Getting ready for the NSW mandatory notification of data breaches scheme and other new privacy reforms

12 July 2023 14:30


Dr Ashley Tsacalos, Monique Azzopardi, Emily Costello and Grace Scanlon CLAYTON UTZ


NSW privacy reforms

NSW has recently ushered in a number of significant privacy reforms through the passing of the Privacy and Personal Information Protection Amendment Act 2022 (NSW) (Amending Act).

As part of these reforms, the NSW Government has followed the Commonwealth and introduced a scheme for the mandatory notification of eligible data breaches (the MNDB scheme). The MNDB scheme will apply to NSW public sector agencies, including state-owned corporations (SOCs) that are not regulated by the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).

What changes have been enacted following the passing of the Privacy and Personal Information Protection Amendment Act 2022? What can organisations do to mitigate risk and protect themselves in the future?

This article comes from the experts behind the Privacy Law Bulletin. This bulletin is written by expert lawyers, academics, and legal experts covering the rapidly changing legal landscape around privacy laws and cases that continue to shape Australia's privacy framework. The Privacy Law Bulletin features articles on topical local and international legal issues impacting on privacy law and provides insights on the practical implications of the latest legal developments.

In addition to the introduction of the MNDB scheme, the privacy reforms also expand the powers of the NSW privacy commissioner and broaden the scope of the definition of a “public sector agency” under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) to include SOCs that are not subject to the Commonwealth Privacy Act. Accordingly, these SOCs will have to comply with the existing requirements under the PPIP Act as well as, where relevant, the new requirements under the Amending Act.

The Amending Act reforms will come into effect on 28 November 2023 (that is, the first anniversary of the Amending Act’s date of assent).

Mandatory notification of data breaches

Under the Amending Act, an “eligible data breach” includes where:

  (a) there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or
  (b) personal information held by a public sector agency is lost in circumstances where
    (i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
    (ii) if the unauthorised access to, or unauthorised disclosure of, the information was to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.

An eligible data breach could range from a large-scale cyberattack on a public sector agency in which personal information is unlawfully obtained, to a public sector agency employee accidentally leaving a hard copy file containing personal information on the bus.

What are the key features of the MNDB scheme?

The Amending Act prescribes steps that public sector agencies must take if they have reasonable grounds to suspect that an eligible data breach has occurred including (among others):

  • officers and employees of public sector agencies must report suspected eligible data breaches to the head of the public sector agency
  • the head of the public sector agency must immediately make “all reasonable efforts” to contain the breach and, within 30 days after the officer or employee becomes aware of the breach, carry out an assessment of whether the data breach is, or there are reasonable grounds to believe the data breach is, an eligible data breach. Such assessments must be carried out in an “expeditious way”
  • immediately notify the NSW privacy commissioner of the eligible data breach in the form set out in the Amending Act
  • take steps that are reasonable in the circumstances to notify affected individuals about the eligible data breach (subject to certain exceptions) and
  • publish required details about the eligible data breach on the public sector agency’s public notification register

Exemptions

It is important to note that, subject to conditions, the Amending Act includes several exemptions from compliance with some of its provisions, for example (among others), if the head of a public sector agency reasonably believes that notification of an eligible data breach would create a serious risk of harm to an individual’s health and safety, or if notification of the breach would “worsen the agency’s cybersecurity” or “lead to further data breaches”.

Further, similar to the data breach regime under the Commonwealth Privacy Act, public sector agencies may, in certain circumstances, be exempt from some of the above steps if they can mitigate the harm done by the breach and take action before serious harm to an individual results.

Expansion of the powers of the NSW privacy commissioner

The Amending Act also expands the powers of the NSW privacy commissioner, enabling the privacy commissioner to (among other powers):

  • direct public sector agencies to prepare a statement about a suspected eligible data breach
  • make guidelines to exercise the privacy commissioner’s functions in respect of eligible data breaches
  • investigate, monitor, audit or report on the functions of public sector agencies, and access the premises of a public sector agency to observe its systems, policies and procedures to monitor compliance

Consequential amendments

The Amending Act also makes some consequential amendments to other legislation, including the Government Information (Public Access) Act 2009 (NSW) (GIPA Act). For the purposes of the GIPA Act, it will now be conclusively presumed that there is an overriding public interest against the disclosure of information contained in a document prepared for the assessment of an eligible data breach under the PPIP Act if the information could worsen a public sector agency’s cybersecurity or lead to further data breaches.

How public sector agencies can prepare for the reforms

Public sector agencies should review their privacy compliance frameworks to prepare for the MNDB scheme and the other reforms introduced by the Amending Act. In particular, public sector agencies will need to undertake the following key activities:

  • Data breach policy and register — under the new privacy reforms, public sector agencies must prepare and publish a publicly available “data breach policy” and establish and maintain an internal register for eligible data breaches. The register for eligible data breaches must contain certain information, including details about the type of breach, details of the actions taken to prevent future breaches and the estimated cost of the breach.
  • Privacy management plans and data breach procedures — it is important that public sector agencies are well-positioned to take the necessary operational steps to identify and contain any eligible data breaches and then to comply with the legal compliance requirements under the Amending Act. In particular, the Amending Act imposes obligations on all officers and employees to report a suspected eligible data breach to the head of the public sector agency. Therefore, we recommend that public sector agencies develop internal policies and procedures to provide officers and employees with clear steps to take if there is a suspected or confirmed eligible data breach. Further, public sector agencies will need to ensure that they have in place and implement privacy management plans in accordance with the requirements under the Amending Act.
  • Review and update contracts — the MNDB scheme applies in respect of personal information that is “held” by a public sector agency. The Amending Act applies a broad definition of when personal information is deemed to be “held” by a public sector agency. Possession of personal information is not the sole indicator of whether personal information is held. Relevantly, under Sch 1, s 59C of the Amending Act, personal information is also considered to be held by a public sector agency if it controls the information or if the information is contained in a “state record” in respect of which the agency is responsible under the State Records Act 1998 (NSW). Given this broad definition, public sector agencies should review and update contracts with suppliers that have access to personal information held by a public sector agency to ensure that suppliers are under an obligation to notify, assess and mitigate data breaches in a responsive and expeditious manner, including so that public sector agencies can discharge their obligations under the MNDB scheme. As the determination of whether or not an eligible data breach has occurred may take additional time, suppliers’ contractual obligations should extend to data breaches more generally, and not only to eligible data breaches.
  • Audit personal information holdings — the adverse effects of a privacy breach can be exacerbated if public sector agencies retain unnecessary personal information as it increases the amount of risk caused by a data breach. Further, it is important to note that, under s 12(a) of the PPIP Act, public sector agencies must ensure “that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used”. Therefore, we recommend that public sector agencies undertake an audit of their personal information holdings at regular intervals to ensure compliance with their obligations under the PPIP Act and other relevant laws.
  • Train personnel — agencies will need to train their personnel in terms of the procedures and compliance obligations imposed by the MNDB scheme and other NSW Government privacy reforms. The advent of the reforms also provides a timely opportunity for public sector agencies to do a privacy review and refresh including in relation to their compliance with all other requirements under the PPIP Act and other relevant privacy laws.

What should SOCs do?

In addition to the above, SOCs that become subject to the PPIP Act will need to put appropriate systems, processes and documentation in place to ensure compliance with the PPIP Act.

We recommend that SOCs undertake a full privacy compliance review that, at a minimum, includes the following:

  • auditing current personal information holdings
  • reviewing and updating practices for the collection, use and disclosure of personal information to ensure that these are in accordance with the information privacy principles under the PPIP Act
  • undertaking a privacy gap analysis to identify any risks and areas where they may not yet be compliant
  • reviewing and updating contracts and making any necessary changes, including adding privacy-specific provisions to contracts to comply with the PPIP Act and all other relevant privacy laws
  • reviewing and updating privacy policies and procedures (including creating new policies for the MNDB scheme) and
  • where appropriate, completing privacy impact assessments for new programs, decisions or processes with a privacy impact to ensure that privacy risks are managed and mitigated

Next steps

It is critical that public sector agencies (including SOCs) are across the key changes to the PPIP Act and begin to develop and implement relevant policies and procedures to prepare for the introduction of the MNDB scheme.
