NSW’s long-awaited cyber mandatory reporting scheme has finally been announced, with organisations that have been affected by a cyber breach required to notify those impacted.
The new Mandatory Notification of Data Breach Scheme, which will become effective on 28 November this year, comes as part of amendments to the Privacy and Personal Information Protection Act 1998 (the PPIP Act).
“The amendments impact the responsibilities of agencies under the PPIP Act and require agencies to provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act,” said a release by the Information and Privacy Commission.
“The changes to the PPIP Act include:
The Information and Privacy Commissioner has said that agencies under the scheme are obliged to make all efforts within reason to contain a data breach and to undertake an assessment within 30 days of discovering the breach.
Additionally, during the investigation, agencies must make “all reasonable attempts” to reduce the damage of the breach, which could include shutting down parts of their systems to prevent additional access or damage.
As part of the assessment, the organisation must evaluate whether a breach “is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach”.
Finally, the Privacy Commissioner and those affected by the breach must be informed.
The commission also recommends that, in preparation for the scheme, agencies establish roles and responsibilities for managing breaches, which could involve creating a data breach response team or hiring additional staff for specific roles.
It also said organisations should establish a privacy management plan, which is defined under a new section of the PPIP Act as including “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the Mandatory Notification of Data Breach Scheme”.
Additionally, it said that agencies would be required to establish an incident register to record information regarding a breach, as well as a public notification register. Agencies are also recommended to establish a data breach policy.
For more information, head to the Information and Privacy Commission website.