Legal Insights

NSW Government releases mandatory data breach notification Bill

By Ooma Khurana, Katie McClelland

11 November 2022

Following a string of recent high profile data breaches which have left many data custodians concerned about their overall management of privacy and cyber risks, the NSW Government has this week introduced the Privacy and Personal Information Protection Amendment Bill 2022 (the Bill). The Bill will amend the Privacy and Personal Information Protection Act 1998 (PPIP Act) and, as expected, proposes key changes to the ways in which New South Wales public sector agencies need to manage personal information, including through the introduction of a mandatory notification of data breach (MNDB) scheme. The scheme, which mirrors the existing Commonwealth Notifiable Data Breaches (NDB) scheme, will be the first of its kind among Australian State and Territory governments.

In a nutshell

The Bill establishes a scheme that will require New South Wales public sector agencies to:

  • in the event of a suspected data breach (unauthorised access to, disclosure of, or loss of personal information held by a public sector agency), contain the breach and assess the likely severity of harm to impacted individuals
  • if the breach is likely to result in serious harm to an individual, notify the NSW Privacy Commissioner as well as impacted individuals
  • where impacted individuals cannot be identified or where it is not reasonably practical to notify them, issue a public notification.

The Bill will also impose obligations relating to responsible handling of personal and health information, including a requirement to implement a publicly available data breach management policy.

In introducing the Bill, NSW Attorney General, Mr Mark Speakman indicated these reforms have the support of the NSW Privacy Commissioner, saying:

the New South Wales Government is confident the bill strikes the right balance between the need to protect individuals who are impacted by data breaches and what is appropriate and workable for agencies

Behind the scenes

In July 2019, public submissions were invited in response to the question of whether an MNDB scheme should be implemented in New South Wales. The responses overwhelmingly favoured the introduction of such a scheme.

The PPIP Amendment Bill 2021 was subsequently released for public consultation on 7 May 2021.

At that time we highlighted the proposed introduction of a NSW-specific MNDB scheme and considered how that scheme would be aligned with the existing Commonwealth NDB scheme, as well as with the existing Information Privacy Principles (IPPs) under the PPIP Act.

Submissions in response to the 2021 Bill again indicated overwhelming support for an MNDB scheme and proposed a number of improvements to the Bill.

Key takeaways

The current Bill proposes the following key changes to the PPIP Act:

  • A requirement for public sector agencies to notify the NSW Privacy Commissioner and affected individuals of data breaches involving their personal or health information which are likely to result in serious harm.
  • New governance requirements which will apply to NSW public sector agencies, including obligations to prepare and publish a data breach policy, keep a register of breach notifications, establish and maintain an internal register of eligible data breaches, and update their Privacy Management Plans to include references to MNDB scheme obligations.
  • The NSW Privacy Commissioner will be granted enhanced regulatory powers to enforce the MNDB scheme, including to investigate, monitor, audit and report on the functions of an agency under the MNDB scheme.
  • The PPIP Act definition of a public sector agency will be expanded to capture state-owned corporations (SOCs) that are not already regulated by the Commonwealth Privacy Act 1988 (Cth). Affected SOCs therefore need to ‘get ready’ to implement processes internally to ensure they can comply with the PPIP Act as a whole, in addition to the MNDB scheme.
  • The proposed NSW MNDB scheme has the potential to require notification under both the NSW and the Commonwealth NDB scheme in limited circumstances (for example if the data breach compromises Tax File Numbers). The MNDB scheme has been designed to adopt key features of the Commonwealth NDB scheme (i.e. in terms of timing and assessment thresholds) to limit the impact of this overlap.

Where to from here?

The Bill allows for a 12-month transition period. This period is intended to allow enough time for agencies to prepare appropriate systems and processes to fulfil their new compliance obligations.

The NSW Information and Privacy Commission is expected to develop guidelines outlining agencies' obligations under the MNDB scheme, including guidance on key threshold questions such as how to assess whether a data breach would be likely to result in serious harm to an individual.

What you need to know

Once enacted, the PPIP Amendment Act will provide for a 12-month transition period before new obligations commence. NSW government agencies (including SOCs captured by the PPIP Act as a result of the changes) will need to use this time to prepare appropriate systems and processes to fulfil the PPIP Act and the MNDB scheme requirements.

In particular, agencies will need to ensure they have the necessary procedures in place to respond to and notify data breaches quickly and effectively, in accordance with the law.

Now is the time for public sector agencies in NSW to start considering their data handling practices in anticipation of these changes. In particular, we recommend that agencies take steps to:

  • Review existing data handling practices to ensure they have the necessary procedures in place to respond to and notify data breaches quickly and effectively.
  • Prepare a data breach response plan, to the extent they do not already have one in place. In our experience, data breach response plans which are actively followed and enforced prove essential in ensuring the coordinated and effective management of data breaches, including compliance with notification requirements where necessary.
  • Ensure that agreements with third-party service providers who handle personal information include appropriate provisions regarding the management and notification of data breaches, properly allocate responsibility under the contract, and outline the specific steps to be followed in the event of a notifiable data breach.

Require further assistance on the NSW mandatory data breach notification scheme?

Contact us to discuss how your agency can start to prepare for the introduction of a mandatory data breach reporting scheme in NSW.
