Posted on November 28, 2022 by Lindsay Taylor and 3

Privacy Bill Passed to Introduce Mandatory Data Breach Notification Scheme for Public Sector Agencies

On 16 November 2022, the NSW Parliament passed the Privacy and Personal Information Protection Amendment Bill 2022 (‘Bill‘). The Bill is awaiting assent and will come into effect on the first anniversary of the date of assent.

Amendments to the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’)

The Bill proposes the following main amendments to the PPIP Act:

• to insert a new ‘Part 6A‘ into the PPIP Act to establish a mandatory notification of data breach scheme (‘Mandatory Notification Scheme‘), and
• to extend the PPIP Act’s application to all state-owned corporations that are not subject to the Privacy Act 1988 (Cth) by amending the current definition of ‘public sector agency‘ in s3(1) of the PPIP Act.

Under the PPIP Act as amended by the Bill, New South Wales is set to become the first Australian state to have a Mandatory Notification Scheme for its public sector agencies (including local councils) to respond to breaches of citizens’ personal data ‘held’ (as defined by proposed s59C) by the agencies.

The amended PPIP Act will require a public sector agency’s privacy management plan must also include provisions relating to, in addition to the existing mandated matters, ‘the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme‘ (see Schedule 1[6] and [7] of the Bill).

The NSW Privacy Commissioner (‘Privacy Commissioner‘) will also be given additional functions under the amended PPIP Act including ‘to investigate, monitor, audit and report on a public sector agency’s compliance with Part 6A, including the agency’s data handling systems, policies and practices‘ (see Schedule 1[10] of the Bill), and additional related powers under Division 5 of the new Part 6A.

Mandatory Notification Scheme – Part 6A

Central to the operation of the new Part 6A is the term ‘eligible data breach‘, which is defined in proposed s59D(1) to mean:

‘(a)  there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or

(b)  personal information held by a public sector agency is lost in circumstances where—

(i)  unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and

(ii)  if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.‘

Duty to report data breaches to head of agency

Under the new Part 6A, if a public sector agency officer or employee is aware that ‘there are reasonable grounds to suspect there may have been an eligible data breach of the agency, the officer or employee must report the data breach to the head of the public sector agency‘ (see proposed ss 59E(1) and (2)).

For the purposes of Part 6A, a ‘head of a public sector agency‘ means:

‘(a)  for a Public Service agency—the person who is the head of the Public Service agency within the meaning of the Government Sector Employment Act 2013, or

(b)  otherwise—the person who is the chief executive officer, however described, of the agency or otherwise responsible for the agency’s day to day management.’

For a local council, the relevant head as defined above is its general manager appointed under s334 of the Local Government Act 1993.

Duty to contain and assess data breaches

Once a data breach has been reported, the head of a public sector agency must:

• ‘immediately make all reasonable efforts to contain the data breach‘, and
• within 30 days after the officer or employee of the agency becomes aware of the data breach, ‘carry out an assessment of whether the data breach is, or there are reasonable grounds to believe the data breach is, an eligible data breach (an assessment)’, which must be carried out in an expeditious way subject to an extension approved under proposed s59K (see proposed ss 59E(2) and (3)).

During an assessment under s59E, the head of the agency the subject of the suspected breach must ‘make all reasonable attempts to mitigate the harm done by the suspected breach‘ (see proposed s59F).

For the purposes of carrying out the assessment, the head of that agency may direct one or more eligible persons to be an assessor who so directed must take all reasonable steps to ensure the assessment is completed as required by s59E(2)(b), and at a minimum by taking into account the factors specified in s59H (see proposed s59G).

Decision about data breaches

Following an assessment, the assessor must advise the head of the public sector agency whether the assessment found that the data breach is, or there are reasonable grounds to believe it is, an eligible data breach (see proposed s59J(1)). After receiving such advice, the head of that agency must decide whether the data breach is, or there are reasonable grounds to believe the data breach to be, an eligible data breach (see proposed s59J(2)).

Duty to notify data breaches

Once a data breach is determined to be an eligible data breach, the head of the agency must immediately take the following actions:

• notify the Privacy Commissioner of the eligible data breach in the approved form specified in s59M(2) unless it is not reasonably practicable for the information to be provided (see proposed s59M),
• notify any further information that was not given to the Commissioner as part of the immediate notification under s59M (see proposed s59Q),
• to the extent that it is reasonably practicable, take the steps that are reasonable in the circumstances to notify each individual to whom the personal information the subject of the data breach relates or each affected individual (see proposed s59N(1)), and such a notification must include the information in relation to each eligible data breach specified in proposed s59O,
• if the head of the agency is unable to notify, or if it is not reasonably practicable for him or her to notify, any or all of the individuals specified in s59N(1), the head of the agency must publish a public notification under s59P and take reasonable steps to publicise the notification (see proposed s59N(2)).

For the purposes of the Mandatory Notification Scheme, a public sector agency the subject of an eligible data breach is given the power to collect, use and disclose relevant personal information from or to another public sector agency, but only if it is reasonably necessary for the purpose of confirming the name and contact details of a ‘notifiable individual‘ (as defined by s59R(7)) or whether a notifiable individual is deceased (see proposed s59R).

It should be noted that the head of a public sector agency is exempt from the requirements of the Mandatory Notification Scheme under circumstances specified in Division 4 of the proposed Part 6A.

Data breach policy

Part 6A further requires that the head of a public sector agency must prepare and publish (by making it publicly available) a data breach policy (see proposed s59ZD), and establish and maintain an internal register for eligible data breaches (see proposed s59ZE).

A copy of the Bill that was passed by the Parliament can be accessed via this link.

Last year, the NSW Government undertook a consultation process for a draft version of the Bill, which we discussed in a previous blog (see here).

For more information on the implications of the Bill, please contact Dr Lindsay Taylor or Ming Gu.