Login
iscover
NSW’s long-awaited cyber mandatory reporting scheme has finally been announced, with organisations that have been affected by a cyber breach required to notify those impacted.
The new Mandatory Notification of Data Breach Scheme, which will become effective on 28 November this year, comes as part of amendments to the Privacy and Personal Information Protection Act 1998 (the PPIP Act).
“The amendments impact the responsibilities of agencies under the PPIP Act and require agencies to provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act,” said a release by the Information and Privacy Commission.
“The changes to the PPIP Act include:
- Creating a Mandatory Notification of Data Breach (MNDB) Scheme, which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm.
- Applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988.
- Repealing s117C of the Fines Act 1996 to ensure that all NSW public sector agencies are regulated by the same mandatory notification scheme.”
The Information and Privacy Commissioner has said that agencies under the scheme are obliged to make all efforts within reason to contain a data breach and to undertake an assessment within 30 days of discovering the breach.
Additionally, during the investigation, agencies must make “all reasonable attempts” to reduce the damage of the breach, which could include shutting down parts of its systems to prevent additional access or damage.
As part of the assessment, the organisation must evaluate whether a breach “is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach”.
Finally, the Privacy Commissioner and those affected by the breach must be informed.
The commission also recommends that in preparation for the scheme, agencies should establish managing roles and responsibilities, which could involve creating a data breach response team or hiring additional specific staff.
Newsletter
