The NSW Government is proposing to force state-owned entities to report data breaches under a new bill, which could make it the first state or territory to enforce mandatory disclosures.
The state government has tabled its own data notification bill, the Privacy and Personal Information Protection Amendment Bill.
If passed, the proposal would ensure public bodies inform the Privacy Commissioner and affected individuals of data breaches of personal or health information that are likely to result in serious harm.
This would apply the PPIP Act to all state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988.
The state’s Privacy Commissioner would be granted additional regulatory powers, including the power of entry to monitor compliance.
Under the proposal, which is due to go to consultation, the head of a public sector agency must establish and maintain an internal register for “eligible” data breaches and inform identified individuals affected by a breach “as soon as practicable”.
The changes would also apply NSW privacy laws to all state-owned corporations that are not regulated by the Commonwealth Privacy Act.
Respondents to the consultation have until 18 June.
“The protection of people’s privacy is crucial to public confidence in NSW Government services. I encourage anyone with an interest in this area to make a submission,” said Attorney General Mark Speakman.
“If passed, this bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies.”