From 28 November 2023, amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) will commence, introducing mandatory data breach notification obligations. These PPIPA reforms introduce a Mandatory Data Breach Notification Scheme (MDBN scheme) which will apply to all NSW public sector agencies (agencies), including NSW agencies and departments, statutory authorities, local councils, state-owned corporations, Ministers' offices and some universities.

Under the MDBN scheme, agencies are obligated to notify the Privacy Commissioner and affected individuals of eligible data breaches. An eligible data breach is an unauthorised access to, disclosure or loss of an individual's personal information that is likely to result in serious harm to the affected individual.

If an agency discovers a data breach, the MDBN scheme requires that agency to:

  • immediately take all reasonable efforts to contain the breach
  • assess the suspected breach within 30 days to determine if there are reasonable grounds to believe that an eligible data breach has occurred
  • take all reasonable steps to mitigate the harm done by the suspected breach
  • if, on assessment, an eligible data breach has occurred:
    • notify the NSW Privacy Commissioner and each affected individual
    • issue a public notification on the agency's website where notifying each affected individual is not practicable.

What does your organisation need to do?

If you have not already begun preparing for the commencement of the MDBN scheme, there is still time for your agency to familiarise itself with its compliance obligations and implement changes to your data breach management practices.

The reforms require agencies to develop and publish on their website a Data Breach Policy (DBP). Agencies are also obligated to maintain and publish on their website a public notification register for any data breach notifications they have issued and keep an internal data breach incident register for their own records.

A Data Breach Response Plan is a framework that sets out the roles and responsibilities of an agency involved in managing a data breach. Implementing or updating your agency's Data Breach Response Plan will help ensure that your agency can effectively assess, manage and appropriately respond to data breaches.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.