New amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act), which were passed by the NSW Parliament earlier this month, will require public sector agencies to notify the Privacy Commissioner and affected individuals of data breaches that could result “in serious harm”.
The changes introduce the first Mandatory Notification of Data Breaches (MNDB) Scheme for an Australian state or territory, and apply to data breaches involving personal or health information.
Intended to strengthen NSW’s existing privacy laws, the amendments also extend the application of the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988, and repeal s117C of the Fines Act 1996 so that all NSW public sector agencies are regulated by the same mandatory notification scheme.
Privacy Commissioner Samantha Gavel, who welcomed the passing of the amendments, said the MNDB Scheme would help NSW agencies “promote, support and practice responsible privacy governance” and build public confidence and trust in the Government’s use of digital technology.
Under the MNDB Scheme, agencies will also be required to meet additional data management requirements, including maintaining an internal data breach incident register and publishing a publicly accessible data breach policy.
Ahead of the Scheme’s implementation, the Information and Privacy Commission NSW (IPC) will work with agencies covered under the PPIP Act and release guidance and resources to ensure they have the required systems, processes and capabilities in place to support their compliance with the new laws.
A suite of new MNDB Scheme resources will also be made available to both NSW agencies and citizens, providing guidelines to define eligible data breaches and notification exemptions, and agency-specific guides to support policy and procedural compliance with the new legislative requirements.
Information will also be provided on steps to take following an eligible breach.
On top of this, the IPC will develop e-learning modules for agencies to undertake training on the changes, resources for citizens (such as fact sheets and animations) to understand their rights and processes under the amendments, and updated agency guidance to align with the changes.
The Privacy Commissioner said the MNDB Scheme, once in effect, will help:
- increase citizen trust in government agency handling of personal information and data breach incidents
- increase agency awareness of and responses to data breach incidents
- improve the transparency and accountability of agencies in how they respond to serious data breaches
- encourage agencies to elevate capability to mitigate and manage the risk of data breaches
- provide citizens with the information needed to reduce their risk of harm following a serious data breach.
“I am looking forward to engaging with agencies to assist them in meeting their compliance requirements under the Scheme and support them to improve their privacy practices,” Gavel said.