New South Wales Mandatory Data Breach Bill and Legislative Council Report on Cyber Security


New South Wales (NSW) has become the first Australian state or territory to introduce a mandatory data breach notification scheme.

The exposure draft, which is open for consultation until 18 June 2021, follows years of work by various NSW Government departments and the Privacy Commissioner, propelled by the increasing number of cyber security incidents and data breaches involving NSW Government agencies.

The Privacy and Personal Information Protection Amendment Bill 2021 (NSW) is a Bill for an Act to amend the Privacy and Personal Information Protection Act 1998 (NSW) to require public sector agencies to notify certain individuals and the privacy commissioner if there is a data breach relating to personal information.


Cyber Attack on Service NSW

Service NSW is the executive agency within the NSW Department of Customer Service that provides a one-stop access to government services.

In 2020 the agency experienced a cyber attack. A year later, in March 2021, IT News reported that “Service NSW has been unable to reach more than half the 104,000 customers who had their personal information stolen in an email compromise attack against 47 staff members last year. The data breach, which exposed 736GB of data between March and early April 2020, is also now likely to cost up to $35 million to remediate, more than five times as much as first estimated.”


NSW Legislative Council Report on Cyber Security

Report 52 of the NSW Legislative Council dated March 2021 (Report)[1] records the inquiry into, and report on, cyber security and digital information management in NSW. In particular, the Report details the number of cyber security incidents and data breaches involving NSW Government agencies, and the monitoring of and response to cyber security incidents and data breaches across the NSW Government.

Emphasis is placed on supply chain risk involving contractual arrangements between the NSW Government and providers of digital services and infrastructure, and the extent and impact of outsourcing government information systems, including to entities which are owned overseas.


Findings

The Report makes four findings, including that the NSW Government lacks any real framework or clear processes within government to properly and expeditiously deal with requests by people in the community for assistance in the event of a breach of their data.


Recommendations

The Report (to which the author of this article contributed evidence and information on notice) makes 12 recommendations, including that the NSW Government urgently:

  • Address the matters in relation to implementing a framework or clear process to properly and expeditiously deal with requests by people in the community for assistance in the event of a breach of their data; and
  • Establish a mandatory data breach notification scheme applicable to all NSW Government agencies and its contracted service providers.


Privacy and Personal Information Protection Amendment Bill 2021

The Privacy and Personal Information Protection Amendment Bill 2021 (NSW) is intended to fill the gaps left by the Commonwealth Government’s Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). That scheme imposes similar requirements on Australian Commonwealth agencies, large businesses (revenue over $3 million per annum), health service providers, some small businesses and non-government organisations, but not on state government agencies or local councils.

Under the amendment, NSW public sector entities would be required to report data breaches to the NSW Privacy Commissioner and to affected individuals when a data breach involving personal or health information is “likely to result in serious harm”.

In many respects, the Bill mirrors the Privacy Act, including (but not limited to) the requirement that agencies need only notify individuals affected by the breach “as soon as practicable” and take related actions where “reasonable”.


Observations

Australian privacy and data protection law is complex. It follows the US ‘patchwork’ approach: there is no uniform privacy law, and Commonwealth law has limited application. All but two states (South Australia and Western Australia) have their own state privacy laws, and only one of the two territories has its own privacy law. No state or territory law is the same, and different rules apply as to which prevails in the event of conflict and in relation to industry sectors. In addition, different security standards (e.g., the Commonwealth PSPF and the Victorian VPDSS) and different terminology apply.

Australian businesses and public sector agencies face a difficult task in making sense of all these requirements. As we have stated in previous articles[2], the interaction between consumer law and the new critical infrastructure law increases the obligations on affected businesses and agencies to identify and protect personal and other information.


Here to Assist – Privacy and Cyber Security Legal Frameworks and Regulatory Universe

If you are an Australian business or public sector agency that must comply with these new and interrelated legislative requirements and manage the related risk, please contact us. We have highly trained experts in Australia and overseas to help you understand and implement privacy and cyber security legal frameworks in accordance with your regulatory universe. We focus on delivering practical solutions to strategic compliance that can be implemented across your organisation to bridge the gaps between law and technology.


Helaine Leggat

Managing Partner, ICTLC Australia

Notes:

[1] Portfolio Committee No. 1 – Premier and Finance: https://www.parliament.nsw.gov.au/tp/files/79375/Report%2052%20-%20Cybersecurity%20-%20March%202021.PDF

[2] Click on the following links to read the previous articles:

The Consumer Data Right and pending legal reform

Navigating an approach to the Consumer Data Right and security of critical infrastructure