- Privacy amendments and a new mandatory notification of data breach scheme
- Proposed condition for the disbursal of donated funds following disaster appeals
- ALRC Consultation Paper on Judicial Impartiality
- Inquiry into the coronial jurisdiction in NSW
- Disability Discrimination Act 1992 (Cth): reform of reasonable adjustment provisions following Sklavos v Australasian College of Dermatologists
- Australian National Contact Point Peer Review 2021
- A new decision-making framework for property matters in Family Law
Privacy amendments and a new mandatory notification of data breach scheme
The Privacy and Data Law Committee contributed to a letter to the Department of Customer Service on the draft Privacy and Personal Information Protection Amendment Bill 2021, which would establish a mandatory notification of data breach (‘MNDB’) scheme in NSW.
The letter noted that we strongly support the introduction of a mandatory reporting scheme for data breaches in NSW by public sector agencies, and that, so far as possible, such a scheme should mirror the Commonwealth MNDB scheme.
The letter noted a number of issues, however, including:
- The Government should consider additional mechanisms to enhance data protection by encouraging a focus on a ‘just culture’ (shared accountability) approach to managing security of personal information;
- Such a scheme should avoid duplication with the Commonwealth scheme so far as reasonably practical by limiting its application to agencies / breaches not covered under the Commonwealth scheme;
- We queried the difference in language between the Draft Bill and corresponding provisions under the Commonwealth scheme which enliven a public sector agency’s obligation to assess whether a data breach is an ‘eligible data breach’. On our reading, there is a higher threshold for engagement of the assessment requirements under the proposed NSW scheme, which may have been unintended and may result in underreporting of eligible data breaches in NSW; and
- While we retain concerns with the ‘serious harm’ threshold, in the interests of consistency, we do not oppose its introduction, but suggest that at the least, it should be better articulated (whether in the legislation or elsewhere) that ‘serious’ means sufficiently substantial (including distress) to not be trivial, and that the standard be applied to any of the affected cohort.