Exposing breaches of privacy – mandatory notification of data breach scheme approaching for NSW

Key Points:

  • The NSW Government is set to introduce mandatory data breach reporting, after a consultation found overwhelming public support for it. NSW leads the way as the first state or territory in Australia to do so.
  • The amendment to the Privacy and Personal Information Protection Act 1998 (PPIPA) will require public sector agencies to notify certain individuals and the Privacy Commissioner if there is an eligible data breach.
  • An exposure draft of the Privacy and Personal Information Protection Amendment Bill 2021 (Draft) has been released for public consultation.
For over two years, the NSW Government has considered whether a mandatory reporting scheme for data breaches should be adopted under the State’s privacy framework.

NSW is now set to become the first state or territory in Australia to introduce mandatory data breach reporting by amending the PPIPA. In a media release, Attorney General, Mark Speakman, and Minister for Digital and Minister for Customer Service, Victor Dominello, announced the proposed scheme. The message was clear that the protection of people’s privacy is crucial to public confidence in NSW Government services.

The proposed scheme creates new standards of accountability and transparency to protect personal information. It demonstrates the NSW Government’s commitment to maintaining the highest privacy and data security standards, as the use of digital innovation and technology increases.

The move follows the updates to the Commonwealth Privacy Act which require certain entities to notify individuals and the Privacy Commissioner about data breaches that are likely to cause serious harm. The revamped New Zealand Privacy Act 2020 establishes a similar scheme with a focus on the “affected people”.
Who is impacted by the scheme?
The amendment will impact NSW public sector agencies, local councils, some universities and other organisations (including Stated-owned corporations) not subject to the Privacy Act 1988 of the Commonwealth. The proposed scheme aims to ensure those agencies and organisations notify the Privacy Commissioner and affected individuals when a data breach involving personal information is likely to result in serious harm.
What is an eligible breach?
As presently defined in the Draft, eligible data breach means:
  1. there is unauthorised access to, or unauthorised disclosure of, personal information, and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates; or
  2. personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and if the access or disclosure of the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates. Under the scheme, agencies will be expected to contain the breach, make an assessment within 30 days and take steps to mitigate harm before the notification provisions become relevant.
If passed, this Bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies,” Mr Speakman said.

Anyone with an interest in this area is encouraged to make a submission on the Draft.  Public submissions can now be made until Friday 18 June on the Have Your Say website.

Post by Hicksons Partner, John Kell, and Solicitor, Aidan Allen

Most Popular Articles

Blog

Service of Notices by Registered Post

Where service of a notice is authorised or required by post, unless the contrary intention appears, service will be deemed to be effected at the time when the notice would be delivered in the ordinary course of post: see the various Acts Interpretation acts of the States and Commonwealth.
Blog

When can the unqualified be qualified? Non-lawyers engaging in legal practice - when is it OK and when is the law broken

Only lawyers can provide legal advice, but anyone can provide legal information. When thinking of the difference, you might ask your friend or colleague to provide information about a serious illness; however you would seek out a qualified medical professional in relation to its treatment.
Blog

Thanks, but no thanks – I don’t want to inherit

It seems odd that anybody would reject an inheritance, but for some beneficiaries, there are valid reasons they do not wish to receive their inheritance.

Subscribe to Our Blog

Keeping you connected, Hicksons regularly publishes articles to keep you up to date on the latest developments. To receive these updates via email, please subscribe below and indicate which areas of law you would like to receive information on.

Top