Opinion

NSW set to introduce mandatory data breach notification scheme to protect privacy

19th Aug 2021

The NSW Government will be required to notify anyone affected by a cyber-attack or data breach of its records under planned changes to state privacy laws being introduced in the Privacy and Personal Information Protection Amendment Bill 2021 (Bill) later this year.

For the first time in any Australian state or territory, it will be compulsory for NSW Government departments, state-owned corporations and local councils to notify people if their records have been compromised. The NSW legislation will be based on the Federal Government’s notifiable data breaches scheme, which was introduced in 2018.

Amendments aim to protect privacy of NSW citizens

In a media release published in May 2021, NSW Attorney General Mark Speakman stated that under the draft Bill all public sector agencies will have to notify the Privacy Commissioner, and anyone affected, when a data breach involving personal information is likely to result in serious harm.

Mr Speakman stated that ‘[t]he protection of people’s privacy is crucial to public confidence in NSW Government services … If passed, this Bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies.’

Massive data breaches in NSW government agencies prompt changes in law

The Government’s move follows a substantial data breach of Service NSW in April 2020, when 3.8 million documents, amounting to 736 GB of data, were stolen by unknown cyber-attackers. This incident resulted in the personal information of 186,000 customers being compromised.

It took the Government six months to start notifying affected individuals. After 11 months, 20,000 victims still had not been notified.

Data breaches of government records are a growing problem, with information from more than 50,000 NSW driver’s licences being leaked in August 2020.

Under the law, it is possible for people who suffer loss or damage due to a data breach to receive up to $40,000 in compensation.

Privacy Commissioner Samantha Gavel revealed in a parliamentary inquiry in early 2021 that there were 79 voluntary notifications of data breaches of NSW government-held records in 2020, up 23% on 2019.

Will the NSW data breach notification scheme produce the intended result?

The Bill will add to the existing privacy protection laws contained in the NSW Privacy and Personal Information Protection Act 1998.

But the degree of privacy protection for the public will depend on the fine print of the final legislation.

Governments often promise that people will be better off under new laws designed to safeguard privacy, enhance individual rights or provide more freedom of speech. Instead, what may eventuate is legislation that either contains enough loopholes to have the reverse effect, or protects the government rather than the people.

Data breaches leading to identity theft also increasing

Identity theft is increasing as more personal records are being kept online. Armed with confidential information gained from hacking government records, criminals can assume a person’s identity and steal from their bank accounts or other assets.

According to a report released by the Australian Institute of Criminology (AIC), the annual economic impact of identity crime exceeds $2 billion. The AIC found that one in four Australians has been a victim of identity crime at some point in their lives, with an average loss of more than $3,000.

Identity theft enables other major crimes

The Department of Home Affairs has stated that identity theft also provides a foundation for many other forms of serious crime. Fraudulent identities may be used for money laundering, tax evasion, dealing in stolen motor vehicles, or protecting the true identities of organised crime members.

Organised crime groups may also sell stolen identity information to other criminal networks. Once a person has their identity stolen, they can be repeatedly targeted by online criminals.

It’s wise to seek specialist legal advice if you have concerns about the security of data held by a government department or suspect identity theft.

This is an edited version of an article first published at Stacks Law.

Michael McHugh is a lawyer in the Stacks office in Tamworth. He specialises in property law, mortgages and securities, mergers and acquisitions and commercial litigation. He has worked in the areas of agribusiness and finance for major regional lenders.

The views and opinions expressed in these articles are the authors' and do not necessarily represent the views and opinions of the Australian Lawyers Alliance (ALA).
