NSW gets first state-based data breach notice scheme

Justin Hendry
Editor

17 November 2022
New South Wales will have Australia’s first mandatory data breach notification scheme for public sector entities in place within a year after state government legislation passed Parliament.

The Privacy and Personal Information Protection Amendment Bill underpinning the long-promised regime sailed through the Legislative Council last night without amendment, having passed the Legislative Assembly with the backing of the Opposition a day earlier.

Public sector agencies, state-owned corporations, local councils and some universities will now be required to report breaches “likely to result in serious harm” to both affected individuals and the Privacy Commissioner.

A similar scheme exists at the federal level through the Mandatory Data Breaches scheme, which is currently subject to proposed changes, but it does not extend to state agencies, state-owned corporations and local councils.

However, the New South Wales scheme — which replaces a voluntary reporting program — will only “commence on the first anniversary of the date of assent”, giving the public sector “adequate” preparation time, according to a statement of public interest.

The bill also extends the Privacy and Personal Information Protection (PPIP) Act to state-owned corporations in energy, water, ports and forestry not already covered by the Commonwealth Privacy Act.

Privacy advocates and Labor have been calling for such a mandatory reporting scheme in New South Wales since it was recommended by former Privacy Commissioner Elizabeth Coombs in 2015, with private members bills introduced in both 2017 and 2019.

The government, which opposed Labor’s bill to review the voluntary reporting scheme in mid-2019, committed to introducing a mandatory scheme in March 2020, making it the first state or territory government to do so.

The Department of Communities and Justice began consulting on the scheme in July 2019, released a draft exposure bill that set out the reporting thresholds in May 2021 and, last week, introduced the legislation to Parliament.

In a debate last night, Labor MLC and shadow minister for the environment Penny Sharpe said that significant “digitisation of our information over the past decade” meant the need for a mandatory scheme “is now a serious matter”.

She recalled being “completely shocked” when, on first coming into Parliament years ago, she learnt that agencies were not required to report data breaches of personal and health information under the PPIP Act.

“The Opposition has been calling for legislation of this kind to be brought forward for years, though there have been long and inexplicable delays on the part of the government,” Ms Sharpe said.

“We are pleased that the government has finally brought a proposal before the House to deal with this serious issue, and I indicate at the outset that we do not oppose the bill.”

Greens MP Abigail Boyd said the “long overdue” legislation is a “small part of a much wider body of work that needs to be done regarding our digital rights and data sovereignty”.

“Australia is lagging a long way behind other jurisdictions. We have weak data protection laws, meaning big corporations and organisations hoard our personal information in poorly protected, poorly encrypted servers and repositories—a honeypot for would‑be bad actors,” she said.

“The bill does not do anything to keep our information safer from theft. It merely imposes a mandatory obligation on State‑owned corporations and public sector agencies to disclose to people impacted by a breach of data held by that corporation or agency.

“Frankly, it is astonishing that the obligation does not already exist and that it requires legislating at all.”

The Queensland government is also considering a mandatory data breach notification scheme as part of proposed privacy and right to information reforms at the recommendation of the Office of the Information Commissioner.

In September, the Office of the Victorian Information Commissioner recommended a mandatory data breach scheme after a government department failed to tell people their data had been exposed in a serious breach.