NSWCCL made a submission to the NSW Department of Communities and Justice Inquiry into the Privacy and Personal Information Protection Amendment Bill 2021.

This Bill

1. proposes the creation of a mandatory notification of data breach scheme
2. would extend the Act to include NSW State-Owned Corporations that are not already regulated by the Privacy Act 1988 (Cth)

These are welcome and necessary changes. However, NSWCCL does not consider that the Bill, as currently drafted, achieves the primary purposes of notification (giving consumers control over the use and sharing of their data and increasing accountability).

1. It is possible that an eligible data breach may not be reported to an affected individual or the Privacy Commissioner for at least 30 days. 2 Such a time frame looks to be protecting the interests of public sector agencies at the expense of the individuals whose information is collected and used.
2. The Bill provides that a data breach is “eligible” to be reported if it is “likely to cause serious harm to the individual whose information is breached”.

Our recommendations included opposition to the “likely to cause serious harm”, preferring a lower threshold, and a recommendation of a timeframe of no more than 10 days.

More information: read our full submission