The NSW Privacy Commissioner, Samantha Gavel, welcomes amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act) which were assented to in NSW Parliament on 28 November 2022.
The Privacy and Personal Information Protection Amendment Bill 2022 was introduced in Parliament by Attorney General, the Hon. Mark Speakman SC MP, on 9 November 2022 and passed Parliament on 16 November 2022.
The amendments to the PPIP Act will come into effect 12 months following assent, from 28 November 2023. They aim to strengthen privacy legislation in NSW by:
- creating a Mandatory Notification of Data Breaches (MNDB) Scheme which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm
- applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988
- repealing s117C of the Fines Act 1996 to ensure that all NSW public sector agencies are regulated by the same mandatory notification scheme.
The MNDB Scheme will require agencies to satisfy other data management requirements, including maintaining an internal data breach incident register and having a publicly accessible data breach policy.
Ahead of the Scheme’s implementation, the Information and Privacy Commission NSW (IPC) will work with agencies covered under the PPIP Act and release guidance and resources to ensure they have the required systems, processes and capability in place.
The IPC will develop a suite of new resources and guidance for both NSW agencies and citizens. This will include new guidelines on the details of the MNDB Scheme including defining eligible data breaches, notification exemptions, and agency guides to comply with the new legislative requirements. Resources will also include information on the steps to take following an eligible breach and how to prepare compliant policies and procedures.
The IPC will also develop e-learning modules so that agencies can undertake training on the changes, produce resources for citizens, such as fact sheets and animations, to help them understand their rights and the processes under the amendments, and update existing agency guidance to align with the changes.
The Privacy Commissioner said, “I am looking forward to working with agencies to assist them in preparing for the MNDB Scheme and enhance their privacy systems and capability.
“A positive outcome from the PPIP Act amendments is that we are now getting state-owned corporations on board and ensuring that NSW agencies are practising responsible privacy governance that is consistent across government.”
Details about the amendments to the PPIP Act can be found on the NSW Parliament website.