Proposed changes to NSW privacy laws

The Privacy and Personal Information Protection Amendment Bill 2021 aims to strengthen privacy protection in NSW. The draft exposure bill proposes to:

establish a mandatory notification of data breach (MNDB) scheme to require public sector agencies bound by Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) to notify the Privacy Commissioner and affected individuals of data breaches of personal or health information, which are likely to result in serious harm, and
applies the PPIP Act to all state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988.

MNDB scheme

The MNDB scheme will require public sector agencies to notify the IPC and affected individuals if a data breach affecting personal or health information that is likely to result in serious harm occurs.

The MNDB scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible privacy and data management policy.

Under the PPIP Act, the Privacy Commissioner already has regulatory powers and functions, which can be used in relation to the MNDB scheme. These include the power to investigate and make recommendations, and the ability to publish or furnish reports to the Minister responsible for the agency. The MNDB scheme will also confer on the Privacy Commissioner additional regulatory powers in relation to the MNDB scheme, including the power of entry.

The MNDB borrows many aspects of the Commonwealth Notifiable Data Breach scheme. This is proposed to reduce interjurisdictional inconsistencies, especially given that NSW public sector entities already must comply with the Commonwealth scheme in relation to breaches of tax file numbers.

View the bill and factsheet.

Have your say

Submissions

Submissions on the Privacy and Personal Information Protection Amendment Bill 2021 closed on 18 June 2021. We received 32 submissions and have permission to publish the following 24 submissions:

Submission 1 - Information and Privacy Commissioner [PDF, 748kb]
Submission 2 - The Allens Hub for Technology, Law and Innovation [PDF, 225kb]
Submission 3 - Australian Society for Computers and Law [PDF, 356kb]
Submission 4 - Private Submission [PDF, 234kb]
Submission 5 - The Department of Regional NSW [PDF, 498kb]
Submission 6 - NSW Rural Fire Service [PDF, 202kb]
Submission 7 - Sydney Water [PDF, 142kb]
Submission 8 - Office of the Victorian Information Commissioner [PDF, 196kb]
Submission 9 - University of Technology Sydney [PDF, 290kb]
Submission 10 - Hunter Water [PDF, 305kb]
Submission 11 - The Law Society of NSW [PDF, 334kb]
Submission 12 - NSW Agency for Clinical Innovation [PDF, 213kb]
Submission 13 - The Australasian College of Dermatologists [PDF, 491kb]
Submission 14 - NSW Council for Civil Liberties [PDF, 262kb]
Submission 15 - Office of the Information Commissioner QLD [PDF, 317kb]
Submission 16 - Partnership Directorate [PDF, 236kb]
Submission 17 - Consultative Committee of the Privacy and NSW Right to Know Practitioners Network [PDF, 124kb]
Submission 18 – Deloitte [PDF, 1079kb]
Submission 19 - Salinger Privacy [PDF, 260kb]
Submission 20 - Private Submission [PDF, 178kb]
Submission 21 - Department of Planning, Industry and Environment [PDF, 193kb]
Submission 22 - The Law Society of NSW Young Lawyers (Communications, Entertainment and Technology Law Committee) [PDF, 1822kb]
Submission 23 - Icare [PDF, 142kb]
Submission 24 - Northern Sydney Local Health District [PDF, 1317kb]

Outcome

The Privacy and Personal Information Protection Amendment Bill 2022 amends the Privacy and Personal Information Protection Act 1998 and to establish the mandatory notification of data breach (MNDB) scheme and related reforms. The MNDB scheme came into effect in November 2023.

Last updated:

08 Aug 2024

Proposed changes to NSW privacy laws

MNDB scheme

Have your say

Submissions

Last updated:

Follow us