It will be compulsory for NSW government departments, state owned corporations and local councils to notify people affected by cyberattacks or privacy breaches under planned changes to state laws.
The move will make NSW the first Australian state or territory to introduce a mandatory data breach notification scheme, although Commonwealth agencies have been required to make notifications since 1918.
It comes after the government came under pressure earlier this year for dragging its feet on the legislation.
Risk of serious harm
Attorney General Mark Speakman says the scheme means NSW public sector agencies will have to notify the Privacy Commissioner, and anyone affected, when a data breach involving personal information is likely to result in serious harm.
A draft of the Privacy and Personal Information Protection Amendment Bill 2021, which creates the scheme, has been released for public consultation until June 18.
“The protection of people’s privacy is crucial to public confidence in NSW Government services,” Mr Speakman said.
“If passed, this Bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies.”
Digital and customer services minister Victor Dominello said it was important to safeguard privacy as government services became increasingly digitised.
“The NSW Government is committed to enhancing services through digital innovation, but it is vital the use of technology and data embodies the highest privacy, trust and security standards,” he said.
Boosting trust in government
The NSW Information and Privacy Commission (IPC), which will be involved in implementing and administering the scheme, has welcomed the decision.
Mandatory reporting obligations would give the NSW public greater certainty about how data breaches involving personal information will be handled, the IPC said.
Privacy Commissioner Samantha Gavel said the introduction of a Mandatory Notification Data Breach scheme would increase citizen trust in the way government handles personal information and increase transparency and accountability.
It would also make agencies more aware of the importance of risk management.
Based on Commonwealth scheme
The proposed NSW MNDB scheme is based on the Commonwealth Government’s Notifiable Data Breaches scheme, which was introduced in early 2018.
Ms Gavel said she backed the decision to adopt a similar scheme.
However she encouraged government agencies to continue reporting breaches to the IPC under the voluntary data breach scheme that is currently in place in NSW.
“I also encourage agencies to voluntarily notify people affected by a data breach and provide information about their right to seek an internal review under the Privacy and Personal Information Protection Act 1998 (PPIP Act) in relation to the breach,” she said.
Ms Gavel told a parliamentary committee in February that her office had received 79 voluntary notifications about breaches of government-held data last year, most of which were caused by human error, representing a 23 per cent increase over the previous 12 months.
She said this was probably the result of more reporting rather than more breaches.
The opposition has also welcomed the introduction of a mandatory reporting regime but said the horse had already bolted following a series of data breaches in government departments.
Great news. Cyber criminal activity and careless processes have an opportunity to continue under the current No Rules.
Funding? Rules without enforcement will lead to the same situation as we have now.