As a matter of best practice, NSW Government agencies are currently encouraged to voluntarily report data breaches to the Information and Privacy Commission (IPC) and to affected individuals.

From 28 November 2023, key amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) will commence, introducing mandatory data breach notification obligations (the MDBN Scheme).

NSW public sector agencies subject to the PPIP Act will now be required to comply with the new MNDB Scheme.

Are you impacted?

These changes will apply to all NSW state and local government agencies which are subject to the PPIP Act, as well as other entities which fall subject to the NSW privacy laws, including certain universities.

The PPIP Act definition of a public sector agency will also be expanded to expressly capture state-owned corporations (SOCs) that are not already regulated by the Commonwealth Privacy Act 1988 (Cth). Affected SOCs therefore need to ‘get ready’ to comply with the PPIP Act as a whole, in addition to the MNDB scheme.

What you need to know

We have previously provided updates in relation to the changes here.

In summary, the MNDB Scheme will require NSW public sector agencies to:

• in the event of a suspected data breach, contain the breach, assess the likely severity of harm to impacted individuals and mitigate the impacts
  
  
• if the breach is likely to result in serious harm to one or more individuals, notify the NSW Information and Privacy Commissioner (IPC) as well as the affected individuals
  
  
• where the affected individuals cannot be identified or where it is not reasonably practical to notify them, issue a public notification on the agency’s website.

The amendments will also impose obligations relating to responsible handling of personal and health information, including a requirement to implement a publicly available data breach management policy and a number of new governance obligations for agencies.

Actions to take now

The checklist below sets out the five key steps that we recommend agencies take now to get ready.

1.	Prepare and publish your Data Breach Policy Agencies must develop and publish a Data Breach Policy on their website. The IPC has published non-binding guidance on its website to assist agencies to understand what types of information should be included in a DBP here.
2.	Prepare and implement a Data Breach Response Plan A Data Breach Response Plan can assist to assess, manage, contain and respond to suspected and real data breaches. Data Breach Response Plans are essential in ensuring the coordinated and effective management of and response to data breaches, including compliance with notification requirements where necessary. To ensure your plan is ‘fit for purpose’, rigorously test the plan by conducting education and training exercises.
3.	Update your Privacy Management Plan As amended, the PPIP Act will require agencies to update their Privacy Management Plans to set out the agencies’ obligations with respect to data breach management and notification.
4.	Establish and publish a Notification Register New requirements to maintain a public notification register containing certain mandatory information about any public data breach notifications they have made will apply. This register should be published on the agency’s website and updated anytime the agency publishes a public notification.
5.	Establish and maintain an internal Incident Register Agencies must establish and maintain an internal register containing certain mandatory information about eligible data breaches faced by the agency.

Other key tips

Ensure that agreements with third-party service providers who handle personal information include appropriate provisions regarding the management and notification of data breaches. These agreements should properly allocate responsibility under contract and outline specific steps to be followed in case of a notifiable data breach.

Remember that there is the potential that notification under both the NSW and the Commonwealth NDB scheme will be required in some limited circumstances (for example if the data breach compromises Tax File Numbers). The MNDB scheme has been designed to adopt key features of the Commonwealth NDB scheme (i.e. in terms of timing and assessment thresholds) to limit the impact of this overlap.