Privacy regulation in Australia
When discussing the operation of our Federal system in Australia with overseas lawyers they are often struck by the inefficiency of our Federal, State and Local Government structure, for a relatively small population. Undoubtably this leads to inefficiency such as that evident from having a federal "Office of the Australian Information Commissioner" and the various State based agencies such as the "Information and Privacy Commission NSW".
Section 4(3) of the Privacy Act 1988 (Cth) provides: "Nothing in this Act shall be taken to have the effect of making the Crown in right of a State, of the Australian Capital Territory or of the Northern Territory an agency for the purposes of this Act."
This of course leads to differences in basic regulations and requirements for different organisations in Australia, for example:
- "small businesses" which are excluded from the Privacy Act 1988 (Cth) for most purposes where their turnover in the previous financial year was less than AUD$3M. This major carve out for small business puts Australia out of step with international trends in privacy regulation and it is worth noting that around half of the total labour market in Australia is employed in small businesses.;
- Federal Government agencies, organisations carrying on business in Australia (that are not small businesses) and private health providers, which are covered by the federal legislation; and
- State Government agencies, local Government, public hospitals and universities which are covered by State legislation.
A consequence of the duplication of regulation and regulators is inconsistency in approach which makes compliance more complicated than it ought to be. In the case of mandatory notification of data breaches, Australia was slow to catch up with Europe and most of the US States, but it started to catch up in 2017 with the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). Now some 5 years later the NSW State Government has taken a step towards harmonisation in this area.
Privacy and Personal Information Protection Amendment Bill 2022 (NSW)receives royal assent
On 16 November 2022, the Privacy and Personal Information Protection Amendment Bill 2022 (NSW) (Bill) passed NSW Parliament and is now waiting to receive royal assent. The Bill amends the Privacy and Personal Information Protection Act 1998 (NSW) to introduce a mandatory notification of data breach scheme to apply to NSW public sector agencies, that is NSW State Government agencies, local councils and universities, bodies providing data services on behalf of these organisations (and any prescribed in regulations), as well as NSW State owned corporations who do not already have to comply with the Privacy Act 1988 (Cth) (both referred to as "public sector agencies" for the purpose of this article).
The mandatory scheme is the first of its kind for any State or Territory Government in Australia. The changes introduced will come into effect on the 28 November 2023 (first anniversary of the date of royal assent).
The mandatory scheme will replace the current voluntary reporting scheme which encourages agencies that have experienced a serious data breach to report the details of the breach to the NSW Privacy Commissioner, so that the Commissioner can assess the breach, provide advice or investigate.
Features of the NSW mandatory notification of data breach scheme
The mandatory scheme to be introduced requires public sector agencies in the event of becoming aware of a suspected data breach involving personal information to do the following:
- immediately make all reasonable efforts to contain the data breach;
- within 30 days of becoming aware of the data breach carry out an assessment of whether the data breach is, or there are reasonable grounds to believe the data breach is, an eligible data breach (that is would access or disclosure of the information be likely to result in serious harm to an individual to whom the information relates) and make all reasonable attempts to mitigate the harm done by the suspected breach;
- if the agency assesses that the breach is an eligible data
- notify the NSW Privacy Commissioner in the approved form;
- to the extent it is reasonably practicable, take steps that are reasonable in the circumstances to notify each affected individual; and
- where affected individuals cannot be identified or where it is not reasonably practical to notify them, to issue a public notification.
There are also new requirements relating to responsible handling of personal and health information, including a requirement to have a publicly available data breach management policy.
There are certain exemptions from the requirements of the scheme. For example:
- where there are breaches that involve multiple public sector agencies;
- where notification would prejudice ongoing investigations or proceedings;
- where notification would be inconsistent with secrecy provisions;
- where notification would cause risk of harm to an individual's health and safety; and
- where notification would worsen an agency's cyber security or result in more data breaches.
The NSW Privacy Commissioner is given broad powers in respect of the scheme. The Commissioner can direct certain information be provided to the Commissioner and recommend the public sector agency notify certain individuals about a suspected data breach. The Commissioner also has the ability to investigate, monitor, audit and report on the exercise of functions of public sector agencies in relation to the scheme. This includes a power to observe the systems, policies and procedures of a public sector agency, including entering the agency's premises, for the purpose of monitoring and reporting on compliance.
In the second reading speech for the Bill, Mr Mark Speakman, NSW Attorney-General, explained the rationale for introducing the scheme:
The New South Wales Government is committed to putting the people of New South Wales at the core of everything it does. That is why the scheme will introduce a legal requirement for agencies to notify individuals when their personal information has been impacted by an eligible breach. This will empower individuals who are likely to experience serious harm because of a data breach involving their personal or health information. Once notified, individuals will be able to take their own steps to mitigate the risk of harm that may arise from the breach.
Also, the NSW State Government believes the scheme is complemented by the work being done by ID Support NSW, "an Australian-first business unit providing a "no wrong doors" support service to anyone in New South Wales impacted by identity misuse", commenting that "taken together, these initiatives significantly improve the State's data breach response capability."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.