Mandatory data breach notification

The Department of Communities and Justice and the Department of Customer Service are determining whether a mandatory reporting scheme for data breaches should be adopted under the Privacy and Personal Information Protection Act 1998. The Department of Communities and Justice published a discussion paper in July 2019 and invited submissions from the public.

What’s this about?

The Privacy and Personal Information Protection Act 1998 governs how NSW public sector agencies manage personal information. 

The Department of Communities and Justice is seeking feedback on:

• Whether a mandatory reporting scheme for data breaches by NSW public sector agencies should be implemented in NSW
  
• If a mandatory reporting scheme is implemented in NSW, how the scheme should operate.
  

The Mandatory Notification of Data Breaches by NSW Public Sector Agencies Discussion Paper (DOC, 367.5 KB) includes specific questions for consideration.

Submissions

Submissions closed on 23 August 2019. We received 23 submissions in response to our Discussion paper.

• Submission 1 Private submission [PDF, 55kb] (PDF, 55.3 KB)
  
• Submission 2 Private Submission - not available to public
  
• Submission 3 Private Submission [PDF, 50kb] (PDF, 50.7 KB)
  
• Submission 4 Private Submission - not available to public
  
• Submission 5 Private Submission - not available to public
  
• Submission 6 Private submission [PDF,48kb] (PDF, 48.1 KB)
  
• Submission 7 New South Wales Council for Civil Liberties [PDF, 159kb] (PDF, 159.0 KB)
  
• Submission 8 Information and Privacy Commission NSW [PDF, 3654kb] (PDF, 3.6 MB)
  
• Submission 9 Youngman Consultancy [PDF, 26kb] (PDF, 26.2 KB)
  
• Submission 10 The Australasian College of Dermatologists [PDF, 335kb] (PDF, 335.7 KB)
  
• Submission 11 yourtown [PDF, 1485kb] (PDF, 1.5 MB)
  
• Submission 12 Deloitte [PDF, 163kb] (PDF, 163.9 KB)
  
• Submission 13 Cessnock City Council [PDF, 201kb] (PDF, 201.3 KB)
  
• Submission 14 Inner West Council [PDF, 81kb] (PDF, 81.1 KB)
  
• Submission 15 University of New South Wales, The Allens Hub for Technology, Law and Innovation [PDF, 422kb] (PDF, 422.0 KB)
  
• Submission 16 City of Sydney Council [PDF, 1393kb] (PDF, 1.4 MB)
  
• Submission 17 Law Society of NSW [PDF, 4122kb] (PDF, 4.0 MB)
  
• Submission 18 Independent Commission Against Corruption NSW [PDF, 534kb] (PDF, 534.6 KB)
  
• Submission 19 Transport for NSW [PDF, 110kb] (PDF, 110.2 KB)
  
• Submission 20 Department of Customer Service [PDF, 97kb] (PDF, 97.7 KB)
  
• Submission 21 Sydney Water [PDF, 113kb] (PDF, 113.6 KB)
  
• Submission 22 Consultative Committee of the NSW Right to Information and Privacy Practitioners Network [PDF, 35kb] (PDF, 35.5 KB)
  
• Submission 23 Icare [PDF, 334kb] (PDF, 34.4 KB)
  

Outcome

The Privacy and Personal Information Protection Amendment Bill 2022 amends the Privacy and Personal Information Protection Act 1998 and to establish the mandatory notification of data breach (MNDB) scheme and related reforms. The MNDB scheme came into effect in November 2023.