Data and privacy law has become increasingly relevant for businesses and individuals in the digital age. Among other things, privacy law governs how your private information is handled by the government. Proposed changes to NSW privacy law under the Privacy and Personal Information Protection Act 1988 (NSW) (‘PPIP Act’) seek to introduce a mandatory data breach notification scheme, which has the potential to significantly impact how the NSW government deals with your personal information. This article will outline the proposed changes to the PPIP Act and provide recommendations for compliance with privacy law.
What are the proposed changes to privacy law?
- There are plans to introduce a mandatory obligation for NSW government agencies to report data breaches. Currently, government agencies are only encouraged to report data breaches to the Information and Privacy Commission (‘IPC’) and affected individuals on a voluntary basis.
- A draft amendment to the PPIP Act introducing the mandatory data breach notification obligation is expected to be released in the coming months of 2021.
How do the changes affect how my personal information is handled?
The proposed introduction of the mandatory data breach reporting obligation may require personal information to be disclosed to the IPC and affected individuals. However, any notification obligations must still comply with the Information Protection Principles within the PPIP Act. These include requirements for NSW government agencies to:
- Only collect personal information where it is lawful and necessary
- Only collect personal information directly from the person concerned
- Disclose why they are collecting personal information and how they are using it
- Only store personal information where it is necessary
- Protect personal information from unauthorised use or access
- Allow the person to amend and update their personal information where necessary
Recommendations for businesses to comply with privacy law
The proposed changes to the PPIP Act serve as a good reminder for businesses to ensure they are complying with existing and changing areas of privacy law. Businesses should review their current data handling practices and ensure privacy law compliance. Relevant considerations include:
- How do you collect and use the personal information of your employees? This should only be done with consent and where necessary.
- What practices and processes do you have in place for any potential data breaches?
- Are the data breach reporting processes of your business mandatory or voluntary?
- How are your business contracts structured to include privacy considerations?
- The NSW Government has proposed amendments to privacy law introducing a mandatory requirement for government agencies to report data breaches.
- A draft amendment to the PPIP Act is to be released in the upcoming months.
- Privacy law requires that personal information is only collected, used and stored in limited circumstances.
- Businesses should review their data handling practices to ensure they are complying with existing and changing areas of privacy law.