1. Policy Statement
The Queensland Pharmacy Business Ownership Council (Council) is committed to protecting your privacy by protecting the personal information you provide to us.
2. Purpose
The purpose of this policy is to explain our framework for responding to data breaches in accordance with the Information Privacy Act 2009 (IP Act).
Information on how the Council manages and protects your personal information is outlined separately in the Council’s Privacy Policy.
3. Scope
This policy applies to:
- Council members
- The Chief Executive Officer (CEO)
- Council staff
- Council inspectors, and
- Contractors to the Council.
It covers all data breaches, whether accidental or deliberate, that occur within the Council’s information technology (IT) systems, physical records or third-party services.
4. Roles and responsibilities
Term | Meaning |
|---|---|
Chief Executive Officer |
|
Director, Finance and Corporate Services |
|
Council members, employees and contractors |
|
Third-party service providers |
|
5. Policy
5.1 Background
The Council is an independent statutory body established under the Pharmacy Business Ownership Act 2024 (PBO Act). Our role is to regulate pharmacy business ownership in Queensland. We do this by administering the pharmacy business ownership licensing scheme and monitoring and enforcing compliance with the PBO Act.
Our approach to handling your personal information is governed by the requirements of the IP Act, and associated Queensland Privacy Principles (QPP), which set the rules for how Queensland government agencies, including the Council, handle personal information (including sensitive information). The only sensitive information we routinely collect is criminal history information for the purpose of deciding whether a person is fit and proper to own a pharmacy business. In addition to the IP Act, we also have obligations under the PBO Act regarding the disclosure of confidential information.
The terms ‘personal information’, ‘sensitive information’ and ‘confidential information’ are defined in the ‘Definitions’ section of this policy.
For simplicity, in this policy we will use the term ‘personal information’ to collectively refer to personal information, sensitive information and confidential information.
5.2 Mandatory notification of data breach scheme
Chapter 3A of the IP Act creates a MNDB scheme for Queensland Government agencies, including the Council. Under the MNDB scheme, the Council is required to develop and publish a data breach policy and keep an internal register of eligible data breaches. The Council is also required to take the following actions if it knows, or reasonably suspects, that it has experienced an eligible data breach:
- immediately, and continue to, take all reasonable steps to contain the data breach and mitigate the harm caused by the breach
- if the Council does not know whether the data breach is an eligible data breach, it must assess within 30 days, whether there are reasonable grounds to believe that the data breach is an eligible data breach
- if the Council knows or assesses the data breach as an eligible data breach it must, as soon as practicable unless a notification exemption applies, notify the Office of the Information Commissioner (OIC) and any affected individual, and
- if, at any time, the Council becomes aware that the data breach may affect another agency, the Council must notify the other agency of the data breach.
5.2.1 What is an eligible data breach?
A data breach occurs when information held by the Council is lost or subject to unauthorised access or disclosure. For the purpose of the IP Act, a data breach involves any information held by the Council whereas an eligible data breach only involves personal information. Data breaches can result from human error, malicious acts or IT system failures (including failures of IT security).
Not all data breaches will be an eligible data breach as defined by the IP Act. An eligible data breach occurs where:
- there has been unauthorised access to, or unauthorised disclosure of personal information held by the Council, and the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates, or
- there has been a loss of personal information held by an agency that is likely to result in unauthorised access to, or unauthorised disclosure of the personal information, and the loss is likely to result in serious harm to any of the individuals to whom the information relates.
Examples of eligible data breaches include:
- accidentally losing or misplacing documents containing personal information
- disclosure of personal information to external parties
- an online portal or database being accidentally made publicly available
- a cyberattack, phishing, malware or hacking incident into an agency’s database allowing access by external parties, and
- inappropriate access to a restricted internal file containing personal information.
Examples of less serious data breaches that would not meet the definition of an eligible data breach include:
- accidentally accessing a secure database
- leaving an encrypted USB or computer containing contact details, such as email addresses, in a train, bus or taxi
- accidentally disclosing contact details to a trusted contractor or another government agency
- disclosing agency information to third parties on an unauthorised basis, and
- sending a generic email to the wrong recipient.
5.2.2 When does a data breach result in serious harm?
The harms that can potentially arise from a data breach will vary based on the nature of the personal information involved and the context of the breach. Serious harm to an individual, in relation to the unauthorised access or disclosure of the individual’s personal information, includes, for example:
- serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure, or
- serious harm to the individual’s reputation because of the access or disclosure.
Examples of harms include:
- identity theft
- financial loss
- threats to personal safety
- loss of business or employment opportunities
- humiliation and embarrassment
- damage to reputation or relationships
- discrimination, bullying or other forms of disadvantage or exclusion.
To be considered serious harm, the effect on an individual must be more than mere irritation, annoyance or inconvenience. In determining whether a data breach is likely to result in serious harm, section 47(2) of the IP Act requires the Council to consider the following matters:
- the kind of personal information accessed, disclosed or lost
- the sensitivity of the personal information
- whether the personal information is protected by one or more security measures
- if the personal information is protected by one or more security measures, the likelihood that any of those security measures would be overcome
- the persons, or the kind of persons, who have obtained, or could obtain, the personal information
- the nature of harm likely to result from the data breach, and
- any other relevant matter.
Other relevant matters the Council can consider may include (but not be limited to):
- the type of personal information accessed, disclosed or lost, and whether a combination of types of personal information might lead to increased risk
- the amount of time the information was exposed or accessible, including the amount of time information was exposed prior to the Council discovering the breach
- the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm)
- the circumstances in which the breach occurred, and
- actions taken by the agency to reduce the risk of harm following the breach.
5.3 Reporting a data breach
5.3.1 Internal reporting
Council members and employees must immediately report all suspected or known data breaches to the CEO.
5.3.2 External reporting
Members of the public can report a suspected data breach to the Council. If you wish to report to a suspected data breach, please contact us as soon as possible via telephone: (07) 3325 6200 or email: privacy@pboc.qld.gov.au.
5.4 Council data breach response
The Council’s response to a data breach will be determined on a case-by-case basis having regard to the nature of the breach. However, all responses will be undertaken in accordance with the following six stage process:
- Preparation
- Identification
- Containment and mitigation
- Assessment
- Notification
- Post-breach review and remediation
The key high-level actions that will be undertaken under each stage are outlined below.
5.4.1 Preparation
- Maintain an up-to-date Data Breach Policy and Data Breach Response Plan.
- Ensure robust data security measures are in place, including encryption/secure digital processing platforms, access controls, and proactive risk management activities.
- Ensure employees and contractors undertake regular training on privacy and data security.
5.4.2 Identification
- Identify and report suspected data breaches immediately to the CEO.
- Conduct an initial assessment to determine whether an actual data breach has occurred.
- Document the details of the incident, including (as a minimum) the date, time and nature of the breach.
5.4.3 Containment and mitigation
- Take immediate steps to contain the breach and prevent further unauthorised access and/or disclosure; and implement measures to mitigate harm resulting from the breach.
5.4.4 Assessment
- Conduct a full assessment of the scope and impact of the breach including the type of data involved, number of individuals affected, and the potential for serious harm.
- Determine whether the breach is an eligible breach as defined by the IP Act.
5.4.5 Notification
- If the breach is an eligible breach, notify the OIC, affected individuals and any other impacted agencies as soon as possible.
- If notification is not required, document the reasons for this decision.
5.4.6 Post data breach review and remediation
- Conduct a post-incident review and evaluation to identify the cause of the breach, evaluate the effectiveness of the Council response, and identify recommendations for corrective actions to prevent future breaches of that nature.
- Document the findings and recommendations in a post-review report.
- Implement the review recommendations as soon as practicable.
5.5 Data breach register
In accordance with section 72 of the IP Act, the Council will maintain an internal register of eligible data breaches that contains the following information:
- a description of the breach
- details of the steps taken by the Council to contain and mitigate the breach
- details of statements made, and information provided to, the Information Commissioner, including the date that the statement and/or information was provided
- details of notifications made to affected individuals, including the date that the notifications were made and the notification method used
- any exemptions under part 3, division 3 of the IP Act relied on by the Council, and
- actions taken by the Council to prevent future data breaches of a similar kind.
5.6 Record keeping
The Council will document its management of all actual or suspected data breaches. Records of all data breaches will be documented and retained in accordance with the Public Records Act 2022.
6. Definitions
For the purpose of this policy, the following definitions apply:
Term | Meaning |
|---|---|
Affected individual | An individual whose personal information is the subject of a data breach and who is likely to suffer serious harm because of that breach. |
Chief Executive Officer | The Chief Executive Officer of the Council |
Confidential information | Confidential information is personal information, information about an individual’s commercial activities, and criminal history information. It does not include information that is publicly available. |
Data breach | The unauthorised access to, or unauthorised disclosure of information or the loss information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur in accordance with schedule 5 of the IP Act. |
Held or hold (in relation to personal information) | Personal information is held by the Council, or the Council holds personal information, if the personal information is contained in a document in the possession, or under the control of, the Council. |
Notification exemption | An exemption to the notification obligations in chapter 3A, part 3, division 2 of the IP Act. The notification exemptions are outlined in chapter 3A, part 3, division 3 of the IP Act. |
Personal information | Information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”. Put simply, personal information is any information or opinion about you that can identify you or lead to you being identified. Personal information includes sensitive information |
Sensitive information | Sensitive information includes:
|
Unauthorised access | Access to data by an individual or entity without permission. |
Unauthorised disclosure | Disclosure of data to an unauthorised party. |
7. Legislation
- Information Privacy Act 2009 (Qld)
- Pharmacy Business Ownership Act 2024 (Qld)
- Public Records Act 2022 (Qld)
- Public Sector Act 2022 (Qld)
- Right to Information Act 2009 (Qld)
8. Authority
The Chief Executive Officer is responsible for this data breach policy.
The Director, Finance and Corporate Services is responsible for reviewing and evaluating the effectiveness of the policy on an annual basis.
9. Supporting documents
- Queensland Pharmacy Business Ownership Council Privacy Policy
- Queensland Pharmacy Business Ownership Council Data Breach Response Plan
- Queensland Government Information and Cyber Security Policy (IS18:2025)