New South Wales passes mandatory notification of data breaches scheme for its public sector agencies – to be in place by 28 November 2023

The string of recent high-profile data breaches and cyber-attacks has prompted the NSW Parliament to strengthen privacy protections across NSW government agencies and departments.

The NSW Parliament has recently introduced a mandatory data breach notification scheme similar to the Federal scheme under the Privacy Act 1988 (Cth) (PA). The Privacy and Personal Information Protection Amendment Act 2022 (the Amendment Act) was passed by the NSW Legislative Assembly on 16 November 2022 with bipartisan support and bolsters the Privacy and Personal Information Protection Act 1998 (NSW) (PIPP Act) which agencies will be familiar with.

The Amendment Act presents a significant change by introducing a mandatory notification of data breach scheme (MNDB Scheme) which is the first of its kind for Australian States and Territories.

The MNDB Scheme largely mirrors the Notifiable Data Breaches Scheme (NDB Scheme) in the PA, which generally does not include state government agencies and departments (except where certain information such as TFNs are held). The Act extends protection to all individuals who provide personal information to NSW Government agencies, departments and State-owned corporations.

A similar mandatory data breach notification scheme is being considered by the Queensland Government, and so we are closely watching this development across the States and Territories with particular interest.

When will the MNDB Scheme become effective and where to start?  

The MNDB Scheme was recently passed by both houses of the NSW Parliament and obtained Royal assent on 28 November 2022. It is due to come into force after a 12-month transition period after Royal assent (so 28 November 2023).

While a year seems like a long time, in our experience with the implementation of the Federal NDB Scheme, agencies will need to start their preparation now to be able to accommodate the new changes when they come into force. In particular, agencies will need to ensure that they can readily identify, assess, and where required notify eligible data breach incidents to affected individuals and the NSW Privacy Commissioner. This includes ensuring that escalation pathways and internal board engagement is set in place to take incidents out of the IT team and into the broader functions of the agency.

Dealing with multi-party data breaches involving third party entities that hold data on behalf of agencies will also be a key focus area to prepare for, and one where there is significant learned experience from the NDB Scheme. In particular, bolstering contracts with service providers to ensure that incidents are notified in a timely manner and that co-operation is provided, as well as determining who has responsibility for investigating vs notifying is key.

Agencies can start now to ensure that their incident response plans accommodate working with agencies such as Cyber Security NSW and IDSUPPORT to ensure that appropriate action is taken post-incident and in line with best practice data risk mitigation support. Be on the look-out for further supporting materials to be provided in the coming months.

Agencies should also work with their insurance/risk and CMT teams to understand and maximise the support mechanisms available through their cyber insurance policy including baking in forensics, legal, and communications workstreams into the response solution. Conducting a ‘meet the breach coach’ onboarding session prior to an event is critical to understanding how the incident will play out, and assigning roles and responsibilities.   

Who does the MNDB Scheme apply to? 

The MNDB Scheme changes the way in which personal information is handled by NSW Government agencies and New South Wales State-owned corporations under the PIPP Act. This includes principal Government departments, statutory bodies, local councils, universities and now NSW State-owned corporations and NSW agencies.  

Contractors to these agencies will also be subject to the MNDB Scheme and so we expect a number of private sector entities will need to look at their own security posture and response mechanisms in the coming months.

What’s going to change? 

Currently, NSW public sector agencies are not legally required to notify the Information and Privacy Commission (IPC) or impacted individuals of a data breach (although in practice, many agencies adopt the NDB Scheme as a voluntary framework in responding to cyber security incidents). 

In effect, the MNDB Scheme changes will raise the standards of accountability and transparency of NSW agencies when managing personal information. In addition to expanding the PPIP Act to all NSW State-owned corporations and NSW agencies, the significant changes introduced by the MNDB Scheme are highlighted below:

1. Mandatory notification of data breaches scheme  

What is required?

NSW agencies are now bound (or at least will be in 12 months’ time) to mitigate risks of data breaches, to contain a suspected data breach and assess the likely severity of harm which may result. In the transition period, we expect to see a number of agencies use the MNDB Scheme as the framework to stress test their response in anticipation of it coming into full effect.

NSW agencies will also be required to notify the IPC as well as impacted individuals if the breach is assessed as likely to result in ‘serious harm’ to an individual. A public notification must be issued where impacted individuals cannot be identified or individual notification is not reasonably practicable. The agency must keep a register of all public notifications on its website.

The MNDB Scheme uses the same assessment threshold and (much of the same language) as the Federal NDB scheme under the PA. This is to avoid inconsistency and administrative burden where both schemes apply, as well as maximise the processes already developed around voluntary compliance with the NDB Scheme.

Although agencies will have 30 days to complete their assessment, the one key change will be that if the assessment extends beyond this period, a notification to the IPC will be required and a specific extension of time will need to be sought. This places pressure on the agency to complete its assessment expeditiously and increases accountability and transparency over the process.

Serious harm assessment  

The MNDB Scheme does not define the threshold ‘likely to result in serious harm.’

However, the MNDB Scheme provides factors to consider when assessing whether the threshold is met.In assessing whether a reasonable person would conclude a data breach would likely result in serious harm, the factors of consideration include the sensitivity of the personal information and the nature of the harm that has occurred or may occur.

Under the MNDB Scheme, NSW agencies will be obliged to notify impacted individuals and the IPC when a data breach is assessed as likely to result in ‘serious harm’. There is no objective measure of seriousness, and agencies should work out what constitutes a serious breach by considering:

• the nature of the incident itself (noting there is a graduating risk associated with different event types);
   
• the type of data held / impacted (noting that different data points carry different risk and require different remediation steps to be taken);
   
• whether personal or health information was disclosed (and other sensitive data which carries greater inherent importance);
   
• the number of individuals affected (noting that the more individuals impacted, the more likely at least one individual could suffer serious harm); and
   
• the risk of harm that could be caused to both individuals and the agency by the breach (noting that this might not be limited to personal information but could include financial, commercial or other reputationally significant data, which wouldn’t technically be caught by the MNDB Scheme but may be relevant).  

The absence of a definition of ‘serious harm’ provides NSW agencies and State-owned corporations with the flexibility to address the diverse range of information held by agencies and to ensure consistency with the Commonwealth NDB Scheme already in place. Consistency with the Commonwealth scheme was considered essential by the NSW Government so individuals dealing with NSW agencies are given the same protections as those when dealing with Federal Government agencies and the private sector.

To further support NSW agencies in their assessment of data breaches and determining whether the data breach is likely to result in ‘serious harm’ to the individual, the IPC has committed to preparing and publishing guidelines outlining the NSW agencies’ obligations under the new NSW MNDB Scheme. We look forward to seeing those materials, as well as materials from Cyber Security NSW and IDSUPPORT who provide a wealth of knowledge and support in this space.

2. Data breach management policy 

The MNDB Scheme also requires the NSW agencies to have a publicly available data breach management policy. This must include provisions about the agency’s procedures and practices to ensure responsible handling of personal and health information and compliance with the MNDB Scheme.

In addition to a data breach management plan, NSW agencies are also required to maintain an internal data breach incident register. Ensuring compliance with these two requirements will be a natural first step for agencies if not already in place.

QLD Developments: looking to reform their Information privacy and right to information framework. 

While NSW is the first to introduce a mandatory notification of data breach scheme for NSW agencies, it won’t be the last. For example, there have been many talks and consultation papers published urging QLD to introduce a mandatory notification of data breaches scheme. In a recent panel presentation we attended with the QLD Privacy Commissioner, this topic was raised front and centre.

Under the Information Privacy Act 2009 (Qld) (IP Act), QLD Government agencies are not obligated to report data breaches to the Office of the Information Commissioner (OIC). In June 2022, the Queensland Government released its consultation paper – “Proposed changes to Queensland’s Information privacy and right to information framework” (Consultation Paper) to consider whether reform of the framework for information privacy is necessary to strengthen the IP Act.  The consultation paper highlights the QLD’s Government plans to introduce a mandatory data breach notification scheme similar to the Federal NDB Scheme and now NSW’s MNDB framework.

QLD’s proposed scheme aims to mitigate serious impacts of data breaches involving government operations whilst maintaining consistency with the Commonwealth NDB Scheme. Mirroring the NSW MNDB Scheme, the QLD Government also proposes to enhance powers and functions for the OIC to better protect the privacy of individuals and respond.

We will continue to monitor developments. We will also closely review the language and assessment/notification requirements under any proposed legislation (if introduced), and advise on the implications of any inconsistency with the Federal and NSW schemes.

Conclusion 

The changes in NSW come after overwhelming support from the community for the introduction of a MNDB Scheme in the public consultation process after the consultation of the draft PPIP Amendment Act 2021 in May 2021.

The MNDB Scheme will enhance privacy protections in NSW by bolstering requirements of agencies to protect individuals’ personal information through a reporting mechanism. It also has the secondary purpose of mitigating the risk of data breaches by encouraging NSW agencies to improve their data handling and management practices, through increased oversight by the IPC as well as the NSW community.   

NSW government agencies should establish a 12-month plan to ensure that they are ready for the MNDB Scheme when it comes into force, as well as addressing other factors with cause or contribute to the occurrence and severity of incidents.Proactive incident response preparation, data minimisation, and security control improvement are all key examples of what others in this space are doing to prepare. Further, early engagement with cyber insurance providers is key to ensuring that robust processes are developed, understood, and support is available in the time of need.

How can Clyde & Co help comply with the MNDB Scheme? 

Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, and broader technology practice areas including working with government agencies.

Clyde & Co’s incident response team has extensive experience in responding to thousands of data breaches in accordance with the Federal NDB Scheme which was introduced in 2018.

As NSW’s MNDB Scheme largely mirrors the Commonwealth NBD Scheme, Clyde & Co can provide NSW agencies the benefit of over five years’ experience with the NDB Scheme. This includes preparing for the introduction of the MNDB Scheme, and responding to cyber incidents as they occur.

Please reach out if you’d like to discuss further.