
NSW government launches Mandatory Notification of Data Breach Scheme

NSW’s long-awaited mandatory data breach reporting scheme has finally been announced, requiring public sector agencies and state-owned corporations affected by an eligible data breach to notify the individuals impacted.

Daniel Croft
Mon, 13 Nov 2023

The new Mandatory Notification of Data Breach Scheme, which takes effect on 28 November 2023, is introduced by amendments to the Privacy and Personal Information Protection Act 1998 (the PPIP Act).

“The amendments impact the responsibilities of agencies under the PPIP Act and require agencies to provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act,” said a release by the Information and Privacy Commission.

“The changes to the PPIP Act include:

  • Creating a Mandatory Notification of Data Breach (MNDB) Scheme, which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm.
  • Applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988.
  • Repealing s117C of the Fines Act 1996 to ensure that all NSW public sector agencies are regulated by the same mandatory notification scheme.”

The Information and Privacy Commissioner has said that agencies covered by the scheme are obliged to make all reasonable efforts to contain a data breach and to complete an assessment of it within 30 days of discovering the breach.

During that assessment, agencies must make “all reasonable attempts” to mitigate the harm caused by the breach, which could include shutting down parts of their systems to prevent further unauthorised access or damage.

As part of the assessment, the agency must determine whether the breach “is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach”.

Finally, where the breach is assessed as an eligible data breach, the Privacy Commissioner and the affected individuals must be notified.

The commission also recommends that, in preparation for the scheme, agencies establish clear roles and responsibilities for managing a breach, which could involve creating a data breach response team or hiring additional dedicated staff.

It also said organisations should establish a privacy management plan, which is defined under a new section of the PPIP Act as including “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the Mandatory Notification of Data Breach Scheme”.

Additionally, it said that agencies will be required to keep an internal incident register recording information about each breach, as well as a public notification register. Agencies are also advised to adopt a data breach policy.

For more information, head to the Information and Privacy Commission website.
