NSW Privacy Law update - Privacy and Personal Information Protection Amendment Bill 2022 - new mandatory notification of data breach scheme

In brief - On 16 November 2022, the NSW Parliament passed the Privacy and Personal Information Protection Amendment Bill 2022 (the Bill). It is now awaiting assent in order to take effect as law

The Bill will amend the Privacy and Personal Information Protection Act 1998 (NSW) (the PIPP Act) by introducing a mandatory notification of data breach scheme (MNDB scheme). 

A similar scheme has existed at the federal level in Australia since 2017, whereby any organisation or agency regulated by the Privacy Act 1988 (Cth) must notify the OAIC Commissioner and impacted individuals if a data breach is likely to result in serious harm to individuals. 

Public sector agencies must now report a data breach to the NSW Privacy Commissioner

In NSW, the Bill is intended to adopt the key features of the Commonwealth scheme in respect of the mandatory notice of data breaches. 

The Bill will update the PIPP Act to extend the definition of public sector agencies to incorporate state-owned corporations which are not subject to the Privacy Act 1988 (Cth). At present, public sector agencies in NSW are encouraged but not required to report a data breach to the NSW Privacy Commissioner. 

The MNDB scheme, once enacted, will be the first state or territory-based scheme in Australia. It will ensure that all agencies and corporations in NSW have a mandatory obligation to report and notify data breaches, under either federal or state legislation. There may be some limited instances where an agency is required to assess and notify of a data breach under the Commonwealth scheme and MNDB scheme. 

Key takeaways of the Bill are:

Creation of a mandatory notification of data breach scheme

1. The Bill introduces a scheme for the mandatory notification of certain data breaches under a new Part 6A:

• eligible data breaches which must be notified are of three types: unauthorised disclosure, unauthorised access, or loss of information
• affected individuals who must be notified are those at risk of serious harm as a result of the data breach involving their personal information
• if an agency has reasonable grounds to suspect that an eligible data breach has occurred, the agency is required to take steps to contain the breach
• the agency must assess the breach to determine whether the breach is an eligible data breach within 30 days of becoming aware of the breach. This assessment involves consideration of factors such as the types of personal information involved in the breach, the sensitivity of the personal information, or any security measures protecting the personal information
• if an eligible data breach has occurred, the agency must provide information to the Privacy Commissioner such as whether the breach is a cyber incident, the estimated cost of the breach, and the total number of individuals affected by the breach
• the agency must notify affected individuals of the breach, including the date of the breach, description of the breach, how the breach occurred and the type of breach that occurred
• if the agency is unable to notify each individual or it is not reasonably practicable to do so, the agency must issue a public notification by way of a notice on a webpage, an announcement on social media, or a print or online advertisement
• agencies may collect, use and disclose information to confirm particular information about individuals affected by certain data breaches such as the name and contact details of an individual and whether the individual is deceased
• there are exemptions from mandatory notification in particular circumstances such as: where multiple agencies are affected, where ongoing investigations and certain proceedings could be prejudiced, where notification poses a serious risk to health and safety, and where cyber security could be compromised. 

Expanded regulatory powers of the Privacy Commissioner in NSW

The Bill will give the Privacy Commissioner additional powers relating to the MNDB scheme including the power to:

• investigate, monitor, audit and report on compliance with the scheme by agencies. For the purpose of monitoring compliance, the Privacy Commissioner can observe the systems, policies and procedures of an agency; and
• give directions to agencies and establish guidelines, recommendations and reports in relation to data breaches for agencies.

Requirements for agencies to publish a data breach policy, keep a data breach register and implement a privacy management plan

The Bill will require public sector agencies in NSW to:

• prepare and publish a data breach policy and establish and maintain an internal register for eligible data breaches to support the requirements of the MNDB scheme; and
• establish and implement a privacy management plan which is to include the procedures and practices used by the agency to ensure compliance with the MNDB scheme.

Once enacted, the Bill provides for a 12-month transition period, thereby allowing public sector agencies in NSW time to prepare appropriate systems and processes to comply with the MNDB scheme.