Providing Data Breach Notification Protections Against State Governments (Submission on the Privacy and Personal Information Protection Amendment Bill 2021 (NSW))

Australian citizens living in the State of New South Wales do not have the protections of mandatory data breach notification (MDBN) requirements in relation to data breaches by New South Wales (NSW) government agencies, or by organisations/contractors who provide services on behalf of the NSW Government, and who may not be covered by the DBN requirements of the Privacy Act 1988 (Cth). The Draft Privacy and Personal Information Protection Amendment Bill 2021 (PPIP Act), is a welcome innovation. This submission focuses upon those areas of the Bill requiring amendment. We find that the draft Bill, while in theory an important advance for citizens of NSW, delivers a far more limited and defective set of reforms than is necessary or desirable. Its main deficiencies are as follows: • Its scope is too limited because it does not apply to outsourced service providers to NSW government agencies. • It does not make clear that disclosures of information purportedly authorised by superior officers, but not consistent with PPIP Act requirements, may be data breaches. • It does not close a loophole in NSW privacy law where disclosures by employees outside the scope of their employment fall outside the PPIP Act’s requirements, so agencies are not liable. • The standard of liability for data breaches, ‘likely to result in serious harm’, is too narrow and too high. • People outside an agency need to be able to trigger an investigation of a data breach. • Both assessors of data breaches, and those carrying out internal reviews under the PPIP Act, should be able to come from outside the agency. • The Privacy Commissioner should have the final say on whether affected individuals are informed of data breaches, not the agency concerned. • The Commissioner should also have the final say on whether exemptions from requirements to notify individuals are applicable. • Assessments to establish ‘eligible data breaches’ should be referred to an agency’s internal Audit and Risk Committee, and established ‘eligible data breaches’ reported in the agency’s Annual Report. • A failure to give a data breach notification should result in a right for affected individuals to seek compensation for breach of PPIP Act. To make this right meaningful, there should be provision for statutory damages of $3,000 payable without need to prove actual damage, if a person’s personal information is included in an eligible data breach. Specific recommendations for amendments tot he Bill are made on all these points, and aTable of all recommendations made is at the end of this submission.