The NSW opposition has reignited its push to force state government agencies to report data breaches after its last attempt to introduce legislation was scuttled by the government.
Shadow attorney general Paul Lynch on Thursday reintroduced a bill that would establish a mandatory data breach notification scheme in NSW similar to that of the federal government.
The Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill would require state agencies to notify affected individuals and the NSW Privacy Commissioner after a “serious” breach of privacy.
The bill would also empower the NSW privacy commissioner to request information from an agency if there were grounds to believe it had caused or contributed to a serious breach.
State government organisations and local councils, as well as organisations with a turnover of less than $3 million a year, are currently not required to comply with the federal reporting scheme.
However, changes to the existing Privacy and Personal Information Protection Act (PIPPA) were first recommended by former privacy commissioner Elizabeth Coombs in 2015.
The private member's bill is almost identical to another bill introduced by the opposition in November 2017, which was opposed by the government on the grounds that further research and consultation was needed.
“That opposition at the time was unpersuasive and the effluxion of time has made the case for the bill even stronger,” NSW shadow attorney general Paul Lynch said while reintroducing the bill on Thursday.
He cited recent events around the supposed leaking of personal details of motorists by the office of the Customer Service Minister Victor Dominello, which has been referred to the state’s corruption watchdog.
Lynch said the bill would amend the state’s PIPPA act “in a small but significant way that is entirely unobjectionable albeit now quite topical”.
“As is frequently noted our legislation protecting privacy in this State dates from a time before the invention of the iPhone,” he said.
“It is no surprise that the legislation needs amendment and rejuvenation.”
Lynch noted there had been “some minor updates” to the bill, though the “substance and legal aspects” had not been altered.
The federal government’s mandatory data breach reporting scheme received 1132 notifications in its first year of operation, 964 of which were deemed “eligible data breaches”.
This represented a 712 percent increase on the 159 voluntary notifications received before the scheme was introduced, according to the Office of the Australian Information Commissioner.