About us
Locations
- Adelaide
  - Level 1
  - 333 King William Street
  - Adelaide SA 5000
  - GPO Box 949, Adelaide SA 5001
  - +61 8 8456 2433
  - +61 8 8456 2499
  - info.sa@gadens.com
  Location Map
- Brisbane
  - Level 11, ONE ONE ONE
  - 111 Eagle Street
  - Brisbane QLD 4000
  - GPO Box 129, Brisbane QLD 4001
  - +61 7 3231 1666
  - +61 7 3229 5850
  - info.qld@gadens.com
  Location Map
- Melbourne
  - Level 13, Collins Arch
  - 447 Collins Street
  - Melbourne VIC 3000
  - GPO Box 48, Melbourne VIC 3000
  - +61 3 9252 2555
  - +61 3 9252 2500
  - info.vic@gadens.com
  Location Map
- Perth
  - Lavan (Associate office)
  - Level 20, The Quadrant
  - 1 William Street
  - Perth WA 6000
  - PO Box F338, Perth WA 6000
  - +61 8 9288 6000
  - +61 8 9288 6001
  - info.wa@gadens.com
  Location Map
- Sydney
  - Level 20
  - 25 Martin Place
  - Sydney NSW 2000
  - PO Box H332, Australia Square NSW 1215
  - +61 2 9231 4996
  - +61 2 9163 3000
  - info.nsw@gadens.com
  Location Map
International
Careers
News
Contact us

Mandatory notifiable data breach scheme introduced for NSW government agencies

29 November 2022

Sinead Lynch, Partner, Sydney

In a time of significant changes to the privacy landscape, not least the confirmed passing by the Senate yesterday afternoon of the Privacy Legislation Amendment (Enforcement & Other Measures) Bill, 2022 to increase fines and enhance the OAIC powers (see our recent article here), further well overdue changes were also announced for the public sector. The NSW Government passed the Privacy and Personal Information Protection Amendment Bill 2022 (Bill) which amends the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) to introduce a mandatory notification of data breach scheme (Scheme) for NSW government agencies.

While Australian Federal Government agencies and private sector organisation have been required to notify eligible data breaches under the Notifiable Data Breach Scheme (forming part of the Federal Privacy Act 1988 (Cth) (Privacy Act) since February 2018, there has been no mandatory equivalent at a State Level.

NSW is now the first State to introduce State equivalent obligations for government agencies, including all NSW agencies, departments and local councils, and extends the PPIP Act’s reach to State owned corporations (SOCs) which are not subject to the Privacy Act. After a 12-month transition period, government agencies and SOCs will be required have a data breach response plan, to contain personal information data breaches when they occur and inform the NSW Privacy Commissioner as well as impacted individuals if serious harm is likely. The NSW Privacy Commissioner will be furnished with corresponding enforcement powers to administer the Scheme.

The Scheme closes a substantial privacy protection gap for NSW citizens at a time where public demand for data privacy is stronger than ever. It remains to be seen how efficiently NSW government agencies will be able to implement the new requirements, but what is clear, with the onslaught of new fines and penalties for breach, all public and private enterprises in Australia cannot ignore the privacy implications of how they interact with business and individuals.

Authored By:

Sinead Lynch, Partner (Foreign Qualified Lawyer, not admitted to practice in Australia)
Freya vom Bauer, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch

Sinead Lynch
Partner, Sydney
+61 2 9163 3064
sinead.lynch@gadens.com