Legislators up the stakes on privacy with new, mandatory scheme for NSW public sector agencies
Given the recent surge in cyberattacks and data breaches, NSW public sector agencies (as defined under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and hereon referred to as ‘agencies’) must be more proactive than ever about their cybersecurity and data-handling practices.
Not only are attacks becoming more frequent, but according to a recent Australian Cyber Security Centre report, last year the average cost of each reported cyber crime rose by 14 per cent.
NSW legislators have taken note. In November last year, the Mandatory Notification of Data Breach (MNDB) scheme commenced, replacing the previous scheme, which was merely voluntary. The changes have been enacted under amendments to the PPIP Act.
Amendments include:
- a new MNDB scheme that requires agencies to notify the Information and Privacy Commissioner (IPC) and affected individuals of eligible data breaches that are likely to result in serious harm to the affected person
- exemptions from mandatory notification in certain circumstances
- giving the IPC power to investigate, monitor, audit and report on agencies regarding the mandatory notification of data breaches
- requiring agencies to publish a data breach policy and keep a data breach register.
New obligations for agencies
Under the MNDB scheme agencies must now:
- immediately make all reasonable efforts to contain a data breach
- undertake an assessment within 30 days where there are reasonable grounds to suspect there may have been an eligible data breach
- during the assessment period, make all reasonable attempts to mitigate the harm caused by the suspected breach
- decide whether a breach is an eligible data breach or whether there are reasonable grounds to believe it is
- notify the IPC and affected individuals of the eligible data breach
- comply with other data management requirements.
To whom does the PPIP Act apply?
Under the PPIP Act, agencies include NSW government agencies, statutory authorities, universities, NSW local councils, and other bodies whose accounts are subject to the Auditor General.
The NSW Information and Privacy Commission (IPC) administers the PPIP Act and the Health Records and Information Privacy Act 2002 (NSW).
The Information Protection Principles (IPPS)
The PPIP Act contains 12 IPPs that describe what NSW agencies must do when handling personal information (including how it must be collected, stored, used and disclosed) and a person’s rights to access their own information.
The IPC has also created a Data Breach Self-assessment Tool for MNDB and a Data Breach Notification to the Privacy Commissioner form, each of which provides guidance on identifying an eligible data breach and notifying the IPC of it.
Agencies that collect tax file numbers have additional obligations under the Commonwealth Notifiable Data Breaches scheme established by the Privacy Act 1988 (Cth), where a data breach occurs involving TFNs.
What is personal information?
Section 4(1) of the PPIP Act defines personal information as:
‘information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can be reasonably ascertained from the information or opinion.’
Personal information includes things such as an individual’s fingerprints, retina prints, body samples or genetic characteristics. It also includes information, or an opinion, that could identify an individual. For example, their name, address, date of birth, gender or audio-visual material.
Personal information does not include any of the types of information listed under section 4(3), for example, information about:
- an individual who has been dead for more than 30 years
- an individual that is contained in a publicly available publication
- an individual arising out of a Royal Commission or Special Commission of Inquiry.
Penalties
While there are no monetary penalties for non-compliance with the MNDB scheme, reputational damage remains an important consideration.
What’s more, individuals affected by an agency’s conduct may seek review of that conduct under Part 5 of the PPIP Act. Even if the agency takes remedial action, the individual may still apply to the NSW Civil and Administrative Tribunal for administrative review. The tribunal may order the agency to pay the individual up to $40,000 for loss or damage suffered.
How to remain compliant
The IPC says agencies should take these actions as a matter of course:
- clearly define roles and responsibilities for the management of actual or suspected data breaches
- ensure the Privacy Management Plan complies with new section 33(2)(c1), which requires provisions for complying with Part 6A of the PPIP Act, specifically the mandatory notification of data breach scheme (Note: the plan should reference the agency’s data breach policy)
- develop and publish a data breach policy in accordance with section 59ZD, outlining the agency’s response to a data breach (commonly called a Data Breach Response Plan)
- revise relevant policies and procedures to align with obligations under the MNDB scheme
- establish and maintain an internal register of eligible data breaches in accordance with section 59ZE, recording the information specified under section 59ZE(2). Note: this should include, where practicable, for all eligible data breaches:
  - who was notified of the breach
  - when the breach was notified
  - the type of breach
  - details of steps taken by the agency to mitigate harm done by the breach
  - details of the actions taken to prevent future breaches
  - the estimated cost of the breach
- maintain a public notification register of any notifications made under section 59N(2). Information in the register must be publicly available for at least 12 months after publication and include the information specified under section 59O.
Agencies should also update agreements with contractors to include suitable provisions regarding data breach notification and management. Combined with training to upskill staff, this will help establish clear lines of responsibility and accountability.
Reporting a cybercrime, incident or vulnerability
Aside from the new requirements, agencies can report cyber security events or vulnerabilities to the police and/or the Australian Signals Directorate’s Australian Cyber Security Centre.
Authors: Rebecca Hegarty, Robert Lee & Juan Roldan