NSW is set to become the first Australian state or territory to introduce a mandatory data breach notification scheme, following a serious cyber incident last year.
NSW public sector entities would be required to report data breaches to the Privacy Commissioner and affected individuals when a data breach involving personal or health information is “likely to result in serious harm”, under the proposed laws.
The scheme would also require NSW government agencies to satisfy more data management requirements, including maintaining an internal data breach incident register, and have a publicly accessible data breach policy.
The state’s Privacy Commissioner would be granted additional regulatory powers, including the power of entry to monitor compliance.
The mandatory reporting would fill some of the gaps in the Commonwealth’s Notifiable Data Breach Scheme, which already imposes similar requirements on Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than $3 million.
The NSW government consulted on a breach reporting scheme in 2019, and received overwhelming support for a mandatory scheme.
Introduction of a mandatory reporting scheme was also an “urgent” recommendation from a scathing review of the state government’s cybersecurity, prompted by a massive data breach at Service NSW last year.
On Friday, NSW Attorney General Mark Speakman announced a consultation for the Privacy and Personal Information Protection Amendment Bill 2021, which would create the NSW Mandatory Notification of Data Breach Scheme.
“If passed, this Bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies,” Mr Speakman said.
The proposed legislation would require agencies that suspected a data breach had occurred to immediately attempt to contain the breach and assess whether it met the “serious harm” threshold. If so, the agency would need to immediately notify the NSW Privacy Commissioner with as many details as possible and provide subsequent updates as required.
However, agencies would only be required to notify individuals affected by the breach “as soon as practicable” and would have three options on how to do so.
Agencies must either notify all individuals to whom the information relates or notify only those individuals at risk of serious harm if it is “reasonably practicable” to identify them, according to the legislation.
If the agency is unable to reasonably identify affected individuals, it must publish a notification on the agency’s website and take “reasonable steps” to publicise it.
The new laws would also permit agencies to share citizens’ personal information with each other for the purpose of notification.
The notifications should include a description of the breach, how the agency is responding, recommendations to minimise the impact of the breach, and the agency’s contact details. Agencies will need to provide more detailed information to the Privacy Commissioner.
There are exceptions on law enforcement and health grounds, and for agencies that remedied the harm of the breach before it impacted individuals.
The NSW Privacy Commissioner would receive new powers under the scheme, including the ability to enter agencies’ premises and inspect anything that relates to compliance with the scheme, including physical spaces, processes and systems.
The watchdog would also be able to conduct audits in relation to the scheme and supply reports to agency heads and the responsible Minister.
The government said it intends to introduce the legislation this year and the scheme would commence 12 months from the Bill passing.
The proposed changes would also apply NSW privacy laws to all state-owned corporations that are not regulated by the Commonwealth Privacy Act.
NSW Minister for Customer Service Victor Dominello said the government is committed to digital innovation but it must not come at the expense of privacy, trust and security.
“The Information and Privacy Commission NSW and agencies such as Cyber Security NSW support the introduction of mandatory reporting to clarify agency obligations and give the NSW public greater certainty about how data breaches involving personal information will be handled,” Mr Dominello said.
The legislation was developed by the Department of Communities and Justice and the Department of Customer Service, in consultation with the state’s privacy watchdog and the Ministry of Health.