New South Wales has become the first Australian state or territory to legislate mandatory notifications for public sector data breaches, but the scheme won’t be up and running for another year.
The Privacy and Personal Information Protection Amendment Bill 2022 passed the NSW Parliament last week with bipartisan support.
The bill establishes a mandatory data scheme for NSW government agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor-General, and some universities.
The scheme requires these agencies to notify the NSW Privacy Commissioner of a suspected data breach involving personal information which is “likely to result in serious harm”.
These agencies will also have to establish a number of data management requirements, such as maintaining an internal data breach incident register and a publicly accessible data breach policy.
The introduction of such a scheme comes after a number of significant data breaches involving NSW government agencies and departments, and after the major Optus and Medibank breaches in recent months.
While the scheme won’t be properly in place for another year, the passing of the legislation makes NSW the first Australian state or territory to have one in place.
It largely mirrors the federal Mandatory Data Breach Notification scheme, which does not include state government agencies.
NSW Attorney-General Mark Speakman said the passing of the bill fulfils the government’s commitment to improving privacy protections for personal data held by the public sector.
“This scheme establishes new standards of accountability and transparency around the protection of citizens’ personal information,” Speakman said.
“It will create greater openness while also enhancing consistency across all public sector agencies. Importantly, it will give individuals information they need to reduce their risk of harm following a serious data breach and help agencies respond properly.
“Every day, the people of NSW offer their personal information to government agencies which is a significant undertaking of trust.
“In return, the government recognises it has a responsibility to effectively and proactively protect and respect that personal information.
“These reforms will make that responsibility law.”
The scheme, which was backed by the NSW Opposition, replaces a similar voluntary one, and includes state-owned corporations in energy, water, ports and forestry.
NSW Minister for Digital Government Victor Dominello said the state government has gotten the balance right on the scheme.
“The NSW government consulted extensively on these reforms to ensure the scheme strikes the right balance between improving privacy protections for NSW citizens and being practical enough for government agencies to take appropriate steps in a potential data breach response,” Dominello said.
There have been a series of significant data breaches related to NSW government departments and agencies in recent years.
In 2020 more than 50,000 drivers licences were exposed as part of a breach at Service NSW, while NSW Health and the NSW Department of Education experienced data breaches in the following year.
In February this year, the addresses of more than 500,000 businesses were leaked from a NSW government database after they were collected for the purpose of COVID-19 contact tracing.
The federal Notifiable Data Breaches scheme requires organisations and agencies covered by the Privacy Act to notify impacted individuals and the Office of the Australian Information Commissioner when a data breach is “likely to result in serious harm to an individual whose personal information is involved”.
In Victoria, the state Information Commissioner earlier this year called for the introduction of data breach notification laws after a government department did not disclose a data breach to the impacted individuals.
Victorian agencies are currently not legally obligated to notify individuals or the regulator when they are hit by a data breach.
The Queensland government is also considering introducing its own data breach notification scheme, with a consultation paper released in June.