Authored by: Sharon Givoni, General Editor of the Privacy Law Bulletin, Principal Lawyer, Sharon Givoni Consulting and Alec Christie, Partner, Head of Privacy Risk and Digital Law, Atmos Legal Australia...
NSW privacy reforms
NSW has recently ushered in a number of significant privacy reforms through the passing of the Privacy and Personal Information Protection Amendment Act 2022 (NSW) (Amending Act).
As part of these reforms, the NSW Government has followed the Commonwealth and introduced a mandatory notification of eligible data breaches (MNDB) scheme. The MNDB scheme will apply to NSW public sector agencies, including state-owned corporations (SOCs) that are not regulated by the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).
What changes have been enacted following the passing of the Privacy and Personal Information Protection Amendment Act 2022? What can organisations do to mitigate risk and protect themselves in the future?
This article comes from the experts behind the Privacy Law Bulletin. This bulletin is written by expert lawyers, academics, and legal experts covering the rapidly changing legal landscape around privacy laws and cases that continue to shape Australia's privacy framework. The Privacy Law Bulletin features articles on topical local and international legal issues impacting on privacy law and provides insights on the practical implications of the latest legal developments.
In addition to the introduction of the MNDB scheme, the privacy reforms also expand the powers of the NSW privacy commissioner and broaden the definition of a “public sector agency” under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) to include SOCs that are not subject to the Commonwealth Privacy Act. Accordingly, these SOCs will have to comply with the existing requirements under the PPIP Act as well as, where relevant, the new requirements under the Amending Act.
The Amending Act reforms will come into effect on 28 November 2023 (that is, the first anniversary of the Amending Act’s date of assent).
Mandatory notification of data breaches
Under the Amending Act, an “eligible data breach” includes where:
An eligible data breach could range from a large-scale cyberattack on a public sector agency where personal information is unlawfully obtained to a public sector agency employee accidentally leaving a hard copy file containing personal information on the bus.
What are the key features of the MNDB scheme?
The Amending Act prescribes steps that public sector agencies must take if they have reasonable grounds to suspect that an eligible data breach has occurred including (among others):
Exemptions
It is important to note that, subject to conditions, the Amending Act includes several exemptions from compliance with some of its provisions, for example (among others), if the head of a public sector agency reasonably believes that notification of an eligible data breach would create a serious risk of harm to an individual’s health and safety, or if notification of the breach would “worsen the agency’s cybersecurity” or “lead to further data breaches”.
Further, similar to the data breach regime under the Commonwealth Privacy Act, public sector agencies may, in certain circumstances, be exempt from some of the above steps if they can mitigate the harm done by the breach and take action before serious harm to an individual results.
Expansion of the powers of the NSW privacy commissioner
The Amending Act also expands the powers of the NSW privacy commissioner, enabling the privacy commissioner to (among other powers):
Consequential amendments
The Amending Act also makes some consequential amendments to other legislation, including the Government Information (Public Access) Act 2009 (NSW) (GIPA Act). For the purposes of the GIPA Act, it will now be conclusively presumed that there is an overriding public interest against the disclosure of information contained in a document prepared for the assessment of an eligible data breach under the PPIP Act if the information could worsen a public sector agency’s cybersecurity or lead to further data breaches.
How public sector agencies can prepare for the reforms
Public sector agencies should review their privacy compliance frameworks to prepare for the MNDB scheme and the other reforms introduced by the Amending Act. In particular, public sector agencies will need to undertake the following key activities:
What should SOCs do?
In addition to the above, SOCs that become subject to the PPIP Act will need to put appropriate systems, processes and documentation in place to ensure compliance with the PPIP Act.
We recommend that SOCs undertake a full privacy compliance review that, at a minimum, includes the following:
Next steps
It is critical that public sector agencies (including SOCs) are across the key changes to the PPIP Act and begin to develop and implement relevant policies and procedures to prepare for the introduction of the MNDB scheme.