
44% of NSW government entities failed to comply with state data breach notification policy

The NSW Information and Privacy Commission (IPC) has uncovered that a number of agencies have not complied with the state’s Mandatory Notification of Data Breach Scheme, having failed to publish a data breach policy.

Daniel Croft
Wed, 30 Oct 2024

The IPC published the findings of its May “desktop review” this month, unveiling that a number of government entities had not complied with the state’s Mandatory Notification of Data Breach (MNDB) Scheme.

According to the findings, 44 per cent of agencies did not have a data breach policy publicly available on their website.

“Recognising the point in time nature of this review, the level of agencies that did not have a publicly available [data breach policy] or had reviewed their [Privacy Management Plan] addressing the [MNDB] Scheme at the time is of concern and requiring of prompt attention,” said the IPC.


The desktop review analysed 94 entities, and of those, 11 NSW government agencies, 23 councils, three universities and four state-owned corporations had no data breach policy.

“This represents a significant proportion of agencies that, despite the time afforded to prepare for the commencement of the mandatory data breach notification scheme, have not taken the necessary steps to fulfil a core legislative requirement of the scheme – to develop and publish a data breach policy,” wrote the IPC, referring to the 12-month “transition period” that entities were awarded, which ended when the MNDB scheme launched in November 2023.

“[This] demonstrates a lack of appreciation for the importance of preparedness if a data breach was to occur.”

The report comes after the IPC reported earlier this month that NSW universities, government agencies, and councils collectively reported 52 data breaches in the seven months ending in June of this year, suggesting that more needs to be done to bolster cyber security.

Of those affecting government agencies, roughly four out of five (79 per cent) were the result of human error, while the remaining 20 per cent were the result of threat actors and cyber attacks.

Additionally, roughly one-third took one to six months to inform the Information and Privacy Commissioner (IPC) NSW. Agencies are required to notify the IPC within 30 days, or submit a written extension if more than 30 days are needed to assess the breach.

“The overall number of notifications received in the first seven months of the MNDB Scheme was moderate, although the results show early indications of an increase in notifications towards the end of the reporting period,” said the IPC, adding that as the MNDB scheme matures, it expects the number of notifications to reflect that.

“Investment to uplift ICT security and staff capability are key to improving the safety and security of personal information held by agencies.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
