25 October 2023
Holding Redlich
From 28 November 2023, amendments to the
Privacy and Personal Information Protection Act 1998 (NSW)
(PPIPA) will take effect, introducing mandatory data
breach notification obligations. These PPIPA reforms introduce a
Mandatory Data Breach Notification Scheme (MDBN
scheme) which will apply to all NSW public sector agencies
(agencies), including NSW agencies and
departments, statutory authorities, local councils, state-owned
corporations, Ministers’ offices and some universities.
Under the MDBN scheme, agencies are obligated
to notify the Privacy Commissioner and affected individuals of
eligible data breaches. An eligible data breach is an unauthorised
access, disclosure or loss of an individual’s personal
information which is likely to result in serious harm to the
affected individual.
If an agency discovers a data breach, the MDBN scheme requires
that agency to:
- immediately take all reasonable efforts to contain the breach
- assess the suspected breach within 30 days to determine if
there are reasonable grounds to believe that an eligible data
breach has occurred
- take all reasonable steps to mitigate the harm done by the
suspected breach
- if on assessment an eligible data breach has occurred, the
agency must:
  - notify the NSW Privacy Commissioner and each affected
  individual
  - issue a public notification on the agency’s website where
  notifying each affected individual is not practicable.
What does your organisation need to do?
If you have not already begun preparing for the commencement of
the MDBN scheme, there is still time for your agency to familiarise
itself with its compliance obligations and implement changes to
your data breach management practices.
The reforms require agencies to develop and publish on their
website a Data Breach Policy (DBP). Agencies are
also obligated to maintain and publish on their website a public
notification register for any data breach notifications they have
issued and keep an internal data breach incident register for their
own records.
A Data Breach Response Plan is a framework that sets out the
roles and responsibilities of an agency involved in managing a data
breach. Implementing or updating your agency’s Data Breach
Response Plan will help ensure that your agency can effectively
assess, manage and appropriately respond to data breaches.
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader’s
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named
individuals listed.
Source: http://www.mondaq.com/Article/1381184