The latest developments in law reform & advocacy: August 2021

Privacy amendments and a new mandatory notification of data breach scheme

The Privacy and Data Law Committee contributed to a letter to the Department of Customer Service on the draft Privacy and Personal Information Protection Amendment Bill 2021, which would establish a mandatory notification of data breach (‘MNDB’) scheme in NSW.

The letter noted that we strongly support the introduction of a mandatory reporting scheme for data breaches in NSW by public sector agencies, and that, so far as possible, such a scheme should mirror the Commonwealth MNDB scheme.

The letter noted a number of issues, however, including:

1. The Government should consider additional mechanisms to enhance data protection by encouraging a focus on a ‘just culture’ (shared accountability) approach to managing
   security of personal information;
2. Such a scheme should avoid duplication with the Commonwealth scheme so far as reasonably practical by limiting its application to agencies / breaches not covered under the Commonwealth scheme;
3. We queried the difference in language between the Draft Bill and corresponding provisions under the Commonwealth scheme which enliven a public sector agency’s obligation to assess whether a data breach is an ‘eligible data breach’. On our reading, there is a higher threshold for engagement of the assessment requirements under the proposed NSW scheme, which may have been unintended and may result in underreporting of eligible data breaches in NSW; and
4. While we retain concerns with the ‘serious harm’ threshold, in the interests of consistency, we do not oppose its introduction, but suggest that at the least, it should be better articulated (whether in the legislation or elsewhere) that ‘serious’ means sufficiently substantial (including distress) to not be trivial, and that the standard be applied to any of the affected cohort.