Logo of Centium
Contact Us

NSW Mandatory Data Breach Notification Scheme Now In Force

April 11, 2024

In November 2022, new mandatory data breach notification regulations came into effect across NSW, including for local government. This legislative change has important implications for how councils must respond to and report data breaches going forward. The NSW Data Breach Notification Scheme creates prescriptive roles, responsibilities and actions that must be taken in the event of a suspected or confirmed data breach. At the core is the principle of promptly mitigating any potential harm. Heads of councils and other organisations covered by the legislation are now directly responsible for immediately notifying the Privacy Commissioner in the case of an "eligible data breach."

Under the Scheme, any council employee who has reasonable grounds to suspect a breach has occurred must report it to their agency head without delay. From there, heads of the agency or organisation must make every reasonable effort to contain the breach and conduct a thorough investigation within 30 days to determine if it meets the definition of an "eligible data breach." This includes assessing the types of information involved, the risk of harm to affected individuals, and whether remedial action is needed, such as notifying those impacted. Non-compliance can result in penalties, including fines, as well as significant reputational damage.

This stringent regulation underscores the growing emphasis on data security and accountability and urges organisations to fortify their defences against potential breaches. This includes people, process, and technology controls and should extend to streamlining their response processes to uphold data confidentiality and integrity. It is good practice for organisations to test their processes at least annually to ensure that all decision-makers are practised in their roles and aware of the end-to-end process for detecting and notifying suspected or actual data breaches.

Data breaches are not just the result of the failure of technical controls but are commonly the result of human error, such as emailing a file of personally identifiable or health identifiable information to the wrong recipients or losing a mobile phone or computer holding such data.

Click the link below to find out how Centium can keep you informed, help you stay vigilant, and prioritise compliance to safeguard your data and uphold the trust of stakeholders. This advice was prepared by Scott Thomson, Centium’s Director of Cyber &IM, who is a Certified by ISACA as a Data Privacy Solution Engineer (CDPSE).

Read more here https://centium.com.au/news/ppip-amendment-act-2022-mandatory-notification/

Our Clients