New Notification of Data Breach Rules for New South Wales
The Information and Privacy Commission (IPC) of New South Wales (NSW) has announced new rules, coming into force on November 28, 2023, that require public sector agencies to report breaches of personal information (PI).
The Mandatory Notification of Data Breach (MNDB) Scheme is introduced in an amendment to the NSW Privacy and Personal Information Protection Act 1998 (PPIP Act). The updated Privacy and Personal Information Protection Amendment Bill 2022 passed unanimously in November 2022 with cross-party support.
The new scheme means that public sector agencies need to report eligible data breaches to the NSW Privacy Commissioner as well as notify affected individuals. They will also need to maintain an internal data breach incident register and have a publicly accessible data breach policy.
An “eligible data breach” is an incident where there is unauthorized access to or disclosure of personal information that may result in harm to individuals who can be identified by the data. It also covers the loss of personal information where unauthorized access or disclosure is likely and could result in harm to affected individuals.
When reporting a data breach under the new scheme, organizations must include:
- A description of the personal information, including any sensitive information, affected by the breach
- The details of the incident
- An estimate of the number of individuals affected by the breach
These changes apply only to public sector agencies, including NSW government agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor General, and some universities.
Organizations in scope of the new legislation must establish a program of data management that ensures they are able to meet these new obligations. Recovering from a data breach is made easier with good data management and a clear understanding of the data within the organization, where it is stored and how it is handled.
Data discovery solutions like Ground Labs’ Enterprise Recon support rapid inventory of data across the organization with in-built remediation and data management capability that supports organizations in meeting their privacy and data protection responsibilities.
To learn more about how data discovery supports incident response and organizational resilience, download our free white paper, Data — The Cornerstone to Organizational Resilience.