NSW Government Agencies are to be the first in Australia’s States or Territories to notify citizens of data breaches which may affect their personal information.
Announced by Attorney General, Mark Speakman, the new Privacy and Personal Information Protection Amendment Bill 2022 would see a mandatory notification scheme introduced for NSW’s Government Agencies, introducing the mandatory notification of data breaches.
Mr Speakman said the new law would create new standards of accountability and transparency for Government bodies.
“Every day, the people of NSW offer their personal information to Government Agencies, which is a significant undertaking of trust,” Mr Speakman said.
“In doing so, they enable the Government to provide them with quality, connected services, and the information required to continually improve these services to best meet their needs,” he said.
“In return, the Government has a responsibility to effectively and proactively protect and respect that personal information.”
Mr Speakman said that once passed, the new law would provide consistency across Public Sector Agencies by making it mandatory for Agencies to notify the Privacy Commissioner and those impacted by a data breach involving personal information which was likely to result in serious harm.
“Agencies will also have to satisfy a number of data management requirements, including making reasonable attempts to mitigate the harm done by a data breach, maintaining an internal data breach incident register, and have a publicly accessible data breach policy,” the Attorney General said.
He said the scheme would apply to all NSW Public Sector Agencies as defined in the Privacy and Personal Information Protection Act 1998, including all NSW Agencies and Departments, Statutory Authorities, local councils, bodies whose accounts are subject to the Auditor General and some universities.
Mr Speakman said the Bill would also expand the Privacy and Personal Information Protection Act, including the new scheme, to cover all NSW State-owned corporations not subject to Commonwealth privacy laws.
