Queensland is considering a mandatory data breach reporting scheme. 

The state is looking at new laws that would require companies in Queensland report incidents to the state's privacy commissioner when they suffer data breaches. 

The Office of the Information Commissioner says laws for protecting personal information are out of date.

Privacy Commissioner Philip Green is seeking changes to the Information Privacy Act 2009 to create a mandatory reporting requirement.

“I'm trying to get a law in place because I think the public expects that my office would be told about a breach, and also that they would be told if it was a serious breach,” Mr Green says.

“The Crime and Corruption Commission in Queensland recommended in its Operation Impala that we should have that sort of a law because it helps drive good privacy practices, and also people can learn from the mistakes as well.”

Currently, the public sector is subject to mandatory reporting of breaches, and Commonwealth legislation only covers businesses with a turnover of more than $3 million.

Mr Green says it is time to fill the gap. 

“Worldwide, these sorts of laws are coming into place,” Mr Green said.

“Quite a few jurisdictions in the US, Canada has adopted it, the UK, all through Europe, Japan and New Zealand — have already got those laws in place.

“If we did it tomorrow, we would be the first state to legislate for it, and I would like to see [that happen] because I think it sets the right sort of environment for digital service delivery.”