We have blogged numerous times on the notifiable data breach scheme provided for in Part IIIC of the Privacy Act 1988 (Cth), including, more recently, on its success in assisting the preparedness of the health sector to report and respond to data breaches.
Whilst the NSW Information Privacy Commissioner recommends that public sector agencies notify it and affected individuals where a data breach creates a risk of serious harm, neither NSW privacy laws nor the notifiable data breach scheme require public sector agencies in NSW to provide such notification. There are many reasons to require state government agencies to report data breaches. Informing citizens when privacy breaches occur gives them an opportunity to protect themselves against potentially adverse consequences, and mandatory data breach reporting would address the current under-reporting of data breaches in NSW, which, according to the consultation, may be the norm.
If the notifiable data breach scheme is an appropriate burden to put on private companies, with the Commonwealth Government highlighting the need for citizens to be confident that their personal information is being sufficiently protected by such entities, you’d expect that government entities such as public agencies would have adopted such an approach well before now. The consultation is at least a step in the right direction, with the NSW Government endeavouring to catch up to the existing obligations placed on private entities.
We will track the consultation and let you know the result.