The New South Wales Government has passed the Privacy and Personal Information Protection Amendment Act 2022, which is set to come into effect on December 28th, 2023. The new legislation brings significant reforms to public sector privacy laws and applies to state-based public sector agencies and state-owned corporations (SOCs) in New South Wales. Agencies and SOCs have a 12-month transition period to understand their new obligations and build new processes to comply.
The Privacy and Personal Information Protection Act 1988 (NSW) (PPIP Act) dictates how state-based public agencies in NSW manage personal information. The PPIP Amendment Act makes notable changes to the PPIP Act, including extending the PPIP Act’s application to state-owned corporations, introducing a mandatory data breach notification scheme, expanding the Information and Privacy Commissioner’s powers, and introducing a requirement to publish data breach policies.
The amendments will extend the PPIP Act to cover state-owned entities such as Sydney Water, Water NSW, Essential Energy, and Port Authority NSW. The rationale behind this reform is to ensure consistency in how personal information is treated across the public sector, and that the privacy obligations of state-owned corporations and public sector agencies are the same.
One of the key amendments to the PPIP Act is the introduction of a new Mandatory Notification of Data Breaches (MNDB) scheme for public sector agencies. The scheme aligns existing privacy laws for New South Wales public sector agencies and state-owned corporations with the existing Commonwealth Notifiable Data Breach scheme. The MNDB scheme requires agencies to notify both the Commissioner and affected individuals if a data breach is likely to cause serious harm to an individual.
Under the MNDB scheme, an eligible data breach occurs where there is unauthorized access to, or disclosure of, personal information, or where personal information is compromised, and that breach or compromise is likely to cause serious harm to an individual.
To assess the severity of a data breach, the PPIP Amendment Act provides that the agency should consider factors such as the sensitivity of the personal information, whether cybersecurity or encryption methods will protect the information, the likelihood of malicious intent, and the nature of harm that could occur.
Overall, the recent amendments to the PPIP Act aim to strengthen the privacy protections of citizens in NSW by updating the existing legislation and making new provisions for state-owned corporations. It is important for public sector agencies and SOCs to take the necessary steps to comply with the new laws and ensure the privacy and security of personal information.