NSW govt considers making data breach reporting mandatory

The NSW government has begun reviewing its voluntary data breach notification scheme to determine whether the state's agencies and local councils should be required to report data breaches.

The Department of Communities and Justice last month opened consultation on whether a mandatory reporting scheme along similar lines to the federal model is needed.

Under existing privacy legislation in NSW, state government organisations are not required to report data breaches. They are also not covered by the federal reporting scheme, along with local councils and organisation with a turnover of less than $3 million a year.

The consultation comes just weeks after the NSW opposition reignited its push for mandatory data breach laws that would required state agencies to notify affected individuals and the NSW Privacy Commissioner after a “serious” breach of privacy.

Previous attempts to introduce such legislation were opposed by the government last year on the grounds that more consideration was needed before such as scheme was introduced.

Former privacy commissioner Elizabeth Coombs first called for changes to require state agencies to notify affected individuals and the NSW Privacy Commissioner in 2015.

However NSW attorney-general Mark Speakman did commit to review the existing voluntary reporting scheme to determine whether it was “appropriate, and whether a mandatory breach reporting scheme should be adopted”.

“It would be premature to introduce a mandatory reporting scheme in NSW now without taking the opportunity to learn from the implementation of the Commonwealth scheme,” he said at the time.

The discussion paper [pdf] released by the department more than a year after Speakman’s pledge is seeking feedback on how the existing voluntary data breach notification scheme works and how a mandatory scheme might work.

“In response to developments at the Commonwealth level, the NSW government is considering whether a mandatory reporting regime should apply to NSW Public sector agencies,” the paper states.

“A legislated mandatory notification scheme would provide certainty for the public and government agencies regarding rights and obligations around the handling of personal information and the actions that should be taken if a privacy breach occurs.”

The department is keen to understand the extent of the legislative requirements, including the threshold for breach reports, the definition of a serious breach and how long public sector agencies will have to report.

However the paper suggests there would be benefit in taking the lead of the federal mandatory reporting scheme for some aspects such reporting threshold.

The latest figures released by the NSW Privacy Commissioner indicate that 49 voluntary notification were received in the first three quarters of the 2018-19 financial year, the majority of which were from the state government sector.

However the paper said that “Commonwealth experience suggests that underreporting may be the norm”.

The federal government’s mandatory data breach reporting scheme received 1132 notifications in its first year of operation, 964 of which were deemed “eligible data breaches”.

This represented a 712 percent increase on the 159 voluntary notification received before the scheme was introduced, according to the Office of the Australian Information Commissioner.

Submission to the discussion paper will close 23 August.