16 March 2026
6 min read
#Queensland Government, #Administrative Law
Published by:
The Information Privacy and Other Legislation Amendment Act 2023 (Qld) (IPOLA Act) made substantial changes to both the Right to Information Act 2009 (Qld) (RTI Act) and the Information Privacy Act 2009 (Qld) (IP Act), seeing substantial law reforms happening over the course of 2025-26 relating to information in Queensland.
Key changes include a Mandatory Notification of Data Breach (MNDB) scheme for Queensland government agencies (delayed for local government until 1 July 2026), a single set of Queensland Privacy Principles (QPPs) and broader control requirements for agencies including a QPP Privacy Policy, Data Breach Policy and publication scheme change.
A significant development affecting local government lawyers in 2026 is the staggered commencement of obligations under the IPOLA Act, some of which do not take effect until 1 July 2026. The consequence is that local councils are now entering their compliance window for the most significant reform to Queensland's information law regime in over a decade.
Similarly, government owned corporations (GOCs), whilst generally being subject to the RTI Act, have a nuanced position worth exploring.
The RTI Act applies to ‘agencies’, which include departments, local government, public authority, government owned corporation or subsidiary of a government owned corporation.
This deliberately broad definition catches entities that may not appreciate or have tested their RTI exposure, particularly GOC subsidiaries and local government bodies.
The fundamental threshold question for any entity uncertain about its status is whether it is established for a public purpose by or under an Act (section 16(1)(a)(i) – (ii) RTI Act). Most government boards in Queensland are established for a public purpose by or under an Act. This means that under the RTI Act, members of the public have a right to access documents that government boards have control or possession of.
Uncertainty about whether a body is an ‘agency’ is not a safe harbour, and entities that have historically operated as though they are outside the RTI regime may find themselves exposed if they have never tested that assumption.
The classification of GOCs under the RTI Act is one of the more nuanced areas of Queensland information law. The basic position is clear: a GOC or its subsidiary is an agency under the RTI Act. However, the position for some GOCs is materially qualified.
Schedule 2, Part 2 of the RTI Act lists functions of entities to which the RTI Act does not apply. Several GOCs are included. For these GOCs, the RTI Act only applies in relation to their community service obligations. A GOC listed in Schedule 2, Part 2 may not have any community service obligations. Any community service obligations a GOC performs must be included in the GOC's statement of corporate intent, which is prepared each financial year.
A GOC that is listed in Schedule 2, Part 2 is largely shielded from RTI access applications, but only in respect of its commercial functions. Where it has community service obligations, those remain subject to the Act.
The RTI Act also provides protection in relation to the disclosure of commercial-in-confidence information. This is important as GOCs that operate in competitive markets are entitled to resist disclosure of pricing strategies, contract terms and proprietary operational information on public interest grounds.
Beyond responding to individual access applications, GOCs have a proactive disclosure obligation administered through publication schemes. On their website, each GOC must develop and publish the details of the information it is making available to the public (section 21 RTI Act). As a guide, the level of disclosure in the publication scheme should be similar to the types of information that private sector public companies publish, for example, information which ASX-listed companies publish on their website.
Accountability now does not sit exclusively with the legal team. Boards and CEOs are responsible for compliance.
Local councils are unambiguously agencies for RTI purposes. Core obligations apply: making access decisions within statutory timeframes, maintaining a publication scheme, operating a disclosure log, and providing internal and external review rights.
Councils that have not appointed a dedicated RTI officer are at risk particularly given the volume of community and media-generated applications that flow through local government.
For local governments, the countdown is on. The MNDB scheme commenced on 1 July 2025 for all other agencies and will begin to apply to local government from 1 July 2026. Councils that have not already begun implementing an MNDB-compliant data breach response framework have less than three months to do so.
Queensland government agencies will be required to undertake an assessment of an eligible data breach within 30 days and notify affected individuals and the Information Commissioner. An eligible data breach arises where there is unauthorised access to or disclosure of personal information held by the agency. This 30-day assessment clock begins from the moment the council has reasonable grounds to believe an eligible data breach may have occurred, and not from confirmation of the breach.
Agencies should also be aware that federal privacy reforms introduced a statutory tort for serious invasions of privacy. For local councils, which routinely hold sensitive personal information, this tort creates a new litigation angle.
A further IPOLA change affecting all agencies is the consolidation of access and amendment processes into a single regime under the RTI Act. Applications for access to documents of an agency and to amend personal information are now made under the RTI Act. There continues to be no application fee for amendment applications or for access applications limited to documents containing the applicant's personal information.
The list of reviewable decisions has been expanded to include one that purports to, but may not, cover all documents in scope of an application. This makes sufficiency of search a specific reviewable decision, which means internal reviews can be made solely on sufficiency of search grounds. Agencies must be able to demonstrate not only that they made a decision, but that they searched comprehensively for all documents in scope.
In light of the above, local councils, GOCs and lawyers advising them should be pressing the following:
For local governments (with the 1 July 2026 MNDB deadline approaching):
For GOCs:
The window for preparation is closing. Local government lawyers should be treating the 1 July 2026 MNDB commencement as a firm deadline requiring active project management.
If you have any questions, please contact us here.
Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
Published by:
