The NSW government has published an exposure draft of its long-awaited bill for mandatory data breach notifications, specifying reporting thresholds ahead of the planned introduction of the scheme.
The exposure draft [pdf], which is open for consultation until June 18, follows more than two years of work by the departments of Communities and Justice and Customer Service, as well as the privacy commissioner.
NSW became the first state or territory to pledge to introduce such a scheme in February 2020, more than five years after former privacy commissioner Elizabeth Coombs first called for such laws.
The Privacy and Personal Information Protection Amendment Bill intends to fill the gap left by the Commonwealth’s notifiable data breach scheme, which applies to federal government agencies but not state government agencies or local councils.
It will require all departments and agencies, state-owned corporations, local councils and some universities in NSW to report breaches likely to result in “serious harm” to affected individuals and the privacy commissioner.
The bill also closes a regulatory loophole by applying NSW's Privacy and Personal Information Protection Act to state-owned corporations not already regulated by the Commonwealth Privacy Act.
According to the bill, a serious breach occurs when there is “unauthorised access to, or unauthorised disclosure of, personal information”, which is likely to result in serious harm to individuals involved.
Personal information can include photos, contact details and fingerprints, as well as health information about an individual's physical or mental health, disability or any other information related to the provision of health services.
When an agency suspects a breach has occurred, it must conduct an assessment within 30 days to determine whether it meets the threshold for notifying affected individuals and the privacy commissioner.
An extension may be approved if the assessment “cannot reasonably be conducted” within that timeframe, though the agency head will need to report this to the privacy commissioner and provide updates.
In instances where an agency is able to identify individuals affected by a breach, it must notify them “as soon as practicable”.
If the agency is unable to determine the affected individuals, it will be required to publish the notification on a public register for at least 12 months.
Agencies may be exempt from notifying the affected individuals and the privacy commissioner if doing so would prejudice an investigation or relates to matters before a court.
Further exemptions exist for agencies that “take action to mitigate the harm done by the breach” before access or disclosure results in serious harm or if notification could lead to further breaches.
The bill will also give the privacy commissioner new powers to enter the premises of entities and inspect anything that may relate to compliance with the scheme, including processes and systems, and conduct audits.
Announcing the exposure draft on Friday, attorney-general Mark Speakman said the scheme will ensure agencies notify the privacy commissioner when breaches likely to result in serious harm occur.
“The protection of people’s privacy is crucial to public confidence in NSW government services. I encourage anyone with an interest in this area to make a submission,” he said in a statement.
He added that the scheme would “ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies”, which was criticised in an audit report late last year.
The audit related to Service NSW, the government's one-stop shop for services, which was hit by an email compromise attack in March 2020 that exposed a staggering 736GB of data from the accounts of 47 staff members.
Digital minister Victor Dominello said the introduction of the scheme was supported by the Information and Privacy Commission and Cyber Security NSW “to clarify agency obligations”.
The bill is expected to be introduced to parliament later this year and if passed, will commence following a 12-month period to give agencies enough time to put in place the necessary compliance mechanisms.
NSW Labor, which has been pushing for a mandatory data breach notification scheme since 2017, welcomed the release of the exposure draft, noting that the government had initially resisted introducing such a scheme.
“Every time Labor has introduced legislation to enact these changes the Berejiklian Government has opposed it,” shadow attorney general Paul Lynch said in a statement on Friday.
“There has been breach after breach compromising the private information of thousands of people and many of them still haven’t been notified.”
Shadow public services minister Sophie Cotsis added that although she was glad Labor's position on mandatory reporting had been adopted, the government was “shutting the door after the horse has bolted”.