Limited By A Scheme Approved Under Professional Standards Legislation