Uniformity of Law II: NSW Government pledges to introduce Mandatory Data Breach Reporting in respect to State Government Agencies

Cameron Abbott, Warwick Andersen and Max Evans

Following on from the consultation opened by the NSW Government in July 2019 (the subject of a previous blog), NSW Attorney-General Mark Speakman has committed to introducing a mandatory data breach scheme, according to an article by ITNews.

At present, neither NSW privacy laws nor the notifiable data breach scheme under Part IIIC of the Privacy Act 1988 (Cth) require public sector agencies in NSW to notify the NSW Privacy Commissioner and affected individuals where a data breach creates a risk of serious harm. This led to a consultation conducted by the Department of Communities and Justice in late 2019, which revealed “overwhelming public support” for the introduction of a mandatory data breach scheme in NSW, with the NSW Government “sharing a view” that the relevant scheme should be introduced.

Whilst the article notes that there is still conflicting opinions about what the scheme should look like, it is likely that the scheme will mimic some aspects of the Commonwealth scheme. It is important to note however that several submissions including the Department of Customer Service and the Information and Privacy Commission have supported shortening the notification timeframe for reporting data breaches from 30 working days under the Commonwealth scheme to 10 working days.

We will keep you updated on how the NSW Government navigates the design of the new scheme.