The NSW Government is set to introduce mandatory data breach reporting, after a consultation found overwhelming public support for it. NSW leads the way as the first state or territory in Australia to do so.
The amendment to the Privacy and Personal Information Protection Act 1998 (PPIPA) will require public sector agencies to notify certain individuals and the Privacy Commissioner if there is an eligible data breach.
An exposure draft of the Privacy and Personal Information Protection Amendment Bill 2021 (Draft) has been released for public consultation.
For over two years, the NSW Government has considered whether a mandatory reporting scheme for data breaches should be adopted under the State’s privacy framework.
NSW is now set to become the first state or territory in Australia to introduce mandatory data breach reporting by amending the PPIPA. In a media release
, Attorney General, Mark Speakman, and Minister for Digital and Minister for Customer Service, Victor Dominello, announced the proposed scheme. The message was clear that the protection of people’s privacy is crucial to public confidence in NSW Government services.
The proposed scheme creates new standards of accountability and transparency to protect personal information. It demonstrates the NSW Government’s commitment to maintaining the highest privacy and data security standards, as the use of digital innovation and technology increases.
The move follows the updates to the Commonwealth Privacy Act which require certain entities to notify individuals and the Privacy Commissioner about data breaches that are likely to cause serious harm. The revamped New Zealand Privacy Act 2020
establishes a similar scheme with a focus on the “affected people”.
Who is impacted by the scheme?
The amendment will impact NSW public sector agencies, local councils, some universities and other organisations (including Stated-owned corporations) not subject to the Privacy Act 1988
of the Commonwealth. The proposed scheme aims to ensure those agencies and organisations notify the Privacy Commissioner and affected individuals when a data breach involving personal information is likely to result in serious harm.
What is an eligible breach?
As presently defined in the Draft, eligible data breach means:
- there is unauthorised access to, or unauthorised disclosure of, personal information, and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates; or
- personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and if the access or disclosure of the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates. Under the scheme, agencies will be expected to contain the breach, make an assessment within 30 days and take steps to mitigate harm before the notification provisions become relevant.
“If passed, this Bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies
,” Mr Speakman said.
Anyone with an interest in this area is encouraged to make a submission on the Draft. Public submissions can now be made until Friday 18 June on the Have Your Say website.
Post by Hicksons Partner, John Kell, and Solicitor, Aidan Allen