NSW privacy watchdog wants to make govt suppliers culpable for breaches

NSW’s privacy watchdog is on a mission to patch gaps in the state’s data protection laws that haven’t caught up with an accelerating trend towards government outsourcing.

Privacy commissioner Elizabeth Coombs says as more state government duties are placed in private hands, her ability follow up on complaints if and when privacy rules are breached becomes challenged.

The NSW Privacy Act applies only to public sector agencies.

But unlike equivalent laws in Queensland and the Commonwealth, the statute does not offer agencies a way to hand off those obligations (and liability to be investigated) to suppliers who are handling the government’s data.

Coombs wants the laws to be amended with a new clause that will allow the government to specify in supplier contracts where the burden of responsibility lies with when it comes to privacy compliance: the government or the supplier and its subcontractors.

“The amendments are not novel; they are working successfully in other laws, and their adoption will make provision for reparation by individuals who have been aggrieved by incursions into their privacy,” she wrote in a recent report to parliament.

As the government outsources more work to contractors and third parties, she said the risks of "data systems failures and intentional privacy violations now lie with the private sector”.

“It follows that the private sector’s responsibilities must be recognised in our law in a way that allows individuals to have a right to complain about alleged privacy breaches," she wrote.

The privacy commissioner is also asking for new powers to take action against individual government employees who intentionally abuse government databases and customer details.

Coombs says she has observed everything from officials using obtained health data for family law, inheritance, or neighbourhood disputes, to government workers switching in other people’s personal identifiers to get out of paying parking fines.

In Queensland, the Crime and Corruption Commission says unlawful access to government systems - including police databases -  makes up 11.5 percent of all its complaints and is on the rise.

Currently the NSW privacy commissioner can only take action against an organisation for having weak systems and processes for protecting personal information. She wants changes that will make an employee liable for the breach if they intentionally carried it out.

Coombs urged NSW to keep up with the privacy protections of other jurisdictions.

“It is unclear why privacy laws have not been treated equally and their coverage aligned with these other similar laws," she said.

“This lack of alignment and absence of coverage is particularly concerning in light of the advances in technology that have increased both the frequency and extent of privacy breaches.”