After over two years of consultation, the government of New South Wales (NSW) has published an exposure draft of its long-awaited bill for mandatory data breach notifications. The bill specifies reporting thresholds ahead of the planned introduction of the scheme.
The exposure draft, which is open for consultation until 18 June 2021, follows over two years of work by the departments of Communities and Justice and Customer Service, as well as the privacy commissioner. NSW became the first state or territory to pledge to introduce such a scheme in February 2020, more than five years after former privacy commissioner Elizabeth Coombs first called for such laws.
The Privacy and Personal Information Protection Amendment Bill intends to fill the gap left by the Commonwealth’s notifiable data breach scheme, which applies to federal government agencies but not to state government agencies or local councils. It will require all departments and agencies, state-owned corporations, local councils and some universities in NSW to report breaches likely to result in “serious harm” to affected individuals and to the privacy commissioner. The bill also closes a regulatory loophole by applying NSW’s Privacy and Personal Information Protection Act to state-owned corporations not already regulated by the Commonwealth Privacy Act.
According to the bill, a serious breach occurs when there is “unauthorised access to, or unauthorised disclosure of, personal information” that is likely to result in serious harm to the individuals involved. Personal information can include photos, contact details and fingerprints, as well as health information about an individual’s physical or mental health, disability or any other information related to the provision of health services.
When an agency suspects a breach has occurred, it must conduct an assessment within 30 days to determine whether the breach meets the threshold for notifying affected individuals and the privacy commissioner. An extension may be approved if the assessment “cannot reasonably be conducted” within that timeframe, though the agency head will need to report this to the privacy commissioner and provide updates.
In instances where an agency can identify individuals affected by a breach, it must notify them “as soon as practicable”. If the agency is unable to determine the affected individuals, it will be required to publish the notification on a public register for at least 12 months.
Agencies may be exempt from notifying the affected individuals and the privacy commissioner if doing so would prejudice an investigation or relates to matters before the court. Further exemptions exist for agencies that “take action to mitigate the harm done by the breach” before the access or disclosure results in serious harm, or if notification could lead to further breaches.
The bill will also give the privacy commissioner new powers to enter the premises of entities and inspect anything that may relate to compliance with the scheme, including processes and systems, and conduct audits. The NSW Digital Minister said the introduction of the scheme was supported by the Information and Privacy Commission and Cyber Security NSW “to clarify agency obligations”.
The bill is expected to be introduced to parliament later this year and if passed, will commence following a 12-month period to give agencies enough time to put in place the necessary compliance mechanisms.
The need to boost national cybersecurity
Recently, the Federal Government pledged $745,920 in funds for a new cybersecurity centre to help train and support Australian small businesses in dealing with cyber-attacks. While the announcement is welcome news for Australian businesses, it also spells good news for consumers, who will benefit from better data security.
The Cybersecurity Aid Centre will be located in Parramatta, NSW, and run by Western Sydney University. Funding for the program will form part of the Cyber Security Business Connect and Protect Grants Program, a government initiative that connects businesses with trusted cybersecurity companies to improve their cyber awareness.
The centre will offer businesses training seminars on cyber response, including how to deal with data breaches, ransomware attacks and email vulnerabilities. Businesses will also have access to a host of resources about cyber-attacks, including a Cyber Suite and Toolkit.
A hotline will be available to walk both consumers and businesses through the confusing and stressful process of responding to a cyber-attack as it is happening, including how to uplift defences as part of effective business operations.