The New South Wales government recently announced that the Mandatory Notification of Data Breach Scheme (MNDB) will come into effect on November 28th. This scheme is part of amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act).
The Key Changes Include:
Notification Requirement: Public sector agencies under the Privacy & Personal Information Protection Act (PPIP Act) are now mandated to notify the Privacy Commissioner and affected individuals if a data breach occurs, especially if it involves personal or health information that may lead to serious harm.
Extended Coverage: The PPIP Act now applies to all NSW state-owned corporations not regulated by the Commonwealth Privacy Act 1988, ensuring a more comprehensive cyber security framework.
Unified Approach: Section 117C of the Fines Act 1996 has been repealed to establish a consistent mandatory notification scheme for all NSW public sector agencies.
According to the Information and Privacy Commissioner, agencies are expected to make reasonable efforts to contain a data breach and conduct an assessment within 30 days of its discovery. During the investigation, agencies should take all reasonable steps to minimise damage, which may include temporarily shutting down systems.
As part of the assessment process, organisations must determine whether the breach qualifies as an eligible data breach, or whether there are reasonable grounds to believe it does. If so, the Privacy Commissioner and affected parties must then be notified.
For a data breach to constitute an ‘eligible data breach’ under the MNDB Scheme, two tests must be satisfied:
- There is an unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information, and
- A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.
If you are still unsure whether your breach qualifies as an eligible data breach under the MNDB Scheme, the NSW Government has provided a self-assessment tool to assist with this determination.
What You Need To Do Now
To prepare for this scheme, agencies are encouraged to establish clear roles and responsibilities, potentially forming a data breach response team or hiring specific staff. The creation of a privacy management plan, outlining procedures for compliance with the Mandatory Notification of Data Breach Scheme, is recommended.
Additionally, agencies are advised to maintain an incident register to record breach information, as well as a public notification register. Establishing a comprehensive data breach policy is also suggested. For guides, templates and directions on how to create and implement these measures, please see the Information and Privacy Commission (IPC) website.
Once the MNDB Scheme comes into effect on November 28th, the IPC will report on how the Scheme is operating. Annual summary data will also be included in the Information and Privacy Commission Annual Report.
For more detailed information now, interested parties can visit the IPC website. The introduction of this scheme marks a significant step in enhancing cyber security practices within NSW, ensuring a more transparent and accountable approach to data breaches.
What Happens If You Don't Comply?
Failing to comply with the Mandatory Notification of Data Breach Scheme and in turn the Privacy Regulations can have severe consequences, encompassing hefty fines, penalties, and investigations by regulatory bodies. One such authoritative entity is the Information Commissioner's Office (ICO). In cases where a breach is deemed an eligible data breach, organisations are obligated to promptly notify the Privacy Commissioner and affected individuals. This notification process involves utilising the IPC website's designated form.
The financial repercussions for non-compliance are substantial: the maximum penalty for corporations was recently increased from the previous $2.22 million.
The new penalty is determined as the greater of:
- three times the value of the benefit obtained from the contravention (if assessable by the court), or
- 30% of the body corporate's adjusted turnover during the breach turnover period (if the court cannot determine the benefit's value).
Additionally, the Information Commissioner possesses the authority to issue infringement notices, imposing monetary penalties for the failure or refusal to provide necessary information, answer inquiries, or produce required documents on time. The Commissioner's determinations may mandate specific actions to rectify conduct leading to a breach, potentially requiring the engagement of an independent and qualified adviser at the respondent's expense.
Diamond IT Can Help Strengthen Your Data Security
Diamond IT's Managed IT Services proactively support customers in reducing risk and aligning with best practices. Our Business Technology Consultants are specialists in improving internal cyber security and supporting businesses to ensure robust cyber plans and practices are in place.
- Cyber Risk Discovery
- Managed Endpoint Detection & Response
- Disaster Recovery (DR) Planning
- Policy and Procedure Development and Review
- Cyber and Data Breach Consulting and Forensic Analysis
If you need advice on how to ensure your cyber security strategy is fit for purpose, our team of Cyber Security experts is ready to help. Contact our team on 1300 307 907 today.