NSW taking action on personal data protection

16 November 2022

NSW is one step closer to becoming the first state or territory in Australia to have a mandatory notification scheme for its government agencies to respond to personal data breaches.

The NSW Government’s Privacy and Personal Information Protection Amendment Bill 2022 passed the Legislative Assembly last night.

Attorney General Mark Speakman said the bill fulfils the Government’s 2020 commitment to introduce a mandatory notification of data breaches scheme to strengthen privacy protections for the citizens of NSW.

“Unlike Labor’s past forays into the area, this bill is the product of extensive consultation and consideration,” Mr Speakman said.

“This consultation has resulted in a carefully considered scheme that will affect the operations of hundreds of NSW public sector agencies, including principal government departments, statutory bodies, local councils and universities.

“I acknowledge Labor’s support for these reforms and note that they have been long awaited.

“However, as I said during debate of Labor’s half-baked private member’s bill on 1 August 2019, any decision to introduce a mandatory notification scheme in NSW must be informed by proper analysis and consultation.

“Even before Labor’s bill was debated, the NSW Government was inviting community submissions on a discussion paper asking whether a mandatory data breach reporting scheme should be adopted in NSW and, if so, how the scheme should operate.

“Twenty-three submissions were received, including from NSW public sector agencies, members of the public, local councils, universities and various advocacy and professional groups.

“Following extensive development and drafting consideration, including consultation with the Office of the Australian Information Commissioner and Cyber Security NSW, the NSW Government released an exposure draft of this bill for public consultation in May 2021.

“That exposure draft proposed a specific model for a mandatory notification of data breach scheme. Thirty-two submissions were received on that draft.”

Mr Speakman said a number of significant amendments were made to the bill following the consultation, including:

• Amending the wording of the assessment threshold to make it identical to the Commonwealth Privacy Act
• Establishing additional requirements for the approval of an extension to the assessment period to ensure this only occurs where appropriate
• Expanding the circumstances where an agency is required to issue a public notification.

“This scheme will establish new standards of accountability and transparency around the protection of citizens’ personal information,” Mr Speakman said.

“It will make NSW the first Australian state or territory to introduce a mandatory notification of data breach scheme for its government agencies.

Every day, the people of NSW offer their personal information to government agencies, which is a significant undertaking of trust. In return, the government has a responsibility to effectively and proactively protect and respect that personal information in a way that is workable and practical for those agencies.

“This bill will make that responsibility law.”