The NSW Labor Party has introduced a bill that would force state government agencies to report if they suffer a data breach.
The Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill was introduced to the NSW parliament by shadow attorney general Paul Lynch yesterday.
The bill calls for a model similar to the federal mandatory data breach notification scheme that will come into force on February 22 next year.
It would require state agencies to report to affected individuals and the NSW Privacy Commissioner within 15 days of a serious breach of privacy occurring. Agencies would also be given 30 days to complete an assessment.
State government organisations and local councils, as well as organisations with a turnover of less than $3 million a year, are not required to comply with the federal reporting scheme.
The bill also gives the NSW privacy commissioner powers to request information from agencies if there are reasonable grounds to believe an agency has caused or contributed to a serious breach.
Former NSW privacy commissioner Elizabeth Coombs first recommended changes to the state's privacy laws in 2015.
Lynch said the NSW government had not acted on mandatory reporting despite a series of serious breaches including health records being found in a Gosford carpark.
He said the current laws, which date from 1998, “had not kept pace with the change in technology”.
“When the current privacy laws were introduced, there was no idea of how technology would develop. Smartphones didn’t exist and warrantless mass CCTV facial recognition technologies hadn’t been thought of. The law should be modernised and introduced to the world of big data,” Lynch said.
He said the proposal would bring consistency between the NSW and federal governments.
“Mandatory notification increases the transparency of government operation. It is also a useful way of reducing the likelihood of further breaches,” he said.