IPOLA Act: How councils can stay ahead of new privacy obligations

Published on 12 November 2025

By Kathryn Dalley, Manager - Procurement

In Queensland, the Information Privacy and Other Legislation Amendment Act 2023, or IPOLA Act, has officially been introduced, bringing some important changes that councils need to be aware of. These changes are aimed at modernising the way personal information is protected, improving transparency, and streamlining how access requests are handled. But while the reforms will help protect privacy and build trust, they also introduce new responsibilities for councils, particularly in relation to Freedom of Information (FOI) and data privacy.

One of the biggest changes is the introduction of a Mandatory Notification of Data Breach requirement (MNDB). From 1 July 2026, councils will need to report any data breach that could cause serious harm. This means that councils will need to act quickly to identify and report breaches to the Office of the Information Commissioner and to affected individuals. It’s also important to have detailed records and processes in place to manage breach notifications and staff will need to be trained to recognise and respond to potential incidents in real time.

Another change to be aware of is the introduction of the Queensland Privacy Principles (QPPs). These replace the old Information Privacy Principles (IPPs), and they bring higher standards for privacy protections. Councils will need to update their policies, ensure that privacy is considered at every step of service delivery, and train staff on the expanded definition of "personal information," which now includes almost any identifiable information - whether it's correct or not. It’s a big shift, but it also strengthens the protection of personal data and ensures better privacy practices across the board.

Lastly, there's a more consolidated approach to access requests. All requests for personal information or amendments now fall under the Right to Information (RTI) Act, which means that councils will likely see an increase in requests and will need to manage them more efficiently. This means having clear workflows in place to track and respond to requests on time, ensuring compliance with the new legislation.

So, what does all of this mean for councils? First of all, it’s a great idea to start preparing now. Councils should review their existing privacy and RTI policies, audit their systems for data management, and train staff on what these changes will mean in practice. The new data breach notification requirements and privacy principles are crucial, and getting ahead of these changes can help ensure a smoother transition as the law takes effect over time.

To make compliance easier, VendorPanel offers a Freedom of Information Management Module designed to help councils manage these processes more effectively. The module automates and digitises key workflows like FOI requests, privacy incidents, and complaints.

IPOLA Act - Information Request (Intext screen 1)

One of the standout features of the module is its tracking and reporting system, which gives you real-time visibility of the progress of requests and helps you stay on top of deadlines. The live dashboards allow managers to see at a glance how many requests are pending, who's working on them, and where bottlenecks might be happening. Automated reminders, email notifications, and mail merge documents are all built in, so your team doesn’t have to worry about missing a deadline or a key communication. Plus, the compliance and audit features ensure all actions are logged for security and transparency, giving peace of mind that legislative requirements are being met.

Ipola Act - Info Request (intext image 2)

If you’d like more information on this module, don’t hesitate to reach out to your VendorPanel senior account manager - Ainslie Magness on 0401 070 540 or email ainslie.m@vendorpanel.com.