NSW will become the first Australian state or territory to introduce a mandatory scheme that requires state public sector agencies to notify the Privacy Commissioner and affected individuals of data breaches.
Background
Unlike the Privacy Act 1988 (Cth) (Privacy Act), there are currently no requirements under the Privacy and Personal Information Protection Act 1988 (NSW) (PPIP Act) for NSW public sector agencies to notify individuals who are affected by data breaches. Rather, the Information and Privacy Commission encourages a voluntary policy where NSW public sector agencies voluntarily report data breaches to the Privacy Commissioner.
In July 2019, the NSW Department of Communities and Justice opened consultation to consider whether a mandatory reporting scheme should be implemented in NSW. The consultation found “overwhelming public support” in favour of such a scheme in NSW. Two years after the consultation, Attorney General, Mark Speakman has proposed a mandatory data breach scheme in NSW’s privacy framework (MNDB Scheme).
On 7 May 2021, the NSW Government announced that the MNDB scheme will create new standards of accountability and transparency to protect personal information. The response is prompted by the increasing number of reported data breaches such as the Service NSW data breach in May 2020, which was heavily criticised in the NSW Auditor-General’s Report to Parliament.
How will the MNDB Scheme work?
The Privacy and Personal Information Protection Amendment Bill 2021 (The PPIP Amendment Bill) creates the MNDB scheme and extends the PPIP Act to include NSW state-owned corporations that are not regulated by the Privacy Act. It is intended that the MNDB Scheme will fill in the gaps of the Commonwealth Notifiable Data Breaches Scheme (NDB Scheme) which was introduced in early 2018.
Public sector agencies that are regulated by the PPIP Act will be required to immediately notify the Privacy Commissioner of an eligible data breach that would likely result in serious harm to an individual.
The PPIP Amendment Bill defines an eligible data breach where:
1. there is unauthorised access or unauthorised disclosure of personal information, and a reasonable person would conclude that it would lead to serious harm to an individual; or
2. personal information is lost where unauthorised disclosure or information is likely to occur and a reasonable person would conclude that it would lead to serious harm to an individual.
The PPIP Amendment Bill Factsheet defines serious harm as financial, psychological physical and reputational harm and intends to apply the serious harm threshold in the NDB Scheme to the MDNB Scheme.
Implications
Following public consultation on 18 June 2021, it is anticipated that the PPIP Amendment Bill will be introduced in the NSW Parliament in 2021. The MNDB Scheme will commence 12 months following the passing of the PPIP Amendment Bill. Considering the above, we recommend that public sector agencies should begin review of their internal processes to ensure compliance with the proposed notification obligations.
The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.