Both houses of NSW parliament have passed mandatory data breach notification rules that will apply to state agencies and departments, statutory authorities, local councils and some universities.
The Privacy and Personal Information Protection Amendment Bill passed the upper house on Wednesday, having cleared the lower house the previous day.
The bill is now marked as “awaiting assent”. It is due to come into force a year after assent.
The leader of the opposition in the Legislative Council, Penny Sharpe, said state Labor “has been asking for these changes for quite some time.”
“We are pleased that the government has finally brought a proposal before the House to deal with this serious issue, and I indicate at the outset that we do not oppose the bill,” she said.
“NSW public sector agencies hold substantial sensitive information about the people of NSW, including personal, health and financial information.
“It is currently not mandatory for NSW public sector agencies to report data breaches of personal and health information under the Privacy and Personal Information Protection Act. I have to say, I am completely shocked by that.”
Greens MP Abigail Boyd called the changes “long overdue.”
“The bill does not do anything to keep our information safer from theft. It merely imposes a mandatory obligation on State‑owned corporations and public sector agencies to disclose to people impacted by a breach of data held by that corporation or agency,” she said.
“Frankly, it is astonishing that the obligation does not already exist and that it requires legislating at all.”
Boyd added: “The issue of digital rights and privacy - of regulation and responsible use of technology - is only going to become more urgent.
“This bill is a small but positive step in the right direction, and The Greens support it.”
