Last month we highlighted the proposed introduction of a mandatory data breach notification scheme under the Privacy and Personal Information Protection Act 1988 (NSW) (PPIP Act). The draft Privacy and Personal Information Protection Amendment Bill 2021 (the PPIP Amendment Bill) has now been released for public consultation, together with an accompanying Factsheet. As expected, the PPIP Amendment Bill proposes key changes for New South Wales public sector agencies including the introduction of a mandatory data breach notification (MDBN) scheme. It also proposes extending the application of NSW privacy laws to state-owned corporations that are not already regulated by the Commonwealth Privacy Act 1988 (Cth).

What is changing?

The PPIP Amendment Bill proposes the following key changes to the PPIP Act:

• The introduction of a MDBN scheme. The scheme will require public sector agencies to notify the NSW Privacy Commissioner and affected individuals of data breaches involving their personal or health information which are likely to result in serious harm.
  
• New governance requirements for public sector agencies, including obligations to prepare and publish a data breach policy, keep a register of breach notifications, establish and maintain an internal register of eligible data breaches and update Privacy Management Plans to include references to MDBN scheme obligations.
• Enhanced regulatory powers for the NSW Information Commissioner in relation to enforcement of the MDBN scheme.
• Extending the application of the PPIP Act to state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988 (Cth), being:
  • Transport Asset Holding Entity of NSW
  • Forestry Corporation of NSW
  • Hunter Water
  • Port Authority of NSW
  • Sydney Water
  • Landcom
  • Water NSW

Affected state-owned corporations may therefore need to implement internal processes to ensure they can comply with the PPIP Act as a whole, in addition to the MDBN scheme.

Key considerations

Health information

For the purpose of the MDBN scheme, personal information under the PPIP Act will expressly include ‘health information’ as defined in s6 of the Health Records and Information Privacy Act 2002 (NSW). Consequently, the MDBN scheme will extend to breaches involving health information.

Alignment with the Commonwealth notifiable data breach (NDB) scheme

The proposed MDBN scheme has the potential to require notification under both the NSW and the Commonwealth schemes in limited circumstances (for example if the data breach compromises tax file numbers).

The potential for overlap has been noted in the Fact Sheet, which states the MDBN scheme has been designed to adopt key features of the Commonwealth NDB scheme (i.e. in terms of timing and assessment thresholds) to limit the impact of this overlap.

However, in practice, we anticipate there may be occasions where a data breach gives rise to separate obligations to notify each of the affected individual, the NSW Privacy Commissioner, the Office of the Australian Information Commissioner and the Australian Taxation Office. This has the potential to impose a significant regulatory burden on public sector agencies.

Alignment with the Information Privacy Principles (IPPs)

As we have previously highlighted , the NSW model will also need to take into account the manner in which notification obligations interact with existing provisions of the PPIP Act, including the IPPs, to ensure that the process of notifying affected individuals is as straightforward as possible. This is particularly important given the timeframes involved.

The PPIP Amendment Bill addresses the interaction of the notification obligations under the MDBN scheme with existing provisions of the PPIP Act, including the IPPs to some degree, by proposing a public sector agency will not be required to comply with an IPP or a privacy code of practice for the purposes of sharing personal information within the agency or with an officer or employee of another public sector agency if this is reasonably necessary for the purposes of either:

• confirming the name and contact details of a notifiable individual
• confirming whether a notifiable individual is deceased.

Where to from here?

The NSW government has invited feedback on the PPIP Amendment Bill by Friday 18 June 2021, with an expectation that the PPIP Amendment Bill will be introduced this year.

The PPIP Amendment Bill allows for a 12-month transition period. NSW government agencies (including state-owned corporations captured by the PPIP Act as a result of the changes) and the IPC will need to use the 12-month transition period to prepare and implement appropriate systems and processes to ensure they can comply with their new obligations.

Summary of the changes to NSW privacy laws

The attached table sets out a high level summary of the proposed MDBN scheme.

Now is the time for public sector agencies in NSW to start considering their data handling practices in anticipation of these changes. In particular, we recommend that NSW Government agencies:

• Consider the PPIP Amendment Bill and have their say on the proposed changes.
• Review their existing data handling practices to ensure they have the necessary procedures in place to respond to and notify data breaches quickly and effectively, in accordance with the law.
• Prepare a data breach response plan, to the extent they do not already have one in place. In our experience, data breach response plans which are actively followed and enforced can prove essential in ensuring the coordinated and effective management of data breaches, including compliance with notification requirements where necessary.
• Ensure that agreements with third party service providers who handle personal information include appropriate provisions regarding the management and notification of data breaches, properly allocate responsibility under contract and outline specific steps to be followed in case of a notifiable data breach.