NSW became the first Australian state or territory to introduce a mandatory scheme for its government agencies to respond to data breaches, after new laws passed parliament last night.
Attorney General Mark Speakman said the passing of the Privacy and Personal Information Protection Amendment Bill 2022 fulfils the NSW Government’s commitment to strengthen privacy protections for personal data.
‘The new law establishes a mandatory data scheme which will require public sector agencies to notify the Privacy Commissioner if there is a suspected data breach involving personal information which is likely to result in serious harm,’ said Mr Speakman.
‘Under the scheme, agencies will have to satisfy a number of data management requirements, including maintaining an internal data breach incident register, and having a publicly accessible data breach policy.
‘This scheme establishes new standards of accountability and transparency around the protection of citizens’ personal information. It will create greater openness while also enhancing consistency across all public sector agencies,’ he said.
‘Importantly, it will give individuals information they need to reduce their risk of harm following a serious data breach and help agencies respond properly.
‘Every day, the people of NSW offer their personal information to government agencies, which is a significant undertaking of trust. In return, the government recognises it has a responsibility to effectively and proactively protect and respect that personal information,’ said Mr Speakman.
‘These reforms will make that responsibility law.’
Minister for Customer Service and Digital Government Victor Dominello said the new laws are evidence of how the government is further strengthening privacy protections and digital governance for the benefit of NSW citizens.
‘The NSW Government consulted extensively on these reforms to ensure the scheme strikes the right balance between improving privacy protections for NSW citizens and being practical enough for government agencies to take appropriate steps in a potential data breach response,’ said Mr Dominello.
‘The scheme will apply to all public sector agencies as defined in the new laws, including all NSW agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor General and some universities.’