The introduction of a mandatory data breach notification scheme under the Privacy and Personal Information Protection Act 1988 (NSW) (PPIP Act) is back on the agenda, with indications that new data breach notification obligations may be legislated and in force as early as next year.

The proposed introduction of a mandatory data breach notification scheme has the potential to significantly impact the ways in which NSW Government agencies handle personal information. We recommend agencies start to consider their internal processes and practices now, in light of the expected new notification obligations.

In brief

• As a matter of best practice, NSW Government agencies are currently encouraged to voluntarily report data breaches to the Information and Privacy Commission (IPC) and to affected individuals.
• Following on from an initial recommendation in 2015, consultation by the Department of Communities and Justice (DCJ) during 2019 revealed overwhelming public support in favour of introducing mandatory data breach reporting obligations for NSW Government agencies.
• During budget estimates in March 2021, the Government indicated that an exposure draft bill amending the PPIP Act to introduce a mandatory data breach notification obligation would be released for public comment in the first half of 2021.

Key considerations in developing the NSW model

Alignment with the Commonwealth notifiable data breach (NDB) scheme

Commonwealth Government agencies and organisations regulated by the Privacy Act 1988 (Cth) (APP entities) are already subject to mandatory data breach notification requirements. These generally require notification to individuals and to the Office of the Australian Information Commissioner (OAIC) within strict timeframes where there is a risk of ‘serious harm’ to affected individuals.

In some limited circumstances (for example, where the breach relates to tax file numbers), NSW Government agencies may also be required to comply with the mandatory reporting obligations which arise under the Commonwealth NDB scheme.

It will therefore be essential to ensure that any new notification obligations under the NSW model are closely aligned with those obligations which may already apply to NSW Government agencies under the Commonwealth NDB scheme, to reduce any unnecessary duplication or regulatory burden on NSW Government agencies.

In her submission to the recently announced review of the Commonwealth Privacy Act, the NSW Privacy Commissioner confirmed that any mandatory reporting scheme introduced in NSW would need to complement the Commonwealth NDB scheme, particularly in areas of jurisdictional overlap.

We note, however, that the IPC has previously indicated a preference for aspects of the NSW model to go beyond the Commonwealth NDB scheme. In a submission made in response to the 2019 consultation process, the IPC stated that exemptions to the obligation on an APP entity to report data breaches due to the exercise of remedial action should not be replicated in NSW. Instead, it was suggested that reporting obligations under the NSW model should apply irrespective of whether remedial action had been taken.

It is therefore possible that NSW Government agencies will need to comply with requirements which are more onerous than those which currently apply under the Commonwealth scheme.

Alignment with the Information Privacy Principles (IPPs)

The NSW model will also need to take into account the manner in which any notification obligations interact with existing provisions of the PPIP Act, including the IPPs.

In our experience, challenges commonly arise in the context of voluntary notification due to structural impediments in the IPPs, particularly where notification may require the disclosure of certain information between agencies (which may in and of itself represent a breach of the IPPs).

Where to from here?

The NSW Government has indicated that an exposure draft of legislation amending the PPIP Act to introduce a mandatory reporting scheme in NSW will be released shortly for public comment.

This means that now is the time for NSW Government agencies to start considering their data handling practices in anticipation of these changes. In particular, we recommend that NSW Government agencies:

• Use this opportunity to consider the existing requirements of the IPPs and the Commonwealth NDB scheme and be ready to make submissions in response to any further requests for consultation on the proposed NSW model.
  
• Consider their existing data handling practices in anticipation of changes which will likely require swift identification and notification of data breaches. Agencies may need to consider the implementation of a data breach response plan, to the extent they do not already have one in place. In our experience, data breach response plans which are actively followed and enforced by the appropriate internal stakeholders have proven essential in ensuring the coordinated and effective management of data breaches, including compliance with notification requirements where necessary.
  
• Ensure that agreements with service providers who handle personal information include appropriate provisions regarding the management of data breaches, to properly allocate responsibility under the contract for the identification of data breaches with specific steps to be followed in case of a notifiable data breach.

Given strong indications that the introduction of a mandatory data breach notification scheme is back on the agenda in NSW, we recommend that agencies take steps now to prepare.

Once implemented, a mandatory data breach notification scheme under the PPIP Act is expected to replace voluntary notification recommendations, by mandating the reporting of data breaches to both affected individuals and the IPC. Agencies will need to ensure they have the necessary procedures in place to respond to and notify data breaches quickly and effectively, in accordance with the law.

The NSW Government has indicated that an exposure draft of legislation amending the PPIP Act to introduce a mandatory reporting scheme in NSW will be released shortly for public comment. Once released, agencies should consider the proposed changes to the legislation with a view to making submissions in response.

We will provide further updates on the NSW mandatory data breach notification scheme as they arise.