Legislation to establish NSW’s long-promised mandatory data breach notification scheme for public sector entities has been introduced to Parliament, bringing Australia’s first state-based reporting regime closer to reality.
Attorney-General Mark Speakman introduced the Privacy and Personal Information Protection Amendment Bill to the Legislative Assembly on Wednesday, following more than three years of consultation.
The bill will require public sector agencies, state-owned corporations, local councils and some universities to report breaches “likely to result in serious harm” to both affected individuals and the Privacy Commissioner.
It will be the first mandatory notification scheme among state and territory governments, with New South Wales agencies currently only encouraged to report data breaches to individuals and the Privacy Commissioner under a voluntary scheme.
State agencies, as well as local councils and organisations with a turnover of less than $3 million each year, are not covered by the Commonwealth’s mandatory Notifiable Data Breaches (NDB) scheme that is currently subject to proposed changes.
Where impacted individuals cannot be identified, or it is “not reasonably practical to notify them”, the bill requires entities to issue a public notification, allowing individuals to “take their own steps to mitigate the risk of harm”.
The bill also “resolves a significant gap in privacy regulation” by extending the Privacy and Personal Information Protection (PPIP) Act to state-owned corporations in energy, water, ports and forestry not already covered by the Commonwealth Privacy Act.
Mr Speakman said the bill – which comes less than two months after the Optus data breach that served as a wake-up call to organisations – would “empower individuals who are likely to experience serious harm because of a data breach”.
“Agencies hold sensitive information about citizens, including personal, health and financial information,” he said, introducing the bill to Parliament on Wednesday.
“High-profile data breaches in recent times in the private sector have demonstrated the potential harm to individuals that can result from unauthorised access to or unauthorised disclosure of personal information.”
Privacy advocates and the state Opposition have been calling for a mandatory data breach notification scheme in New South Wales since the recommendation by former Privacy Commissioner Elizabeth Coombs in 2015.
NSW Labor began pushing for such a scheme through two private members’ bills in 2017 and 2019 that were opposed by the government, which opted instead to review the voluntary reporting scheme in mid-2019.
That review ultimately found there was “overwhelming public support” for a mandatory reporting scheme, leading the state government to pledge to introduce one once it determined the best approach.
Since then, the Department of Communities and Justice has been consulting on the scheme. It released an issues paper in July 2019 and a draft exposure bill that set out the reporting thresholds in May 2021.
Mr Speakman said the final bill “strikes the right balance between the need to protect individuals who are impacted by data breaches and what is appropriate and workable for agencies”.
He said the “likely to result in serious harm” threshold for the mandatory data breach reporting scheme had received support during public consultations, including from the state’s Privacy Commissioner.
“This must occur within 30 days of the officer or employee becoming aware of the breach. While the bill does not define the threshold ‘likely to result in serious harm’, it provides factors that may be considered by the assessor,” Mr Speakman said.
To support the scheme, the regulatory responsibilities of the Privacy Commissioner will be expanded to support compliance, as well as “investigate and enforce the MNDB scheme in the case of agency non-compliance”.
“The bill will expand the existing powers of the Privacy Commissioner to specifically enable the commissioner to investigate, monitor, audit and report on the functions of an agency under the MNDB scheme,” Mr Speakman said.
According to its latest annual report, the Information and Privacy Commissioner (IPC) received 189 data breach notifications under the voluntary scheme during the 2021-22 financial year – 14 per cent less than in 2020-21.
Of the 189 notifications, 176 were made by state government agencies. Local governments made nine reports, while public and private universities made four.
Digital Government minister Victor Dominello said the bill seeks to “provide greater certainty for the public and government agencies regarding personal information and the steps required if a data breach occurs”.
He said it builds on the “significant investments to protect citizen data” through the Digital Restart Fund, which set aside $315 million to uplift the cyber security resilience of agencies across government.
The government also launched identity recovery unit ID Support NSW last year to help streamline the process of replacing credentials if they are compromised. The unit has recently been assisting NSW residents impacted by the Optus data breach.
“The protection of people’s privacy is crucial to ensure public confidence in NSW government agencies. It is imperative that the highest standards of privacy and security prevail to safeguard data,” Mr Dominello added.
The Queensland government is also considering a mandatory data breach notification scheme as part of proposed privacy and right to information reforms at the recommendation of the Office of the Information Commissioner.
In September, the Office of the Victorian Information Commissioner recommended a mandatory data breach scheme after a government department failed to tell people their data had been exposed in a serious breach.