The NSW government will oppose a bill that would force state government agencies to report data breaches, arguing more consideration is needed before such a scheme is introduced.
The Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill was introduced by NSW Labor last November to bring about a model similar to the federal mandatory data breach notification scheme.
The bill would require state agencies to notify affected individuals and the NSW Privacy Commissioner.
Such action was first called for by former privacy commissioner Elizabeth Coombs in 2015.
State government organisations and local councils, as well as organisations with a turnover of less than $3 million a year, are not required to comply with the federal reporting scheme.
The bill would also give the NSW privacy commissioner the power to request information from an agency if there were reasonable grounds to believe it had caused or contributed to a serious breach.
But yesterday the NSW Attorney-General Mark Speakman said the government “does not support the bill”, and that research and consultation were needed to determine whether the bill was “a proportionate, or even necessary, policy response”.
“It appears the bill... has been developed without evaluating the adequacy and efficacy of the existing voluntary breach reporting scheme, or whether serious breaches are currently going unreported...”, he said.
“If there is no significant underreporting at present, the opposition bill’s scheme will be of limited utility, and alternative options such as reform to the existing voluntary reporting scheme may achieve the objective of encouraging more reporting with less regulatory burden and resource implications.”
He also said no other state or territory government had developed a mandatory breach reporting scheme, and that the Commonwealth’s scheme was only introduced after extensive consultation.
“The Commonwealth scheme was adopted after more than two years of extensive consultation and development, and the commencement of the Act was delayed for a full year to February 22 this year to ensure that affected agencies and organisations would have time to prepare for its commencement,” he said.
“It would be premature to introduce a mandatory reporting scheme in NSW now without taking the opportunity to learn from the implementation of the Commonwealth scheme.”
The bill would also cause “potentially significant regulatory impact and resource implications” for the Privacy Commissioner and the Information and Privacy Commission, as well as public sector agencies, he said.
Speakman said the government would instead review the existing voluntary reporting scheme to determine whether it was “appropriate, and whether a mandatory breach reporting scheme should be adopted”.
The review – to be conducted by the Department of Justice – would also consider and learn from the Commonwealth scheme, which Speakman said “may take some time to look at thoroughly”.
“The Government agrees it is important that NSW public sector agencies have appropriate systems in place to protect personal information they hold and to ensure the privacy of individuals to whom that information relates is not violated or unlawfully interfered with,” he said.