New Mandatory Notification of Data Breach Scheme in NSW

This article applies to public sector agencies that deal with personal information, including health information in NSW.

Privacy and Personal Information Protection Amendment Bill 2022 (NSW)

Background

Please be advised that the Privacy and Personal Information Protection Amendment Bill 2022 (NSW) (the Bill) passed the NSW Parliament on 16 November 2022 and received Royal Assent on 28 November 2022. The Act will commence on the first anniversary of the date of assent.

The Bill amends the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) and establishes the Mandatory Notification of Data Breach Scheme (the MNDB Scheme). The Bill also expands the definition of public sector agency under section 3 of the PPIP Act to include NSW State Owned Corporations (SOCs) that are not already subject to the Privacy Act 1988 (Cth).

Mandatory notification of data breaches

The Bill inserts a new Part 6A into the PPIP Act, containing the provisions relating to mandatory notification of data breaches by public sector agencies.

Assessment of data breaches

Under the new section 59E of the PPIP Act, an officer or employee of a public sector agency must report a data breach to the head of the public sector agency.

Within 30 days, the head of the public sector agency must assess whether the data breach falls within the scope of an eligible data breach and take all reasonable steps to contain the data breach. If the breach cannot be assessed within 30 days, the head of the public sector agency must give written notice to the Privacy Commissioner (the Commissioner) regarding the extension period necessary to conduct the assessment.

The new section 59F of the PPIP Act also provides that the head of the public sector agency must take all reasonable steps to mitigate the harm done by the data breach and have regard to guidelines, prepared by the Commissioner, about the process for carrying out an assessment.

Eligible data breach means:

  • there is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates; or
  • personal information held by a public sector agency is lost in circumstances where:
    • unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
    • if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.

Head, of a public sector agency, means:

  • for a Public Service agency, the person who is the head of the Public Service agency within the meaning of the Government Sector Employment Act 2013 (NSW); or
  • otherwise, the person who is the chief executive officer, however described, of the agency or otherwise responsible for the agency’s day to day management.

Notification of data breaches to the Commissioner

If the head of the public agency decides that an eligible data breach has occurred, the head of the public agency must immediately notify the Commissioner of the breach in an approved form. The new section 59M of the PPIP Act lists the information required to be provided, which, most relevantly, includes:

  • a description of the personal information (Part 6A of the PPIP Act includes health information within the meaning of the Health Records and Information Privacy Act 2002 (NSW)) that was the subject of the breach;
  • the details of the cyber incident (if relevant); and
  • the estimated total number of individuals that were affected or are likely to be affected by the data breach.

In addition to notifying the Commissioner, the head of the public sector agency must notify individuals affected by the data breach, unless an exemption provided by Division 4 applies. If the head of the public sector agency is unable to notify the individual, the head of the public sector agency must publish a public notification under the new section 59P of the PPIP Act.

The head of the public sector agency must also keep a register (known as a public notification register) available on the agency’s website. The information must be kept on the public notification register for at least 12 months.

As soon as the information is published, the head of the public sector agency must provide the Commissioner with information on how to access the public notification register on the agency’s website.

Other requirements for public sector agencies

Under the new section 59ZD of the PPIP Act, the head of the public sector agency must prepare and publish a data breach policy (the policy), and the policy must be publicly available. Additionally, the new section 59ZE of the PPIP Act requires the public sector agency to establish and maintain an internal register to record information in relation to eligible data breaches. The information must include:

  • who was notified of the breach;
  • when the breach was notified;
  • the type of breach;
  • details of steps taken by the public sector agency to mitigate harm done by the breach;
  • details of the actions taken to prevent future breaches; and
  • the estimated cost of the breach.

How Law Compliance can help:

Want to find out more about what we do and how we can make legal compliance easy for your organisation? Contact us or request a free info pack today.