NSW is set to become the first state or territory in Australia to force government agencies to report data breaches to affected individuals and the privacy commissioner.
Attorney-General Mark Speakman committed to introducing a mandatory notification data breaches scheme in the state last month after a review found there was “overwhelming public support”.
It comes five years after former privacy commissioner Elizabeth Coombs first called for changes to privacy laws to require state agencies to notify the commission and affected persons.
Under the existing Privacy and Personal Information Protection Act, agencies are not required to report data breaches to the commission or individuals, though they are encouraged to do so.
Agencies, as well as local councils and organisations with a turnover of less than $3 million a year, are similarly not covered under the Commonwealth's mandatory notifiable data breaches.
But the review, conducted by the Department of Communities and Justice in the second half of last year, determined there was “overwhelming public support” for a mandatory data breaches scheme.
Speakman told parliament that the government “shared the view” that a mandatory data breaches scheme should be introduced, but that it was still working to determine the best approach.
“The department found that there is overwhelming public support for a mandatory notification of data breaches scheme to be introduced in NSW and that is a view shared by the Government,” he said.
“The consultation did however identify differing views on what that scheme should look like.”
He said the department’s of Communities and Justice and Customer Service were “working closely to develop an appropriate model for NSW” in consultation with the privacy commissioner.
“I look forward to working with the Minister for Customer Service on this model and to bringing forward the required legislative amendments to support this reform,” Speakman said.
The government’s pledge follows two previous attempts by the NSW opposition to pass mandatory data breach laws in 2017 and 2019.
The laws would have required state agencies to notify affected individuals and the NSW Privacy Commissioner after a “serious” breach of privacy.
Likely to mimic the Commonwealth
While the Department of Communities and Justice has already determined that a future mandatory data breaches reporting scheme would likely mimic some aspects of the Commonwealth scheme, submissions have more or less supported this approach.
NSW's Information and Privacy Commission (IPC), which supports a mandatory data breach in principle, said such a scheme “should be triggered in the same way” as the Commonwealth NDB scheme and have the same “serious harm” threshold.
“The adoption of a mandatory data breach scheme would assist in supporting and promoting public confidence and trust in the government’s use of technology and data to improve outcomes and services for the public,” the submission states.
But the IPC believes any mandatory scheme in NSW should go beyond the Commonwealth scheme by requiring state agencies to report a data breach even if the entity acts quickly to remediate it.
It said if this feature was not introduced, NSW would “compound under-reporting of breaches and delayed reporting of breaches” – a view that was not shared by the Department of Customer Service.
Both the IPC and the Department of Customer Service, however, agreed the notification timeframe for reporting data breaches should be 10 working days, compared with 30 working days under the Commonwealth scheme.
The Department of Customer Service recommended an even stricter timeframe for “breaches where the serious harm threshold is met”, with a compulsory notification to occur within 24 hours.