- Amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) will take effect from 28 November 2023
- The Information and Privacy Commission states that the aim of the amendments is to strengthen privacy laws.
- The Information and Privacy Commission will be preparing a raft of guidance documents and resources to support NSW agencies and citizens with regard to the changes.
What are the changes to the PPIP Act?
Amendments to the PPIP Act have been introduced to impose new obligations in the event of a suspected data breach (which includes unauthorised access to, disclosure of, or loss of personal information held by a public sector agency, including Local Councils) as follows:
- Contain the breach and assess the likely severity of harm to impacted individuals.
- If the breach is likely to result in serious harm to an individual, notify the NSW Privacy Commissioner as well as impacted individuals.
- Where impacted individuals cannot be identified or where it is not reasonably practical to notify them, issue a public notification.
Further obligations will be imposed relating to responsible handling of personal and health information, including a requirement to implement a publicly available data breach management policy.
How did we get here?
In July 2019, public submissions were invited in response to the question of whether a Mandatory Notification of Data Breaches (MNDB) Scheme should be implemented in New South Wales. The NSW MNDB Scheme was to be based on the Commonwealth scheme implemented under the Privacy Amendment (Notifiable Data Breaches) Act 2017 and bring the PPIP Act into alignment with the Information Protection Principles. The responses from the public overwhelmingly favoured the introduction of such a scheme.
In May 2021, the Privacy and Personal Information Protection Amendment Bill 2021 (PPIP Amendment Bill) was subsequently released for public consultation. In response to the PPIP Amendment Bill, there was again overwhelming support for an MNDB scheme, with a number of improvements proposed to the Bill.
The Privacy and Personal Information Protection Amendment Bill 2022 was introduced in Parliament by Attorney General, the Hon. Mark Speakman SC MP on 9 November 2022 and was passed by parliament on 16 November 2022, receiving assent on 28 November 2022.
The key changes are:
- State Owned Corporations (SOCs) will be brought under the PPIP Act where they are not regulated under the Privacy Act 1988 (Cth) (Privacy Act); and
- The Mandatory Notification of Data Breaches scheme is introduced in NSW.
These key changes are explored further below.
Changes for SOCs
The Bill expands the definition of “public sector agency” and makes a series of consequential amendments which bring SOCs that are not already regulated by the Privacy Act into the PPIP Act scheme.
This amendment will require SOCs to:
- Comply with the PPIP Act regarding the collection and handling of personal information;
- Develop a Privacy Management Plan. The Privacy Management Plan must meet the requirements of section 33 of the PPIP Act; and
- Implement policies and procedures, which detail how the SOC will comply with the PPIP Act (and the Health Records and Information Privacy Act 2002 (NSW), if applicable).
The information handling practices of SOCs may be reviewed by an individual dissatisfied with the handling of their personal information, and SOCs may also have their conduct subject to external review by the NSW Civil and Administrative Tribunal (NCAT).
NCAT has a broad range of powers it can exercise on review, including:
- Conducting hearings;
- Making findings; and
- A power to require a public sector agency to pay damages of an amount up to $40,000 per breach, by way of compensation for any loss or damage suffered because of the conduct.
What is an “eligible data breach”?
The definition of an “eligible data breach” in the PPIP Amendment Bill is consistent with the definition in the Commonwealth Privacy Act.
A data breach will be an “eligible data breach” where:
- There has been unauthorised access to, or disclosure of, personal information held by the public sector agency, or
- Personal information held by the public sector agency is lost.
The PPIP Amendment Bill provides further clarification that an eligible data breach may include:
- A data breach that occurs within a public sector agency
- A data breach that occurs between public sector agencies, or
- A data breach that occurs by an external person or entity accessing data held by a public sector agency without authorisation.
How to assess and report on an eligible data breach
If you have identified an eligible data breach, or suspect that an eligible data breach has occurred, three steps must be taken as part of the assessment stage:
- Notify the head of your agency (or their delegate).
- The head of the agency must immediately make all reasonable efforts to contain the data breach.
- Start assessing the incident within 30 days of when the incident was first discovered.
The head of the agency may approve an extension of time to conduct the assessment. Any extensions must be notified in writing to the Privacy Commissioner.
Once the assessment is completed, the findings must be provided to the head of the agency (or their delegate). A determination will then be made as to whether the data breach is an “eligible data breach”.
If the data breach is an “eligible data breach”, the notification provisions apply.
There are two key notification requirements:
- Firstly, the head of the agency (or their delegate) must immediately notify the Privacy Commissioner of the breach. Notification must be made in a form approved by the Privacy Commissioner and include the relevant details.
- Secondly, the head of the agency (or their delegate) must, to the extent that it is reasonably practicable, take reasonable steps in the circumstances to notify affected individuals of the eligible data breach. If notification is not reasonably practicable, the agency must publish a notice on its website which provides certain details of the breach. This notice is required to be retained in the agency’s public notification register and accessible via the agency’s website for at least 12 months after the date the notification is published.
Are there any exemptions to notification?
The Amendment Bill contains several exemptions to an agency’s notification obligations.
The exemption provisions are detailed and require careful consideration before they are relied on. In some instances, where an agency is relying on an exemption, the Privacy Commissioner needs to be notified. The Privacy Commissioner is then to be updated monthly if the agency is going to continue relying on the exemption. NSW agencies should carefully review the exemptions before relying on them and ensure they fully understand how the exemption operates.
Where to from here?
The amendments come into effect on 28 November 2023, 12 months after the date of assent.
The NSW Information and Privacy Commission will prepare a raft of resources and guidance documents to assist public sector agencies and state-owned corporations as they navigate and apply the changes to their operations.
If you need assistance in the steps that your agency needs to take to prepare for the changes, Coutts can assist you. Please contact our Local Government team.
This blog is merely general and non-specific information on the subject matter and is not and should not be considered or relied on as legal advice. Coutts is not responsible for any cost, expense, loss or liability whatsoever to this blog, including all or any reliance on this blog or use or application of this blog by you.