New mandatory data breach notification laws for NSW local governments
On 28 November 2023, reforms enacted last year to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) will come into effect. These reforms introduce a Mandatory Notification of Data Breach Scheme (MNDB Scheme) that applies to all NSW government agencies – including universities, local governments and state-owned corporations.
The MNDB Scheme replaces the previous voluntary data breach notification scheme and is the first state-based mandatory data breach notice scheme.
MNDB Scheme obligations
The MNDB Scheme requires agencies to notify the NSW Privacy Commissioner and affected individuals if an “eligible data breach” occurs. An eligible data breach occurs if there is unauthorised access, disclosure or loss of an individual’s personal information which is likely to cause serious harm to the affected individual.
Under the MNDB Scheme, if an agency discovers a data breach it must:
- immediately make all reasonable efforts to contain the data breach;
- assess within 30 days whether it is reasonably likely an eligible data breach occurred;
- during the assessment period, take all reasonable steps to mitigate the harm done by the breach; and
- if an eligible data breach has occurred (or there are reasonable grounds to believe so):
  - notify the NSW Privacy Commissioner;
  - notify each affected individual (to the extent reasonably practicable); and
  - where not practicable to notify each affected individual, issue a public notice.
Responsible data handling obligations
The reforms also introduce new responsible data handling obligations for agencies, which support and supplement the MNDB Scheme. These obligations include:
- Data Breach Policy: agencies must prepare and publish a data breach policy which outlines their response strategy and procedures in case of a data breach;
- Incident Register: agencies must establish and maintain an internal register of eligible data breaches; and
- Public Notification Register: agencies must maintain a public notification register of any notifications made. The information recorded in the register must be publicly available for at least 12 months after the date of publication and include certain specified information.
NSW Privacy Commissioner’s powers
The reforms grant the NSW Privacy Commissioner enhanced enforcement powers. Notably, the Privacy Commissioner has the ability to investigate, monitor, audit, and report on the functions of agencies subject to the PPIPA. This includes the power to enter premises to observe an agency’s data handling practices and inspect data handling policies.
Consequences of non-compliance
There are currently no monetary penalties for non-compliance with the MNDB Scheme. However, individuals affected by the conduct of an agency may seek review of that conduct. The agency can decide to take appropriate remedial action but if the aggrieved individual is not satisfied with the outcome, the individual may apply to the NSW Civil and Administrative Tribunal (NCAT) for administrative review. NCAT may order the agency to pay the affected individual up to $40,000 for loss or damage suffered.
What should you do now?
The MNDB Scheme represents a significant step forward in privacy protection in NSW. With the reforms fast approaching, it is time for agencies to understand the extent to which they are impacted by the changes, and to prepare accordingly.
Agencies should:
- familiarise themselves with the MNDB Scheme and how it will impact them;
- review their existing data management practices;
- develop or revise their data breach management policy;
- train staff to understand the importance of data privacy and the agency’s procedures in case of a data breach;
- review contracts with service providers who hold data on behalf of or access data of agencies, to ensure data breaches are reported in a timely and responsible manner;
- establish processes to identify, assess and notify eligible data breaches, including having in place a robust data breach response plan;
- establish and maintain an internal data breach incident register; and
- establish and maintain a public notification register.
The NSW Information and Privacy Commission has released guidance on preparing a data breach policy and on managing data breaches, and is expected to release further guidance on assessing an eligible data breach in August.
In light of recent high-profile data breaches, all eyes will be on NSW agencies to comply with the MNDB Scheme. As public concern over personal data security grows, NSW agencies bear a significant responsibility to uphold robust privacy standards, demonstrating they can be trusted custodians of personal information. Compliance with the MNDB Scheme isn’t just a legal requirement — it’s a critical component of public trust and a reflection of an agency’s commitment to the principle of privacy.
For more information on privacy related issues that NSW government agencies face, or if you require assistance in understanding your obligations under the MNDB Scheme, please contact our Digital and Intellectual Property team.
With thanks to Sebastian Galetto for his contribution to the article.