NSW adds mandatory breach notification

NSW is set to become the first state or territory in Australia to have a mandatory notification scheme for its government agencies to respond to breaches of NSW citizens’ personal data.

Attorney General Mark Speakman said the Privacy and Personal Information Protection Amendment Bill 2022, introduced by the NSW Government into Parliament, would create new standards of accountability and transparency for government bodies and introduce a mandatory notification of data breach scheme in NSW.

“Every day, the people of NSW offer their personal information to government agencies, which is a significant undertaking of trust,” Mr Speakman said.

“In doing so, they enable the government to provide them with quality, connected services, and the information required to continually improve these services to best meet their needs.

“In return, the government has a responsibility to effectively and proactively protect and respect that personal information.

“Once passed, this new law will provide consistency across public sector agencies by making it mandatory for public sector agencies to notify the Privacy Commissioner and those impacted by a data breach involving personal information which is likely to result in serious harm.

“Agencies will also have to satisfy a number of data management requirements, including making reasonable attempts to mitigate the harm done by a data breach, maintaining an internal data breach incident register, and having a publicly accessible data breach policy.”

Minister for Customer Service and Digital Government Victor Dominello said the NSW Government has taken a number of steps to protect customer privacy and personal information.

“The protection of people’s privacy is crucial to ensure public confidence in NSW Government agencies. It is imperative that the highest standards of privacy and security prevail to safeguard data,” Mr Dominello said.

“The NSW Government has made significant investments to protect citizens’ data, including funding $A315 million to bolster our cyber systems and by launching ID Support NSW to help those impacted by identity theft.

“The bill will provide greater certainty for the public and government agencies regarding personal information and the steps required if a data breach occurs.

“A mandatory notification scheme also ensures that the ability for an affected citizen to take their own protective action is a primary consideration in any data breach response.”

The scheme would apply to all NSW ‘public sector agencies’ as defined in the Privacy and Personal Information Protection Act 1998, including all NSW agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor General and some universities.

The bill will also expand the Privacy and Personal Information Protection Act 1998, including the new scheme, to cover all NSW state-owned corporations not subject to Commonwealth privacy law.