NSW privacy reform

The PPIP Amendment Act changes the Privacy and Personal Information Protection Act 1988 (NSW) ('the PPIP Act'). The PPIP Act dictates how state-based public agencies in NSW manage personal information. It also empowers the Information and Privacy Commissioner ('the Commissioner') under the Information and Privacy Commission NSW ('IPC') to advise on and investigate public sector agencies' compliance with privacy requirements.

Who do the reforms apply to?

The PPIP Act only applies to state-based public sector agencies in NSW, including:

• statutory authorities;
• universities; and
• local councils.

The focus on state-based public sector agencies is designed to prevent overlap with existing federal legislation which regulates government entities.

We also discuss how SOCs will also be subject to the PPIP Act below.

What are the changes?

The PPIP Amendment Act makes notable changes to the PPIP Act including:

• extending the PPIP Act's application to SOCs;
• introducing a mandatory data breach notification scheme;
• expanding the Commissioner's powers; and
• introducing a requirement to publish data breach policies.

We explore these amendments in the following section.

SOCs

The PPIP Amendment Act will extend the PPIP Act to cover SOCs. SOCs are entities established under the State-Owned Corporations Act 1989 (NSW) and include:

• Sydney Water;
• Water NSW;
• Essential Energy; and
• Port Authority NSW.

SOCs will now be captured in the definition of 'public sector agency' and have new privacy obligations. The rationale driving this reform is to ensure:

• consistency in how personal information is treated across the public sector; and
• that the privacy obligations of SOCs and public sector agencies are the same. 

Mandatory notification of data breaches scheme

The PPIP Amendment Act introduces a new Mandatory Notification of Data Breaches scheme ('MNDB') for public sector agencies. The scheme will align NSW privacy laws for NSW public sector agencies and SOCs with the existing Commonwealth Notifiable Data Breach scheme.

The MNDB scheme requires agencies to notify both the Commissioner and affected individuals if a data breach is likely to cause serious harm to that individual.

Eligible data breach

Under the MNDB scheme, an eligible data breach occurs where there is unauthorised access or disclosure to personal information or personal information is compromised and that breach or compromise is likely to cause serious harm to an individual.

Serious harm is not specifically defined in the PPIP Amendment Act but the PPIP Amendment Act does provide factors for agencies to consider in assessing the severity of a breach. These are explored below.

Assessment requirements

Once a data breach has been discovered, the head of the relevant agency has 30 days to make an assessment and determine whether an eligible data breach has occurred or if it is reasonably likely to occur.

As part of that assessment, the agency must assess whether serious harm is likely to occur as a result of the data breach.

The PPIP Act provides that the agency should consider these kinds of factors to assess the severity of a data breach:

• the sensitivity of the personal information;
• whether cybersecurity or encryption methods will protect the information;
• the likelihood of malicious intent by the person who had unauthorised access or disclosure; and
• the nature of harm that could occur.

The Commissioner can also establish guidelines on how agencies can carry out assessments.

Notification

Once the assessment is complete, the head of the relevant agency must:

• Immediately notify the Commissioner if an eligible data breach has occurred or if it is reasonably likely an eligible data breach has occurred.
• Detail what personal information was affected, how the breach occurred, and the costs involved in detecting, assessing, and mitigating the breach.
• Notify affected individuals as soon as reasonably practicable. If the agency is unable to notify individuals, it must issue a public notification and sufficiently promote it to alert any affected individuals.

Exemptions

There are several exemptions that allow affected agencies to bypass part or all of their MNBD obligations.

These include circumstances where:

• the agency has sufficiently mitigated the breach in a manner that makes it unlikely that serious harm will occur;
• if notification is inconsistent with secrecy provisions;
• if notification poses a serious risk to an individual's health and safety;
• where the agency believes that notification will worsen their cybersecurity position; or
• where the agency believes notification will prejudice ongoing investigations.

New transparency requirements

The introduction of the PPIP Amendment Act will bring new requirements for agencies. These requirements are designed to increase transparency and deter agencies from breaching privacy rights in NSW.

Agencies will be required to:

• publish their data breach policy;
• establish an internal register of eligible data breaches ('the Internal Register'); and
• maintain a public notification register ('the Public Register').

The Internal Register must include:

• records of any eligible data breach that the agency has experienced;
• details regarding the notification process;
• the type of breach experienced;
• mitigation measures; and
• the overall estimated cost of the breach.

The Public Register must contain:

• information relating to data breaches suffered by the agency;
• when the data breach occurred; and
• what type of personal information it affected.

The Public Register must be available on the agency's website for 12 months. Once an eligible data breach notification is published, the agency must inform the Commissioner on how the public can access the information.

The Commissioner's powers

The Commissioner promotes public awareness of privacy rights, assists agencies, and investigates privacy concerns which are levelled at public sector agencies.

The Commissioner is empowered to deal with privacy complaints and may monitor applicable agencies.

Under the PPIP Amendment Act, the Commissioner's powers will be expanded to cover the new MNDB scheme. The powers include:

• directing agencies to provide certain information to the Commissioner;
• recommending agencies to notify individuals of a suspected data breach;
• accessing relevant premises to observe the agencies' data handling systems and polices; and
• making recommendations and reports in relation to the MNDB scheme.

What's next?

Public sector agencies and SOCs have until 28 November 2023 to prepare for the changes introduced by the PPIP Amendment Act.

During the transition period, agencies and SOCs should consider:

• updating their privacy policies to ensure their policy sets out their MNDB scheme requirements;
• making the privacy policy publicly available if it is not already;
• for SOCs, ensuring that their privacy policy is compliant with the PPIP Act;
• training staff on MNDB scheme requirements, including:
  • recognising and reporting an eligible data breach;
  • assigning reporting roles; and
  • establishing mitigation protocols;
• establishing a public and internal data breach register; and
• reviewing their cybersecurity protocols, including:
  • working from home policies;
  • cybersecurity training and; and
  • maintaining secure database procedures.

Katherine Sainty Director
[email protected]
Lily O Brien Junior Paralegal
[email protected]
Sainty Law, Sydney