New bill proposes mandatory privacy breach notification regime for NSW – again

On 20 June 2019, shadow attorney general Paul Lynch reintroduced a bill that seeks to establish a mandatory data breach notification scheme in NSW.

The Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill would require state agencies to notify affected individuals and the NSW Privacy Commissioner after a "serious" breach of privacy.

This bill is almost identical to another introduced by the opposition in November 2017, of the same name which was opposed by the government and lapsed.

If passed the bill would introduce a mandatory data breach notification scheme similar to the current federal regime which does not apply to state government agencies or local councils.

Currently notification in NSW is voluntary and to assist NSW public sector agencies, the Information and Privacy Commission NSW (IPC) has developed a suite of resources to support NSW's voluntary data breach reporting scheme, available here.

In reintroducing the bill the shadow attorney general cited recent events around the alleged leaking of personal details of motorists by the office of the Customer Service Minister Victor Dominello, which has been referred to the state's corruption watchdog.

It is interesting to note that the quarterly statistics published by the IPC for voluntarily reported data breaches in NSW are a small fraction of the number reported to the OAIC under the mandatory scheme.

The OAIC recorded a significant increase in reports once it was mandatory. A key benefit of mandatory reporting is that it forces organisations to critically assess the risk of serious harm to individuals and this means there is likely to be more notifications to individuals, empowering them to take action to prevent harm arising from breaches.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.