Posted on May 16, 2021 by Sophia Urlich and Carlo Zoppo

ALERT: Proposed Changes to NSW Privacy Laws – Release of Consultation Draft of Privacy and Personal Information Protection Amendment Bill 2021 including introduction of proposed mandatory notification of data breaches scheme

On 7 May 2021, the State Government released for public consultation a draft of the Privacy and Personal Information Protection Amendment Bill 2021 (‘Draft Bill’), which proposes to amend the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’), principally by inserting a new Part 6A dealing with the mandatory notification of data breaches.

The Draft Bill has been developed by the Department of Communities and Justice and the Department of Customer Service in consultation with the Information and Privacy Commission (‘IPC’) and the Ministry of Health. It takes account of community feedback received in response to the discussion paper ‘Mandatory Notification of data breaches by NSW Public Sector Agencies’, released in July 2019; that feedback supported the introduction of a mandatory notification of data breach scheme in NSW.

Proposed reforms

The Draft Bill aims to strengthen privacy protection in NSW by:

  • establishing a mandatory notification of data breach scheme (‘MNDB Scheme’),
  • extending the application of the PPIP Act to the 7 state-owned corporations (‘SOCs’) that are not already regulated by the federal Privacy Act 1988 (‘Privacy Act’),
  • repealing s117C of the Fines Act 1996 so that all NSW public sector agencies, including Revenue NSW, are regulated by the same MNDB Scheme, and
  • adding auditing and monitoring functions to the office of the Privacy Commissioner under Schedule 2 to the Government Information (Public Access) Act 2009, which concerns excluded information of particular agencies.

The MNDB Scheme

The MNDB Scheme will replace the IPC’s voluntary data breach reporting policy that presently encourages public sector agencies to report data breaches to the NSW Privacy Commissioner on a voluntary basis.

Agency obligations under the MNDB Scheme

The MNDB Scheme will require all NSW public sector agencies bound by the PPIP Act, including local councils (and the SOCs not already regulated by the Privacy Act, if the proposal to extend the PPIP Act to them is enacted), to contain and assess any suspected data breach, and to notify the NSW Privacy Commissioner and affected individuals of any data breach involving personal or health information that is likely to result in serious harm.

The MNDB Scheme will also require such agencies to satisfy other data management requirements, including to maintain internal data breach incident registers and to have publicly accessible data breach policies and notification registers.

A number of exemptions from certain eligible data breach requirements are also set out in the Draft Bill (see Division 4, Part 6A).

Information to which the MNDB Scheme will apply

In the Draft Bill, ‘personal information’ is defined to include health information within the meaning of the Health Records and Information Privacy Act 2002 (‘HRIP Act’).

The MNDB Scheme is therefore proposed to apply both to personal information as defined in s4 of the PPIP Act and to health information as defined in s6 of the HRIP Act, even though such health information is otherwise excluded from the application of the PPIP Act.

The MNDB Scheme is proposed to extend to health information because there is presently no mandatory reporting scheme for breaches involving health information under the HRIP Act.

Eligible data breaches and serious harm

In the Draft Bill, an ‘eligible data breach’ is defined to include unauthorised access to, or unauthorised disclosure of, personal information, and the loss of personal information in circumstances where the loss is likely to result in unauthorised access or disclosure, in each case where a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.

Eligible data breaches can occur within an agency, between agencies, and external to agencies where external persons or entities access data held by or on behalf of agencies without authorisation.

A Fact Sheet published by NSW Communities & Justice states that serious harm can include financial, psychological, physical and reputational harm. What constitutes serious harm in a given case will, however, depend on the circumstances of the breach, and the Draft Bill prescribes a number of factors to be considered when assessing whether a breach is likely to result in serious harm. The factors for consideration include:

  • the types of personal information involved in the breach,
  • the sensitivity of the personal information involved in the breach,
  • whether the personal information is protected by security measures,
  • the persons who have obtained, or who could obtain, the personal information,
  • the likelihood that persons who have obtained, or could obtain, the personal information have the intention of causing harm or could circumvent security measures,
  • the nature of the harm that has or may occur, and
  • any other matters specified in guidelines issued by the NSW Privacy Commissioner about whether the disclosure is likely to result in serious harm to an individual to whom the information relates.

Regulation and compliance

Compliance with the MNDB Scheme will be monitored by the NSW Privacy Commissioner. The NSW Privacy Commissioner’s existing powers are proposed to apply to the MNDB Scheme; in addition, the Draft Bill will confer new regulatory powers on the NSW Privacy Commissioner in relation to the MNDB Scheme, including powers to:

  • enter premises and inspect anything that may relate to compliance with the MNDB Scheme (after providing notice and where an agency unreasonably refuses an inspection),
  • conduct audits in relation to the MNDB Scheme, and
  • furnish a report to the head of the agency and the responsible Minister.

Public consultation

Public submissions on the Draft Bill can be made until Friday, 18 June 2021.

Following public consultation, it is anticipated that a bill will be introduced in the NSW Parliament later in 2021. If passed, the MNDB Scheme will commence 12 months after the legislation is passed, to allow the SOCs and the IPC sufficient time to put in place the systems and processes needed to meet the PPIP Act and MNDB Scheme requirements.

The Draft Bill can be viewed here. The NSW Communities & Justice Fact Sheet regarding the Draft Bill can be viewed here.

To discuss this blog, please contact Carlo Zoppo, Partner on 8235 9705 or Sophia Urlich, Lawyer on 8235 9708.