NSW agencies face mandatory data breach notification scheme

NSW has introduced the country’s first state-based mandatory data breach notification scheme.

The Privacy and Personal Information Protection Amendment Bill will require state-owned corporations issue notifications. Currently, those organisations are not subject to the Commonwealth Privacy Act.

The amendment will also introduce a data breach assessment scheme, provide limited exemptions from mandatory notifications, and give the Privacy Commissioner the power to “investigate, monitor audit and report on” public sector agency data breaches.

The state’s privacy commissioner will have enforcement powers, and public sector agencies will have to publish a data breach policy and keep a data breach register.

Attorney general Mark Speakman said the bill will create new standards of “accountability and transparency” for government bodies.

NSW has been an enthusiastic adopter of digital government capabilities, and in doing so, has expanded its collection of citizens’ data.

“In return, the government has a responsibility to effectively and proactively protect and respect that personal information,” Speakman said.

“Once passed, this new law will provide consistency across public sector agencies by making it mandatory for public sector agencies to notify the [NSW] Privacy Commissioner and those impacted by a data breach involving personal information which is likely to result in serious harm.”

The scheme would apply to all NSW agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor-General, and some universities.