The NSW Information and Privacy Commission (IPC) has uncovered that a number of agencies have not complied with the state’s Mandatory Notification of Data Breach Scheme, having failed to publish a data breach policy.
The IPC published the findings of its May “desktop review” this month, unveiling that a number of government entities had not complied with the state’s Mandatory Notification of Data Breach (MNDB) Scheme.
According to the findings, 44 per cent of agencies did not have a data breach policy publicly available on their website.
“Recognising the point in time nature of this review, the level of agencies that did not have a publicly available [data breach policy] or had reviewed their [Privacy Management Plan] addressing the [MNDB] Scheme at the time is of concern and requiring of prompt attention,” said the IPC.
The desktop review analysed 94 entities, and of those, 11 NSW government agencies, 23 councils, three universities and four state-owned corporations had no data breach policy.
“This represents a significant proportion of agencies that, despite the time afforded to prepare for the commencement of the mandatory data breach notification scheme, have not taken the necessary steps to fulfil a core legislative requirement of the scheme – to develop and publish a data breach policy,” wrote the IPC, referring to the 12-month “transition period” that entities were granted, which ended when the MNDB scheme commenced in November 2023.
“[This] demonstrates a lack of appreciation for the importance of preparedness if a data breach was to occur.”
The report follows the IPC’s announcement earlier this month that NSW universities, government agencies, and councils collectively reported 52 data breaches in the seven months ending in June of this year, a figure the IPC said shows more needs to be done to bolster cyber security.
Of those affecting government agencies, roughly four out of five (79 per cent) were the result of human error, while the remaining 20 per cent were the result of threat actors and cyber attacks.
Additionally, roughly one-third of the breaches took one to six months to be reported to the Information and Privacy Commissioner (IPC) NSW. Agencies are required to notify the IPC within 30 days, or to submit a written request for an extension if more than 30 days are needed to assess the breach.
“The overall number of notifications received in the first seven months of the MNDB Scheme was moderate, although the results show early indications of an increase in notifications towards the end of the reporting period,” said the IPC, adding that it expects the number of notifications to rise as the MNDB Scheme matures.
“Investment to uplift ICT security and staff capability are key to improving the safety and security of personal information held by agencies.”