Mandatory notifiable data breach scheme introduced for NSW government agencies

29 November 2022
Sinead Lynch, Partner, Sydney

In a time of significant changes to the privacy landscape, not least the confirmed passing by the Senate yesterday afternoon of the Privacy Legislation Amendment (Enforcement & Other Measures) Bill, 2022 to increase fines and enhance the OAIC's powers (see our recent article here), further well-overdue changes were also announced for the public sector. The NSW Government passed the Privacy and Personal Information Protection Amendment Bill 2022 (Bill), which amends the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) to introduce a mandatory notification of data breach scheme (Scheme) for NSW government agencies.

While Australian Federal Government agencies and private sector organisations have been required to notify eligible data breaches under the Notifiable Data Breach Scheme (forming part of the Federal Privacy Act 1988 (Cth) (Privacy Act)) since February 2018, there has been no mandatory equivalent at a State level.

NSW is now the first State to introduce State-equivalent obligations for government agencies, including all NSW agencies, departments and local councils, and the Bill extends the PPIP Act’s reach to State owned corporations (SOCs) which are not subject to the Privacy Act. After a 12-month transition period, government agencies and SOCs will be required to have a data breach response plan, to contain personal information data breaches when they occur, and to inform the NSW Privacy Commissioner as well as impacted individuals if serious harm is likely. The NSW Privacy Commissioner will be furnished with corresponding enforcement powers to administer the Scheme.

The Scheme closes a substantial privacy protection gap for NSW citizens at a time when public demand for data privacy is stronger than ever. It remains to be seen how efficiently NSW government agencies will be able to implement the new requirements, but what is clear is that, with the onslaught of new fines and penalties for breach, public and private enterprises in Australia cannot ignore the privacy implications of how they interact with business and individuals.


Authored By:

Sinead Lynch, Partner (Foreign Qualified Lawyer, not admitted to practice in Australia)
Freya vom Bauer, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.