iTnews

NSW govt pledges to introduce mandatory data breach reporting

By Justin Hendry on Mar 10, 2020 6:55AM

Becomes first state or territory to do so.

NSW is set to become the first state or territory in Australia to force government agencies to report data breaches to affected individuals and the privacy commissioner.

Attorney-General Mark Speakman committed to introducing a mandatory notification of data breaches scheme in the state last month after a review found there was “overwhelming public support”.

It comes five years after former privacy commissioner Elizabeth Coombs first called for changes to privacy laws to require state agencies to notify the commission and affected persons.

Under the existing Privacy and Personal Information Protection Act, agencies are not required to report data breaches to the commission or individuals, though they are encouraged to do so.

Agencies, as well as local councils and organisations with a turnover of less than $3 million a year, are similarly not covered under the Commonwealth's mandatory notifiable data breaches scheme.

But the review, conducted by the Department of Communities and Justice in the second half of last year, determined there was “overwhelming public support” for a mandatory data breaches scheme.

Speakman told parliament that the government “shared the view” that a mandatory data breaches scheme should be introduced, but that it was still working to determine the best approach.

“The department found that there is overwhelming public support for a mandatory notification of data breaches scheme to be introduced in NSW and that is a view shared by the Government,” he said.

“The consultation did however identify differing views on what that scheme should look like.”

He said the departments of Communities and Justice and Customer Service were “working closely to develop an appropriate model for NSW” in consultation with the privacy commissioner.

“I look forward to working with the Minister for Customer Service on this model and to bringing forward the required legislative amendments to support this reform,” Speakman said.

The government’s pledge follows two previous attempts by the NSW opposition to pass mandatory data breach laws in 2017 and 2019.

The laws would have required state agencies to notify affected individuals and the NSW Privacy Commissioner after a “serious” breach of privacy.

The 2017 attempt was opposed by the government on the grounds that further research and consultation were needed, while the opposition's most recent attempt is still before parliament and unlikely to progress.

Likely to mimic the Commonwealth

The Department of Communities and Justice has already determined that a future mandatory data breaches reporting scheme would likely mimic some aspects of the Commonwealth scheme, and submissions have more or less supported this approach.

NSW's Information and Privacy Commission (IPC), which supports a mandatory data breach scheme in principle, said such a scheme “should be triggered in the same way” as the Commonwealth NDB scheme and have the same “serious harm” threshold.

“The adoption of a mandatory data breach scheme would assist in supporting and promoting public confidence and trust in the government’s use of technology and data to improve outcomes and services for the public,” the submission states.

But the IPC believes any mandatory scheme in NSW should go beyond the Commonwealth scheme by requiring state agencies to report a data breach even if the entity acts quickly to remediate it.

It said if this feature was not introduced, NSW would “compound under-reporting of breaches and delayed reporting of breaches” – a view that was not shared by the Department of Customer Service.

Both the IPC and the Department of Customer Service, however, agreed the notification timeframe for reporting data breaches should be 10 working days, compared with 30 working days under the Commonwealth scheme.

The Department of Customer Service recommended an even stricter timeframe for “breaches where the serious harm threshold is met”, with a compulsory notification to occur within 24 hours.
