Labor will push for New South Wales to adopt new laws requiring state government agencies to notify individuals if their data is involved in a serious privacy breach.
Shadow attorney general Paul Lynch said today that he plans to introduce the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill this week.
Under the proposed legislation, agencies will be forced to notify both the individuals affected by a serious breach of privacy and the state’s privacy commissioner.
Lynch said that the bill is an effort to bring state law into line with federal law.
Federal parliament earlier this year passed legislation to create a mandatory data breach regime. The federal scheme covers Commonwealth agencies and many Australian businesses. Its obligations take effect in February 2018.
“With a few exceptions, NSW government agencies are not even required to notify the Privacy Commissioner if they suffer a data breach, let alone the affected individuals,” said Anna Johnston, director of specialist consultancy Salinger Privacy.
“Bringing NSW privacy law into line with the new federal scheme of notifiable data breaches would be a step in the right direction.”
“However, even NSW government agencies will be covered by the federal scheme from February, at least in relation to their handling of the Tax File Numbers of their staff, so they should be turning their mind to this topic anyway, and preparing a data breach response procedure,” she added.
A 2015 report of the NSW Privacy Commissioner recommended that the NSW Privacy and Personal Information Protection Act 1998 be amended “to provide for mandatory notification of serious breaches of an individual’s privacy by a public sector agency similar to that proposed to be provided in the Privacy Act 1988 (Cth).”
“Currently when a breach of the IPPs [information protection principles in the PPIP Act] occurs there is no requirement upon NSW public sector agencies to notify the Privacy Commissioner, or those individuals whose personal information is involved or third parties,” the report stated.
“Increasing use of and capacity of information technology increases the potential impact of a breach, particularly when ‘big data’ is involved.”
“Amending the PPIP Act to require in cases of serious breaches notification to those to whom the personal information relates is appropriate, with agencies assisted by the development of guidelines addressing the parameters of ‘serious breach’,” the report stated.
“Mandatory notification by state agencies of serious privacy breaches was recommended by the Privacy Commissioner in 2015,” Lynch said.
“The state government has done nothing. Because of that the state opposition will introduce this legislation.”
“Mandatory notification increases the transparency of government operation. It is also a useful way of reducing the likelihood of further breaches,” the shadow attorney general said.