Preparing for mandatory data breach notification under NSW privacy laws: Five key actions
This is the second instalment in our For Your Information campaign, which consists of a series of useful articles, training and quick guides which deal with the handling of information in the NSW Government. Topics will include Government information, privacy, standing order 52, Data Protection, legal professional privilege and much more.
As a matter of best practice, NSW Government agencies are currently encouraged to voluntarily report data breaches to the Information and Privacy Commission (IPC) and to affected individuals.
From 28 November 2023, key amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) will commence, introducing mandatory data breach notification obligations (the MNDB Scheme).
NSW public sector agencies subject to the PPIP Act will now be required to comply with the new MNDB Scheme.
Are you impacted?
These changes will apply to all NSW state and local government agencies which are subject to the PPIP Act, as well as other entities which fall subject to the NSW privacy laws, including certain universities.
The PPIP Act definition of a public sector agency will also be expanded to expressly capture state-owned corporations (SOCs) that are not already regulated by the Commonwealth Privacy Act 1988 (Cth). Affected SOCs therefore need to ‘get ready’ to comply with the PPIP Act as a whole, in addition to the MNDB scheme.
What you need to know
We have previously provided updates in relation to the changes here.
In summary, the MNDB Scheme will require NSW public sector agencies to:
- in the event of a suspected data breach, contain the breach, assess the likely severity of harm to impacted individuals and mitigate
- if the breach is likely to result in serious harm to one or more individuals, notify the NSW Information and Privacy Commissioner (IPC) as well as the affected individuals
- where the affected individuals cannot be identified or where it is not reasonably practical to notify them, issue a public notification on the agency’s website.
The amendments will also impose obligations relating to responsible handling of personal and health information, including a requirement to implement a publicly available data breach management policy and a number of new governance obligations for agencies.
Actions to take now
The checklist below sets out the five key steps that we recommend agencies take now to get ready.
1. Prepare and publish your Data Breach Policy
Agencies must develop and publish a Data Breach Policy (DBP) on their website. The IPC has published non-binding guidance on its website to assist agencies to understand what types of information should be included in a DBP here.
2. Prepare and implement a Data Breach Response Plan
A Data Breach Response Plan can assist to assess, manage, contain and respond to suspected and real data breaches.
Data Breach Response Plans are essential in ensuring the coordinated and effective management of and response to data breaches, including compliance with notification requirements where necessary.
To ensure your plan is ‘fit for purpose’, rigorously test the plan by conducting education and training exercises.
3. Update your Privacy Management Plan
As amended, the PPIP Act will require agencies to update their Privacy Management Plans to set out the agencies’ obligations with respect to data breach management and notification.
4. Establish and publish a Notification Register
Agencies will be required to maintain a public notification register containing certain mandatory information about any public data breach notifications they have made.
This register should be published on the agency’s website and updated anytime the agency publishes a public notification.
5. Establish and maintain an internal Incident Register
Agencies must establish and maintain an internal register containing certain mandatory information about eligible data breaches faced by the agency.
Other key tips
Ensure that agreements with third-party service providers who handle personal information include appropriate provisions regarding the management and notification of data breaches. These agreements should properly allocate responsibility under contract and outline specific steps to be followed in case of a notifiable data breach.
Remember that there is the potential that notification under both the NSW and the Commonwealth NDB scheme will be required in some limited circumstances (for example if the data breach compromises Tax File Numbers). The MNDB scheme has been designed to adopt key features of the Commonwealth NDB scheme (i.e. in terms of timing and assessment thresholds) to limit the impact of this overlap.
Require further assistance on the NSW mandatory data breach notification scheme?
Following on from our webinar during Privacy Awareness Week, we will offer a further virtual session for clients impacted by this change at the end of October. Meanwhile, please contact us if you need support or advice on how to comply with your obligations under the NSW mandatory data breach reporting scheme.