
PPIP Amendment Act 2022 – Mandatory Notification of Data Breach Scheme

April 4, 2023

In late 2022, the NSW Government passed the Privacy and Personal Information Protection (“PPIP”) Amendment Act, which will come into effect on 28 November 2023.

This will have a significant impact on many public sector organisations, especially those in Local Government, State-owned Corporations and higher education that are not already subject to the Commonwealth Privacy Act 1988.

Mandatory Compliance is Important

One of the most significant impacts of the PPIP Amendment Act is the mandatory notification of data breach scheme. To comply with the scheme in practice, your organisation needs to have the following completed or in place:

  • All data classified and labelled;
  • All staff regularly trained in the proper handling of personal information and in the internal procedure for reporting suspected data breaches;
  • Data ownership documented, including the roles and responsibilities of data owners and custodians;
  • Effective data governance in place;
  • Active monitoring of your IT environment for data leaks and breaches;
  • A documented data breach response plan, covering decision-making processes and delegations, how you will notify affected parties, and how you will meet the mandatory breach reporting requirements; and
  • The plan tested annually, with every part of the organisation having the knowledge and ability to carry out its responsibilities under it.

Data Breach Reporting and Mitigation

Under the Act, an employee who becomes aware of reasonable grounds to suspect that a data breach has occurred must report it to the head of the agency or organisation. The head must then immediately make all reasonable efforts to contain the breach and ensure that, within 30 days, an assessment is carried out to determine whether it is an eligible data breach.

Where the assessment finds an eligible data breach, the head of the organisation is responsible for notifying the Privacy Commissioner immediately.

A key principle under the Act is that organisations mitigate the harm caused by a suspected data breach. In practice this includes managing public relations and media interest in the incident, so the response plan should clearly define, and regularly test, the role of the public relations and media unit.

How Centium Can Help

Centium is experienced in helping organisations minimise their risk of non-compliance with the Act by providing tailored assistance and support services through:

  • Health checks on data and information governance and management;
  • Facilitated workshops to develop and document robust policies and procedures;
  • Customised eLearning modules on data privacy and internal reporting;
  • Facilitating testing of your response plans and reporting protocols; and
  • Undertaking investigations where a suspected or actual breach may have occurred.

How to get in touch with Centium

  • Please contact Scott Thomson, Director of Cyber & IT at Centium at: Scott.Thomson@centium.com.au
  • Please provide a short description of the area of concern or risk you need help to minimise. We will work with you and provide tailored assistance and support.
  • Our initial consultation and solution overview will be both cost and obligation-free.
