24 May NSW Regional Authorities must have a Publicly Accessible Data Breach Policy
Mandatory data breach reporting: Are you affected?
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 establishes a mandatory data breach notification scheme in Australia. Whilst mandatory reporting has existed in Europe for over 10 years, NSW is set to become the first Australian state or territory to introduce a mandatory data breach notification scheme, following a serious cyber incident in 2019.
NSW public sector entities would be required to report data breaches to the Privacy Commissioner and affected individuals when a data breach involving personal or health information is “likely to result in serious harm” under proposed laws.
A serious data breach occurs when there is “unauthorised access to or unauthorised disclosure of personal information”. If an employee loses a USB thumb drive containing personal information, that loss will need to be reported in NSW. Whilst this is in line with Payment Card Industry (PCI) Compliance, personal information can also include photos, contact details, fingerprints, health information about an individual’s physical or mental health, disability, or any other information related to the provision of health services.
More security responsibility and the challenge
The Privacy and Personal Information Protection Amendment Bill intends to fill the gap left by the Commonwealth’s Notifiable Data Breach Scheme, which applies to federal government agencies and not state government agencies or local councils.
The scheme also requires NSW Government agencies to satisfy more data management requirements. These include maintaining an internal data breach incident register and developing a publicly accessible data breach policy.
Framework to develop the Data Breach Policy
Creating a Data Breach Policy and response toolkit, performing internal assessments and reviews, and ensuring you are achieving PCI Compliance are all part of adhering to the framework that lies ahead.
If you suspect a breach has occurred, your organisation must conduct an assessment within 30 days to determine whether it meets the threshold for notifying affected individuals and the Privacy Commissioner.
Strategic Directions has assisted regional authorities to develop breach compliance frameworks, and we can help you introduce a plan to manage the new changes and the reporting risks that lie ahead.