The NSW privacy commissioner has been grilled over why the state still has no mandatory data breach reporting requirements almost 18 months after consultation first began.

Under the existing system, it’s recommended that public sector agencies notify the Privacy and Information Commission, as well as individuals involved, if there’s been a breach that risks serious harm.

However, there’s no specific requirement for them to do so.

The Department of Communities and Justice in July 2019 released a discussion paper on a proposed mandatory reporting regime and the government committed to its introduction last year.

“DCJ is now developing the proposed scheme in conjunction with the IPC,” Ms Gavel said, after being questioned by a parliamentary inquiry into cybersecurity on Wednesday about the time being taken.

She said the two agencies are continuing to work on scoping and putting together a model, but added it was up to the government to make announcements of upcoming developments.

Ms Gavel told the committee there’s been significant consultation with DCJ and with Department of Customer Service in regard to the proposed scheme, including the appropriate threshold for reporting.

She said the NSW model would probably look like Commonwealth scheme, which is the only legislated mandatory reporting scheme in the country and which excludes state government agencies and local councils.

“It makes sense to look to that as a model because it’s in place and we can look at how it’s working,” she said.

“NSW also shares information with the Commonwealth and so we would have similar schemes in place.”

Notifications on the increase

Ms Gavel told the committee her office received 79 voluntary notifications about breaches of government-held data last year, most of which were caused by human error, representing a 23 per cent increase over the previous 12 months.

She said this was probably the result of more reporting rather than more breaches.

Government News reported on the latest national data breach notification figures here.

Ms Gavel said she remained a strong advocate for mandatory reporting.

“Noting the increase in the role of digital service provision and the growth in data that accompanies this, I am a strong advocate for the implementation of a mandatory data breach notification scheme …. where a data breach results in or is likely to result in a serious risk of harm to the individual.”

Threshold questioned

MP David Shoebridge suggested to Ms Gavel that “serious risk of harm” was a subjective and ‘extremely high’ threshold.

Ms Gavel said the threshold was a “complexity of the scheme” that has to be worked through, however she said it would have covered the massive data breach that affected Services NSW last year.

Service NSW CEO Damon Rees said he supported mandatory reporting.

“My personal view is anything that will strengthen assurance of privacy outcomes is a good thing, and it’s something that Service NSW would benefit from as well as other government agencies and organisations,” he told the committee.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter