NSW govt's mandatory data breach reporting scheme unlikely before 2022

The NSW government will conduct a second round of consultations on its proposed mandatory data breach notification regime later this year, with the scheme now not expected to be up and running until 2022.

The long-sought regime would force state government agencies to report data breaches to affected individuals and the privacy commissioner, replacing a voluntary scheme under NSW's existing privacy laws.

It was first recommended by former privacy commissioner Elizabeth Coombs in 2015 – around the same time the federal government committed to such a regime at the Commonwelath level, which it subsequently introduced in February 2018.

Following several attempts by the state opposition to introduce such a scheme, the NSW government committed to introduce its own mandatory scheme in February 2020 after conducting a six-month consultation that determined overwhelming public support.

Since then, the NSW government has suffered a series of high-profile data breaches, including an email account compromise attack against Service NSW that snared 736GB of data.

But now, more than a year after making the commitment, attorney-general Mark Speakman has said that while the state's legislation could be passed this year, the scheme itself is unlikely to be in place before 2022.

“I expect that [the mandatory data breach notification scheme] will be legislated this year, but it may not be up and running operationally until next year,” he told budget estimates this week.

Department of Communities and Justice law reform and legal services deputy secretary Paul McKnight – who is overseeing the policy development – said that the legislation requires a further round of consultations later this year.

“We expect to be moving reasonably quickly now towards finalising a proposal in this area, but there is likely to be further consultation on the model involved,” he told the committee on Tuesday.

McKnight said his team is working through the details of the scheme, including the threshold trigger for notifications and whether there are situations in which notifications create more damage.

He also said that there are a range of external factors such as the ongoing review of the Commonwealth Privacy Act that the department was factoring into the consultation process.

“It is a pretty complex issue,” he added.

But with five years having passed since the privacy commissioner's original recommendation in 2015, as well as the protracted consideration of submissions, which only numbered 23, the leisurely pace has some MPs concerned.

“The problem that we have is that this was recommended by the privacy commissioner in 2015,” Labor MP Rose Jackson said.

“There is some complexity about it but it is actually pretty basic at the core – if your personal data is publically disclosed by the government, you should be told about that.

“As you say, there are federal models that go to that questions. It’s not like NSW is a first mover here.”