Legal development

Mandatory data breach notification laws hit NSW

Insight Hero Image

    What you need to know

    • The NSW Parliament passed the Privacy and Personal Information Protection Amendment Bill 2022 on 16 November 2022.
    • The Bill:
      • introduces mandatory data breach notices in NSW (which currently has a voluntary regime);
      • requires agencies to have the privacy management plans, data breach policies and data breach registers to support the mandatory notification scheme;
      • brings more pro-active, interventionist and cyber focused functions and powers to the NSW Privacy Commissioner; and
      • extends NSW privacy law to cover NSW State owned corporations not covered by Commonwealth privacy law.
    • The reforms amend the Privacy and Personal Information Protection Act 1998 (NSW), and impact NSW public sector agencies, including NSW agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor General, some universities and State owned corporations not covered by Commonwealth privacy laws.
    • Agencies will have 12 months to comply with the new rules.
    • The reforms come after more than three years of consultation.  Expect other jurisdictions to follow.

    What you need to do

    • While the reforms will have a 12 month lead-time, agencies should build (and fund) cyber resilience maturity – in particular the capability to monitor, record, assess, report and act on cyber incidents.
    • Climb the learning curve – the Information and Privacy Commissioner will publish an e-learning module and guidelines, including guidance on how agencies should assess data breaches.
    • Design resilient monitoring, assessment, recording and reporting frameworks – the new rules encourage robust and documented processes – but these documents can themselves be valuable to attackers.  Agencies need to design frameworks that will work while systems are compromised.
    • We expect the Privacy Commissioner to use these new regulatory tools to push cyber maturity in agencies.  The Audit Office of New South Wales issued a series of reports in 2021 investigating cyber maturity in a range of NSW public sector agencies, with some key lessons that can be acted on today
      • Prioritise cyber maturity as a matter of urgency
      • Demonstrate continuous improvement against the NSW Cyber Security Policy, which sets out 25 mandatory requirements, including implementing the Australian Cyber Security Centre's "Essential 8" strategies
      • Drive consistency in policies, processes and definition around security incidents and data breaches to ensure data breaches are recorded in registers, and take action to address root causes
      • Identify your most vital systems - your "crown jewels"
      • Improve IT controls, particularly around user access administration and privileged user access
    • Assess and manage cyber supply chain risk when procuring goods and services and in the management of contractors.  Often supply chains provide a weak link in organisational security and need to be considered and managed appropriately.

    What data breaches need to be notified?

    The NSW mandatory data breach scheme is designed to be consistent with the Commonwealth scheme, as some incidents may trigger both regimes (eg if tax file numbers are involved).
    An eligible data breach is one that is likely to result in serious harm.  The bill includes factors that may be considered, including the types and sensitivity of information and security measures.
    Notification is not required where mitigation steps taken mean serious harm is not likely to occur. Other exemptions include where notification:

    • presents cyber risks
    • is given by another affected agency
    • presents a serious risk of harm to health or safety

    Contain, assess, notify

    An employee or officer must report a suspected eligible data breach to the agency. The agency must:

    • Contain:  immediately take all reasonable steps to contain the data breach
    • Assess:  expeditiously, and within 30 days, assess whether the data breach is an eligible data breach (this period can be extended by the head of the agency)
    • Notify:  once an eligible data breach is confirmed, the agency must notify the NSW Privacy Commissioner immediately, and affected individuals as soon as practicable (or if notifying individuals is not practical, publish a notification)
     

    Update plans, policy and register

    Agencies must:

    • update privacy management plans to cover the data breach notification scheme
    • publish a data breach policy
    • maintain an internal register of eligible data breaches – including details such as mitigation steps, actions to prevent future breaches and estimated costs of breaches

    While these requirements may at first appear administrative, they will practically require agencies to review, design and document operational and governance arrangements to prepare for, defend against, mitigate and recover from incidents.

    Internal process documents, and in particular the internal register, will be valuable information to a threat actor.  Know how you will document the steps taken to identify, respond to, report and recover from an incident. Consider communications and records protocols, particularly if corporate systems might be accessible to threat actors.

    New functions and powers

    The NSW Privacy Commissioner will have new functions and powers that signal a more pro-active, interventionist and cyber-focused regulator.  

    These include to:

    • investigate, monitor, audit and report on compliance with notification scheme, including data handling
    • assist agencies to prepare data breach policies and comply with the scheme
    • observe systems, policies and procedures
    • observe demonstrations of data handling systems, policies, procedures and inspect documents
    • direct an agency to prepare a statements about suspected eligible data breach, and recommend notification to individuals as if it was an eligible data breach
    • issue reports and guidelines

    The new functions and powers will make it easier for the Privacy Commissioner to assist with and uplift the capabilities of agencies.  They also allow the Privacy Commissioner to "look under the hood" of agency operations, and potentially to name and shame agencies that fail to take action.

    Independent oversight and monitoring is not new to NSW agencies – cyber resilience is an ongoing focus for the Audit Office of NSW.  However, new powers and functions may give the Privacy Commissioner leverage to drive change and impact budgets.

    Other jurisdictions will follow suit

    As in NSW, mandatory data breach notifications have been on the agenda in other jurisdictions for some time.  

    • The Queensland government consulted on introducing a similar mandatory data breach notification scheme in June 2022. 
    • The Office of the Victorian Information Commissioner called for mandatory data breach notifications in September 2022 after a department failed to notify people that their data had been accessed by a man convicted to sexually assaulting a child.
    • In 2019, the Western Australian Office of the Information Commissioner submitted that the Western Australian Government should consider a mandatory reporting scheme.

    The NSW legislation will ease the path to introducing similar regimes, modelled on the Commonwealth regime, in other jurisdictions.

    Authors: Rebecca Cope (Partner, Digital Economy Transactions), Mathew Baldwin (Partner, Digital Economy Transactions), Tim Brookes (Partner, Digital Economy Transactions), Andrew Hilton (Expertise Counsel, Digital Economy Transactions) and Dominic Christie (Lawyer, Digital Economy Transactions).

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst.  Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.