The New South Wales Opposition won’t stand in the way of Australia’s first mandatory data breach notification scheme for state public sector entities, after having its own attempts knocked back by the government for years.
In the New South Wales Parliament on Tuesday, Labor MPs supported the government’s Privacy and Personal Information Protection Amendment Bill. It passed the Legislative Assembly with Labor calling for its urgent passage through the Upper House amid high-profile data breaches across the country.
The bill will require public sector agencies, state-owned corporations, local councils and some universities to report breaches “likely to result in serious harm” to both affected individuals and the Privacy Commissioner.
A similar scheme exists at the Commonwealth level but does not capture state entities. New South Wales agencies and state-owned corporations are currently only encouraged to report data breaches to individuals and Privacy Commissioner under a voluntary scheme.
Privacy advocates and the state Opposition have been calling for a mandatory data breach notification scheme in New South Wales since it was recommended by former Privacy Commissioner Elizabeth Coombs in 2015.
With recent high-profile data breaches in the private sector and the New South Wales government suffering its own major breaches, a mandatory reporting scheme is long overdue shadow attorney general Michael Daley said during debate on the bill.
“The laws are well overdue,” Mr Daley said.
“I want the Attorney General to say that Cabinet has already determined that urgency will be sought in the Legislative Council so it can get this business done finally in this term of Parliament. It should have been done in the previous term of Parliament.”
NSW Labor began pushing for such a scheme through two private members bills in 2017 and 2019 that were opposed by the government, which opted instead to review the voluntary reporting scheme in mid-2019.
That review ultimately found there was “overwhelming public support” for a mandatory reporting scheme, leading the state government to pledge to introduce one once it determined the best approach.
The Department of Communities and Justice began consulting on the scheme in July 2019 and released a draft exposure bill that set out the reporting thresholds in May 2021.
Three years after the consultation began, the legislation was introduced to the New South Wales Parliament last week.
In debate on Tuesday, Attorney General Mark Speakman said the timeframe was a result of extensive consultation that led to several amendments from the exposure draft.
“It is certainly our intention to see the supported legislation passed in this term of Parliament,” he said.
The New South Wales Legislative Council has only a handful of sitting days left this week and next week.
The Queensland government is also considering a mandatory data breach notification scheme as part of proposed privacy and right to information reforms at the recommendation of the Office of the Information Commissioner.
In September, the Office of the Victorian Information Commissioner recommended a mandatory data breach scheme after a government department failed to tell people their data had been exposed in a serious breach.
Do you know more? Contact James Riley via Email.