NSW readies its own data breach notification scheme for state agencies
The New South Wales government is preparing a new Bill that will require public sector and state-owned entities to report a data breach to the Privacy Commissioner as well as any affected individuals.
The Privacy and Personal Information Protection Amendment Bill 2021 aims to strengthen privacy protection in NSW and extends the federal breach reporting requirements mandated by the Notifiable Data Breaches (NDB) Scheme, which came into effect in February 2018.
The NDB scheme requires agencies and organisations in Australia that are covered by the Commonwealth Privacy Act 1988 to notify individuals, whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.
The proposed NSW mandatory notification of data breach (MNDB) scheme shares the same notification threshold as the NDB scheme, but differs in application and enforcement. Although the NDB scheme has coverage Australia-wide, the NSW scheme aims to fill the gap it leaves regarding state entities.
"Any mandatory data breach notification scheme introduced in NSW would be designed to complement the existing Commonwealth Notifiable Data Breach (NDB) Scheme under the Privacy Act, particularly in areas of jurisdictional overlap," the Information and Privacy Commission New South Wales said previously.
The draft exposure Bill [PDF] proposes to establish an MNDB scheme to require public sector agencies bound by the NSW Privacy and Personal Information Protection Act 1998 (PPIP Act) to notify the Privacy Commissioner and affected individuals of data breaches of personal or health information, which are likely to result in serious harm.
It also applies the PPIP Act to all state-owned corporations that are not regulated by the Privacy Act.
"The MNDB scheme will require public sector agencies to notify the Privacy Commissioner and affected individuals if a data breach affecting personal or health information that is likely to result in serious harm occurs," the fact sheet [PDF] details.
"The MNDB scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy."
The state government said a mandatory scheme is being proposed to improve agency data management, reduce underreporting, and reduce the occurrence of data breaches that cause serious harm.
"Mandatory schemes enable individuals to take action to protect themselves in the event of breaches, and can increase public trust in government," it adds.
As detailed in January, in 2019-20, the commission received 41 voluntary breach notifications.
State government was accountable for 28, local government for 10, and public universities for three.
The proposed MNDB scheme requires an agency to contain and assess a suspected data breach to determine whether it is an eligible breach under the scheme, and, if so, to notify the Privacy Commissioner and any affected individuals.
It specifies the timeframes in which an agency must assess a data breach, notify the Privacy Commissioner, and notify affected individual/s of the breach.
Agencies will also have other information handling requirements, including maintenance of an internal data breach incident register and creation of a publicly accessible data breach policy.
The scheme will permit limited information sharing -- such as contact details and dates of birth and death of the affected individual -- between agencies for the purpose of notifying affected individual/s of an eligible data breach.
In the notification, it is anticipated the entity will be required to provide a description of the breach, including when and how it occurred, what data was affected, how long the data was affected, and what type of breach it was, such as loss, disclosure, or unauthorised access. It will also contain detail of what the agency is doing to control or reduce the harm.
Additionally, the entity will be required to provide recommendations to affected individuals about the steps they should take to minimise the impact of the breach, as well as their right to seek an internal review.
The agency will not be allowed to make reports anonymously to the commissioner and it must list any other affected agencies.
Peripheral information the commissioner would like to receive includes whether it was a cyber incident, the estimated cost of the breach to the agency, the total number, or estimated total number, of individuals affected or likely to be affected by the breach, and whether they have been notified.
There are exemptions to the proposed scheme, such as where notification would prejudice law enforcement activities, that the exception would prevent or reduce a serious risk to an individual's health or safety, the notification is likely to result in more breaches or deteriorate the agency's cybersecurity, and the agency has remedied the harm of the breach successfully, for example, if an email was sent to the incorrect recipient, but was recalled successfully and deleted prior to the recipient opening the email.
A further exception applies where notification to the commissioner would contravene a secrecy provision contained in other legislation.
The proposed MNDB scheme would grant the commissioner new powers regarding the MNDB scheme, including to enter premises and inspect anything that may relate to compliance with the MNDB scheme.
They will also be given powers to conduct audits in relation to the MNDB scheme and produce a report to the head of agency and responsible minister.
Following public consultation, which closes 18 May 2021, it is anticipated that a Bill will be introduced in the NSW Parliament before the end of the year. If passed, the MNDB scheme will commence 12 months following the passage of legislation.