Data breaches in NSW – The time has come to report
24 November 2022
NSW Government introduces mandatory notification scheme for data breaches
On 16 November 2022, the Privacy and Personal Information Protection Amendment Bill 2022 (NSW) (Amendment Bill) passed both Houses of Parliament and is now awaiting assent.
The Amendment Bill makes two significant changes to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act):
- it brings State Owned Corporations (SOCs) into the PPIP Act regime where those SOCs are not already regulated under the Privacy Act 1988 (Cth) (Privacy Act), and
- it introduces the Mandatory Notification of Data Breach scheme (MNDB scheme) in NSW.
In this article, we unpack these changes and discuss:
- what the changes mean for SOCs
- what constitutes an “eligible data breach”
- how to assess and report an eligible data breach, and
- exceptions to notification.
We also offer some practical suggestions that NSW agencies can be taking now, to prepare for commencement of the MNDB scheme.
Changes for SOCs
The Amendment Bill amends the definition of “public sector agency” and makes a series of consequential amendments that will bring SOCs, which are not already regulated by the Privacy Act, into the PPIP Act scheme.
This amendment means that SOCs will be required to comply with the PPIP Act in the collection and handling of personal information. Significantly, SOCs will need to develop a Privacy Management Plan that meets the requirements of section 33 of the PPIP Act and implement policies and procedures, which detail how the SOC will comply with the PPIP Act (and the Health Records and Information Privacy Act 2002 (NSW), if applicable).
SOCs will also be open to having their information handling practices reviewed by an individual who is dissatisfied with how their personal information has been handled (the internal review provisions are extended to SOCs), and SOCs may also have their conduct subjected to external review by the NSW Civil and Administrative Tribunal (NCAT). NCAT has a broad range of powers it can exercise on review, including conducting hearings, making findings and requiring a public sector agency to pay damages of up to $40,000 per breach, by way of compensation for any loss or damage suffered because of the conduct.
What is an “eligible data breach”?
The Amendment Bill is the first of its kind to introduce an “eligible data breach” scheme into an Australian state or territory privacy law.
Helpfully, the definition of an “eligible data breach” in the Amendment Bill is consistent with the definition used in the Commonwealth Privacy Act.
A data breach will be an “eligible data breach” where:
- there has been unauthorised access to, or disclosure of, personal information held by the public sector agency, or
- personal information held by the public sector agency is lost.
With respect to unauthorised access to, or unauthorised disclosure of, personal information, two criteria must be satisfied for the incident to be an eligible data breach:
- there must be unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency, and
- a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.
With respect to lost personal information, three criteria must be satisfied for the incident to be an eligible data breach:
- personal information held by a public sector agency is lost
- in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
- if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.
To provide additional clarity, the Amendment Bill confirms an eligible data breach may include:
- a data breach that occurs within a public sector agency
- a data breach that occurs between public sector agencies, or
- a data breach that occurs by an external person or entity accessing data held by a public sector agency without authorisation.
How to assess and report on an eligible data breach
Turning first to assessment, if you have identified an eligible data breach, or suspect an eligible data breach has occurred, three steps must be taken as part of the assessment stage:
- Notify the head of your agency (or their delegate).
- The head of the agency must immediately make all reasonable efforts to contain the data breach.
- Start assessing the incident within 30 days of when the incident was first discovered.
What constitutes “all reasonable efforts” to contain a data breach will depend in each case on the specific circumstances of the breach. But, generally speaking, the agency should take steps to minimise the impact on those individuals whose data is affected.
In order to determine whether a data breach is an “eligible data breach”, the agency’s assessor may take into account a number of factors, including:
- the types of personal information involved in the breach
- the sensitivity of the personal information involved in the breach
- whether the personal information is or was protected by security measures
- the persons to whom the unauthorised access to, or unauthorised disclosure of, the personal information involved in the breach was, or could be, made or given
- the likelihood that the persons specified above:
  - have or had the intention of causing harm, or
  - could or did circumvent security measures protecting the information
- the nature of the harm that has occurred or may occur, and
- other matters specified in guidelines issued by the Privacy Commissioner about whether the disclosure is likely to result in serious harm to an individual to whom the personal information relates.
The assessment of the breach must be concluded within 30 days unless the head of the agency approves an extension of time to conduct the assessment. Any extensions must be notified in writing to the Privacy Commissioner.
The assessor’s findings must then be provided to the head of the agency (or their delegate) for a determination as to whether the data breach is an “eligible data breach”.
If the data breach is an “eligible data breach”, the notification provisions apply.
There are two key notification requirements:
- Firstly, the head of the agency (or their delegate) must immediately notify the Privacy Commissioner of the breach. Notification must be made in a form approved by the Privacy Commissioner, and will require details of the personal information affected by the data breach, details of the cyber incident (if the breach is a consequence of a cyber breach), the estimated costs to the agency of the breach, the total number of individuals affected and whether the agency has taken steps to notify the affected individuals.
- Secondly, the head of the agency (or their delegate) must, to the extent that it is reasonably practicable, take such steps as are reasonable in the circumstances to notify affected individuals of the eligible data breach. Where notification is not reasonably practicable, the agency must publish a notice on its website which provides certain details of the breach. This notice is required to be retained in a public notification register (published on the agency’s website) for at least 12 months after the date the notification is published.
Are there any exemptions to notification?
The Amendment Bill contains a number of exemptions to an agency’s notification obligations.
Some of those exceptions are:
- where the agency has taken steps to mitigate the harm caused by the breach before the breach has caused serious harm and, because of the steps taken, a reasonable person would conclude that the breach would not be likely to result in serious harm to individuals
- where notification would further compromise the agency’s cyber security or lead to further data breaches
- where notification would be inconsistent with a secrecy provision, and
- where notification would likely prejudice an investigation that could lead to the prosecution of an offence or proceedings before a court or tribunal.
The exemption provisions are detailed and require careful consideration before they are relied on. For example, some of the exemptions require the agency to have regard to any guidelines prepared by the Privacy Commissioner in relation to the operation of the exemption. In other cases, the agency is required to inform the Privacy Commissioner that it is relying on the exemption and to update the Privacy Commissioner each month that it continues to rely on the exemption. We encourage NSW agencies to carefully review the exemptions before relying on them, to ensure you fully understand how each exemption operates.
Practical steps you can take to prepare your agency for the MNDB scheme
The Amendment Act will commence 12 months after assent.
Here are our practical tips for NSW agencies to take, now, in preparation for the changes taking effect:
- If you are a State Owned Corporation, you need to ready your organisation for compliance with the PPIP Act. Steps to take include:
  - mapping your information flows to understand what personal information you are handling
  - developing your Privacy Management Plan, website content, intranet content, and collection notices to comply with the PPIP Act if they do not already
  - updating your internal procedures for compliance with the PPIP Act, and
  - giving your staff the tools they need to comply with the Information Privacy Principles and promote a strong privacy culture.
- For all NSW agencies, we recommend you develop your data breach policy now and take steps to publish it on your website. We also recommend that NSW agencies:
  - consider what amendments need to be made to your Privacy Management Plan to incorporate the MNDB scheme
  - update your delegations to ensure there are clear roles and responsibilities for assessing and reporting an “eligible data breach”, and
  - if you have an IT security policy, consider the extent to which that policy will interact (or overlap) with the data breach policy and ensure your agency takes a consistent and coordinated approach to managing a data breach that may also be an “eligible data breach”.
- Finally, if in doubt, call the experts! If you need assistance preparing your agency and your staff for the significant changes that are coming, reach out to our cyber and privacy experts who can help provide practical guidance, templates and training – for more information, contact Chantal Tipene or visit our Cyber and Privacy web page.