Under the MNDB Scheme, NSW public sector agencies are required to:
- contain a data breach and assess the severity of harm to affected individuals. If the breach is deemed likely to result in serious harm to an individual, the affected agency must notify the NSW Privacy Commissioner and the affected individuals;
- issue a public notification if the affected individuals cannot be identified or if it is not reasonably practicable to notify them individually; and
- implement a publicly available data breach management policy, which includes the handling of personal and health-related information.
Attorney General Mark Speakman, member of the NSW Legislative Assembly, said the amending act fulfils the NSW Government’s commitment to introduce a mandatory notification of data breaches scheme, which will strengthen privacy protections for the citizens of NSW.
According to the Minister for Customer Service and Digital Government, Victor Dominello, ‘The scheme will apply to all public sector agencies as defined in the new laws, including all NSW agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor General and some universities’.
Enhancing the Privacy Commissioner’s powers
To assist in implementing the scheme, the changes expand the regulatory responsibilities of the NSW Privacy Commissioner, Samantha Gavel, to investigate, monitor, audit and report on the functions of an agency under the MNDB scheme. The Privacy Commissioner will work with agencies to facilitate legal compliance and best privacy practice. To assist the Privacy Commissioner in enforcing the MNDB scheme in the case of agency non-compliance, the changes also give the Privacy Commissioner authority to enter the premises of an agency to observe its systems, policies and procedures.
Impacts on public sector agencies
The key amendments to the PPIP Act include:
- Public sector agencies must notify the NSW Privacy Commissioner and affected individuals of data breaches involving their personal or health information, which are likely to result in serious harm.
- The MNDB scheme has been designed to adopt key features of the Commonwealth NDB scheme, such as sharing the same breach notification threshold of serious harm, and similar assessment and notification time frames and requirements. This is to ease the administrative burden for agencies, in the limited circumstances where both schemes may apply.
- There are new governance requirements, including obligations for agencies to prepare and publish a data breach policy, keep a public register of breach notifications, establish and maintain an internal data breach incident register, and revise their Privacy Management Plans to include references to the MNDB scheme obligations.
- The definition of a public sector agency within the PPIP Act will be expanded to include State-owned corporations (SOCs) that are not already regulated by the Privacy Act 1988 (Cth). Affected SOCs are required to adopt and implement processes internally. They also need to ensure that they are compliant with the PPIP Act in its entirety, including the new MNDB scheme.
Consequences of non-compliance
An important difference between the NSW MNDB scheme and the Commonwealth NDB scheme is the lack of penalties for non-compliance by NSW public sector agencies. Commonwealth public sector agencies are exposed to penalties of up to $500,000 for serious and repeated interference with privacy. To date, we are not aware of any such penalties having been imposed on Commonwealth agencies, or on any entity in connection with the NDB scheme.
While there is no monetary penalty for non-compliance with the MNDB scheme in NSW, damage to reputation remains an important incentive for public sector agencies and private sector organisations to comply with their legal obligations. The amendments also expand the Privacy Commissioner’s regulatory responsibilities: the new sections 59Z and 59ZA allow the Privacy Commissioner to “investigate, monitor, audit and report” on agencies’ compliance with the MNDB scheme and to “direct the head of the agency to provide access to premises”.[1] This includes the Privacy Commissioner entering premises to observe a demonstration of the agency’s data handling systems, policies and procedures and to inspect particular documents.[2]
What’s next?
The changes allow for a 12-month transition period, intended to give agencies sufficient time to adopt appropriate systems and processes to comply with the new obligations.
It is anticipated that the NSW Information and Privacy Commission will develop guidelines outlining agencies' obligations under the MNDB scheme. This includes guidance on key threshold questions such as whether a data breach would be likely to result in ‘serious harm’ to an impacted individual.
Hicksons Lawyers’ Commercial and Cyber Risk teams have extensive expertise in this area and are available to help with any questions you may have.
Post by Hicksons' Partner, John Kell.
[1] Privacy and Personal Information Protection Amendment Bill 2022 sch 1 item 11.