Everything you need to know about the new NSW mandatory data breach notification scheme

New data breach notifications coming into effect this month will bind NSW public sector agencies, statutory authorities, local councils and state owned corporations, writes Lyn Nicholson.

Lyn Nicholson

The protection of personal information is being strengthened in NSW with privacy law changes based on amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) coming into force on November 28 which will bind NSW public sector agencies, statutory authorities, some universities, local councils, state-owned corporations and Ministers’ offices.

The key reform in the PPIPA is the introduction of a Mandatory Data Breach Notification Scheme (MDBN scheme).

Some agencies may be bound by both the Commonwealth Privacy Act and the Notifiable Data Breaches scheme overseen by the Office of the Australian Information Commissioner (OAIC), as well as the NSW scheme. The two regimes, while similar, are not identical and reporting under the NSW scheme is to the NSW Privacy Commissioner.

What are your obligations under the NSW scheme?

Under the MDBN scheme, agencies are obligated to notify the Privacy Commissioner and affected individuals of eligible data breaches, which are defined as unauthorised access, disclosure or loss of an individual’s personal information and which are likely to result in serious harm to the affected person.

So, what happens when an agency discovers a data breach? According to the new scheme, the agency must:

  • immediately take all reasonable efforts to contain the breach
  • assess the suspected breach within 30 days to determine if there are reasonable grounds to believe an eligible data breach has occurred
  • take all reasonable steps to mitigate the harm done by the suspected breach.

If the agency assesses the breach and concludes it’s an eligible breach under PPIPA, it must inform the Privacy Commissioner and each affected individual, as well as issue a public notification on its website if notifying each affected individual is not achievable.

What your agency needs to do right away

If you have not already begun preparing for the beginning of the MDBN scheme, there is still time for your agency to familiarise itself with its compliance obligations and implement changes to your data breach management practices.

One of the key preparations an agency must make is to develop and publish on its website a Data Breach Policy (DBP). This is in addition to fulfilling its obligations under the PPIPA to maintain and publish on its website a public notification register for any data breach notifications it has issued, as well as to keep an internal data breach incident register for its own records.

Agencies must also develop a Data Breach Response Plan (DBRP), which is a framework setting out the roles and responsibilities of an agency involved in managing a data breach. Implementing or updating your DBRP will help ensure your agency can effectively assess, manage and appropriately respond to data breaches.

Inter-relationship with cyber security

Importantly, there is an exemption where the head of an agency reasonably believes that notification of an eligible data breach would worsen the agency’s cyber security or lead to further data breaches. The head of the agency may decide to exempt the agency from the requirement to notify affected individuals or make a public notification for a period.

The Privacy Commissioner has prepared a number of resources to assist agencies with the scheme.

Big changes are also coming for the national privacy laws

Along with getting ready for the NSW MDBN scheme, agencies should also be aware of forthcoming changes to the Privacy Act in response to the Privacy Act Review Report published in February this year and the government’s response which was issued in October.

The response confirms the government’s agreement, or agreement in principle, with the vast majority of the 116 proposals in the report. This means change is coming – it is merely a matter of timing and the exact details of the changes.

Key changes expected in response to the Review include the strengthening of individuals’ rights under the Privacy Act, along with:

  • the extension of the definition of ‘personal information’
  • the strengthening of obligations around policies and collection notice
  • the introduction of a requirement for the processing of personal information to be ‘fair and reasonable’.

Next steps

Agencies need to begin, or complete, preparing for the introduction of the NSW MDBN scheme. Irrespective of any penalties that might apply, if a breach occurs and an agency is not well prepared, it is likely to suffer a loss of trust, which we all know is extremely costly to rebuild.

*Lyn Nicholson is General Counsel with Holding Redlich.
