Media Release - NSW Privacy Commissioner welcomes the amendments to the Privacy and Personal Information Protection Act 1998 passed by the NSW Parliament
The NSW Privacy Commissioner, Samantha Gavel, welcomes amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act) which were passed by the NSW Parliament on 16 November 2022.
The amendments to the PPIP Act aim to strengthen privacy legislation in NSW by:
- creating a Mandatory Notification of Data Breaches (MNDB) Scheme which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm
- applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988
- repealing s117C of the Fines Act 1996 to ensure that all NSW public sector agencies are regulated by the same mandatory notification scheme.
The MNDB Scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.
The Privacy Commissioner, Samantha Gavel, said, “The MNDB Scheme will enable NSW agencies to promote, support and practise responsible privacy governance that is consistent across government.
“It will also assist in building public confidence and trust in the Government’s use of digital technology and data to improve outcomes and services for the public.”
Preparing for the new scheme
Ahead of the Scheme’s implementation, the Information and Privacy Commission NSW (IPC) will work with agencies covered under the PPIP Act and release guidance and resources to ensure they have the required systems, processes and capability in place.
The Privacy Commissioner said, “In preparing for implementation of the new Scheme, agencies are encouraged to develop robust processes to identify potential and actual breaches, and elevate government capabilities to mitigate and manage data breaches.
“I am looking forward to engaging with agencies to assist them in meeting their compliance requirements under the Scheme and support them to improve their privacy practices.”
The IPC will develop a suite of new resources and guidance for both NSW agencies and citizens. This will include new guidelines on the details of the MNDB Scheme including defining eligible data breaches, notification exemptions, and agency guides to comply with the new legislative requirements. Resources will also include information on the steps to take following an eligible breach and how to prepare compliant policies and procedures.
The IPC will also develop e-learning modules for agencies to undertake training on the changes, resources for citizens such as fact sheets and animations to understand their rights and processes under the amendments, and update existing agency guidance to align with the changes.
The IPC will implement internal IT enhancements and processes that can support the new agency reporting requirements under the Scheme, and will be updating its website to reflect the legislative changes and create an information hub where agencies can find all relevant information regarding the Scheme.
Once the MNDB Scheme comes into effect, the Privacy Commissioner recognises it will:
- increase citizen trust in government agency handling of personal information and data breach incidents
- increase agency awareness of and responses to data breach incidents
- improve transparency and accountability of agencies in the way agencies respond to serious data breaches
- encourage agencies to elevate capability to mitigate and manage the risk of data breaches
- provide citizens with the information needed to reduce their risk of harm following a serious data breach.
Details about the amendments to the PPIP Act can be found on the NSW Parliament website.
ENDS
For further information, please contact:
The Manager, Communications and Corporate Affairs on 0435 961 691 or email communications@ipc.nsw.gov.au
About the Information and Privacy Commission:
The Information and Privacy Commission NSW (IPC) is an independent statutory authority that administers New South Wales’ legislation dealing with privacy and access to government information. The IPC supports the Information Commissioner and the Privacy Commissioner in fulfilling their legislative responsibilities and functions and to ensure individuals and agencies can access consistent information, guidance and coordinated training about information access and privacy matters.
About the NSW Privacy Commissioner
Samantha Gavel was appointed as NSW Privacy Commissioner on 4 September 2017. Her role is to promote public awareness and understanding of privacy rights in NSW, as well as provide information, support, advice and assistance to agencies and the general public.
For further information about the IPC visit our website at www.ipc.nsw.gov.au
