Mandatory Reporting in QLD and NSW: Transforming Data Breach Response Strategies
Queensland and New South Wales have recently introduced new mandatory data breach notification schemes to strengthen privacy requirements and personal data security safeguards.
These schemes mirror the existing federal-level data breach notification laws and bring about a transformative shift in how public sector entities, including local governments, respond to and report data breaches.
In this article, we dig deeper into these changes, providing practical insights for agencies subject to the new mandatory data breach notification laws. Our goal is to help agencies plan and adapt, ensuring a proactive and robust approach to safeguarding sensitive information and reporting breaches as quickly as possible to limit further damage and stay compliant.
Queensland Mandatory Data Breach Notification Scheme
Overview of the Scheme
The Information Privacy and Other Legislation Amendment Act 2023 marks a pivotal shift in the state’s commitment to cybersecurity by introducing a mandatory data breach notification scheme for state and local government agencies.
The catalyst for this legislative shift emerged from a notable absence within Queensland’s Information Privacy Act 2009 (Qld) (IP Act), which previously failed to impose a mandatory obligation on government agencies to report data breaches. The gap in the regulatory framework became increasingly conspicuous against the backdrop of several high-profile data breaches in recent years, prompting a concerted effort to fortify data security measures across the state.
This new legislation, which comes into effect in mid-2025 for state government agencies and mid-2026 for local governments, puts a comprehensive data breach reporting framework into place. One of the key provisions requires government agencies to assess suspected eligible data breaches within a strict 30-day timeframe. This time-bound evaluation is designed to ensure a swift response to potential breaches, minimising the risk of compromising sensitive information.
Further, for transparency and accountability purposes, the legislation requires government agencies to promptly notify affected individuals and the Office of the Information Commissioner in the event of a data breach. This not only empowers individuals to take necessary precautions, but also facilitates a coordinated response to mitigate the impact of the breach.
To ensure robust record-keeping and accountability, the legislation also mandates the maintenance of a data breach register that serves as a comprehensive repository of all reported data breaches, aiding regulatory oversight and enabling agencies to track and analyse patterns for continuous improvement of their cybersecurity measures.
As part of its commitment to transparency, the Queensland government will also be required to publish an external data breach policy, which outlines the procedures and protocols that government agencies must adhere to in the event of a data breach. The policy is also intended to foster a culture of proactive disclosure and adherence to best practices in data protection.
The mandatory data breach notification scheme responds to recommendations outlined in several key reports. It positions Queensland as a proactive data security and privacy player, standing alongside New South Wales as the second Australian state to legislate such a comprehensive scheme.
With these new requirements in place, Queensland is taking a significant stride towards fortifying its data breach response strategies and safeguarding the digital well-being of its people and organisations.
What are the implications for Queensland government agencies?
Government agencies within the state now bear crucial responsibilities to ensure the security and privacy of sensitive information. Under this scheme, agencies are mandated to:
- Keep a Register of Eligible Data Breaches: Maintain a comprehensive record of all eligible data breaches to support transparency and accountability.
- Contain Data Breaches: Take swift and reasonable steps to contain any data breach to limit potential damage.
- Carry Out Eligible Data Breach Assessments: Where it is unclear whether a data breach is eligible, conduct a thorough assessment within 30 days. If more time is required, the agency must seek an extension from the Information Commissioner.
- Swiftly Report to the Information Commissioner and Data Subjects: Notify the Information Commissioner and affected data subjects in the event of an eligible data breach, promoting effective communication.
- Add a Public Disclosure on the Agency’s Website: In instances where direct communication with data subjects is impractical, agencies must publish a data breach notice on their accessible website for a minimum of 12 months.
Preparing for the Queensland Scheme
From our point of view, the introduction of Queensland’s mandatory data breach reporting scheme serves as a catalyst for government agencies to fortify their data protection measures. Proactive measures are vital to meet the upcoming standards, and should include:
- Defining Roles and Responsibilities: Establish specific roles and responsibilities within the organisation to ensure a coordinated and efficient response to data breaches.
- Maintaining an Eligible Data Breach Register: Develop and maintain a register that catalogues all eligible data breaches.
- Formulating a Data Breach Policy: Draft and publish a comprehensive data breach policy outlining the agency’s response strategy, detailing steps to be taken in the event of a breach.
- Reviewing Contracts with Third-Party Suppliers: Ensure that contracts with external suppliers include provisions requiring adherence to the necessary data protection standards, reinforcing the security of information shared with them.
- Updating Privacy Policies: Revise and update existing privacy policies to align with the new reporting scheme and demonstrate the agency’s commitment to safeguarding the privacy of individuals.
NSW Mandatory Data Breach Notification Scheme
Overview of the Scheme
In 2022, the Privacy and Personal Information Protection Act 1998 (NSW) underwent crucial amendments, paving the way for the New South Wales Mandatory Notification of Data Breach (MNDB) Scheme (the MNDB Scheme). It aims to enhance cybersecurity practices within the state, bringing state-owned corporations under mandatory notification obligations and filling the jurisdictional gap left by the federal Privacy Act 1988 (Cth) (the Privacy Act).
To ensure a seamless transition, a one-year grace period was granted before the legislation took full effect, enabling organisations to modify their practices in accordance with the new regulatory requirements.
The primary driver behind these amendments was to fortify the existing legal framework and address the growing concerns surrounding data breaches and privacy lapses. It empowers the state to regulate and enforce mandatory reporting requirements on entities previously exempted at the federal level.
The MNDB Scheme places explicit obligations on organisations falling within its scope. One of the main responsibilities is to promptly notify the Privacy Commissioner in the event of a data breach, ensuring that regulatory authorities are able to assess the incident’s severity.
Furthermore, under the MNDB Scheme, organisations are obligated to inform affected individuals of the breach. This establishes accountability among data controllers and processors and ensures that those impacted are promptly made aware of potential risks, allowing them to take proactive measures to safeguard their personal information.
The scheme also highlights the importance of containing breaches and requires organisations to take immediate and effective measures to mitigate the impact of any breach. The goal behind this is to reduce the severity of data breaches.
In addition to reporting and containing breaches, the MNDB Scheme sets guidelines for assessing breaches within a pre-specified 30-day timeframe, providing ample time to understand the scope, nature, and implications of the breach.
What are the implications for NSW government agencies?
The MNDB Scheme places a significant burden on public sector entities, necessitating their active involvement in various stages of data breach response.
First and foremost, under the MNDB Scheme, government agencies in NSW are obligated to initiate immediate and comprehensive efforts to contain any data breach that comes to their attention. The emphasis here is on the expeditious containment of the breach to prevent further escalation and potential harm.
Within a strict timeframe of 30 days from the identification of a potential breach, agencies are further required to conduct a thorough assessment if there are reasonable grounds to suspect the occurrence of an eligible data breach. This evaluation process is crucial in determining the severity and scope of the breach, enabling agencies to make informed decisions regarding the subsequent steps in the response strategy.
Throughout the assessment period, agencies are directed to deploy all reasonable measures to mitigate the harm caused by the suspected breach. This ensures proper actions can be taken to minimise the adverse effects of the breaches.
Following the assessment, agencies must make a crucial determination: whether the identified breach qualifies as an eligible data breach, or whether there are reasonable grounds to believe it meets the criteria set by the scheme.
Upon confirming an eligible data breach, government agencies are then obligated to notify both the Privacy Commissioner and the affected individuals.
In addition to these specific requirements, government agencies in NSW must also adhere to other data management obligations stipulated by the MNDB Scheme. These encompass a broader spectrum of practices and protocols aimed at enhancing overall data security and privacy, reinforcing the comprehensive nature of the scheme.
Preparing for the New South Wales Scheme
Preparing for compliance with the MNDB Scheme is a critical undertaking for government agencies, necessitating the establishment and refinement of various protocols to align with the specified standards.
To effectively adhere to the requirements outlined in the MNDB Scheme, agencies must proactively institute crucial elements such as the Data Breach Policy (DBP), incident register, privacy management plan, public notification register, and Data Breach Response Plan (DBRP), if not already in place. Regular reviews and updates are vital for existing policies and incident response plans to ensure continuous compliance with the evolving regulatory landscape.
Government agencies operating within the purview of the scheme are obligated to inform data subjects in the event of an eligible data breach. However, the scheme provides a number of exemptions, including where notifying the affected individuals could exacerbate cybersecurity risks. Agencies are exempt from notifying affected individuals under the following circumstances:
- Involvement of Multiple Public Sector Agencies: If the breach involves more than one public sector agency, and another agency involved in the same breach has already notified the affected individuals.
- Possible Bias in Investigations or Legal Proceedings: When the notification is likely to prejudice ongoing investigations or legal proceedings related to the breach.
- Successful Containment of the Breach: If the agency successfully contains the breach, limiting the likelihood of serious harm and adverse consequences.
- Overriding Secrecy Provisions in Other Laws: Instances where other laws possess secrecy provisions that either prohibit or regulate the use or disclosure of pertinent information.
- Significant Risk to Health or Safety: Notification poses a severe risk of harm to an individual’s health or safety, thereby justifying the exemption.
- Cybersecurity Concerns: Notification would worsen the agency’s cybersecurity posture or potentially lead to further data breaches.
Despite these exemptions, agencies are still duty-bound to notify the Privacy Commissioner when relying on any of the circumstances above, while concurrently taking the necessary steps to respond to the incident.
Broader Implications and Future Changes
The introduction of more comprehensive mandatory data breach notification schemes in Australia marks a pivotal moment for cybersecurity and privacy nationwide. These changes have far-reaching implications, not only for government agencies but for all entities entrusted with handling sensitive data. As the Commonwealth implements stringent requirements, the focus is on making organisations more responsible and accountable for safeguarding individuals’ data. Further, the shift towards prioritising the privacy of Australians emphasises a growing recognition of the need for robust protection measures.
The incorporation of the Notifiable Data Breaches (NDB) scheme into the Privacy Act was a significant step, acknowledging the necessity of modernising privacy laws and addressing emerging challenges, as well as aligning Australia’s regulatory framework with international standards.
It’s also worth noting that the reforms outlined under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (the Amendment Bill) introduce three key adjustments to the Privacy Act.
Firstly, there is a substantial increase in penalties for organisations doing business in Australia, encompassing social media and online platforms operating in Australia. The previous maximum fine of $2.1 million for serious or repeated breaches has increased for corporations to $50 million, three times the value of any benefit derived from information misuse, or 30% of a company’s annual domestic turnover—whichever is greater. Individuals, too, now face heightened penalties, with fines potentially reaching up to $2.5 million.
Secondly, the Amendment Bill fortifies the enforcement powers of the Office of the Australian Information Commissioner (OAIC), ensuring stricter oversight and regulatory action that discourages non-compliance.
Thirdly, enhanced information-sharing arrangements between the OAIC and the Australian Communications and Media Authority (ACMA) have been introduced, to develop a proactive and coordinated response to emerging privacy and cybersecurity challenges.
Based on these substantial implications, we advise agencies to take a proactive stance to familiarise themselves with the evolving regulatory requirements and prepare for the implementation of the new legislation.
The new mandatory reporting schemes in QLD and NSW underline the need for preparedness to avoid hefty fines and penalties.
Even those complying with the Privacy Act must stay ahead to mitigate fallout from data breaches. As the new reporting schemes require a substantial shift in response strategies, vigilance is key.
Government agencies and corporations must swiftly adapt to changing regulations. Cybersecurity consultancies, like RightSec, are crucial partners. RightSec offers the expertise and tools you need to prepare for breach mitigation and reporting.
Changes to the Privacy Act have significant implications for your organisation, which is why staying informed is crucial, and RightSec is here to help you navigate this transition!
Your data security and business resilience are our top priorities, but we understand that a one-size-fits-all approach to cybersecurity is far from ideal. That’s why we tailor our services to your specific business needs and security requirements, making it easier for you to comply with the new legislation without wasting resources.
Book a consultation now to learn more about our tailored services and bolster your preparedness for the new schemes.

Tunde Ogunyale - Co-Author
CYBER SECURITY ADVISOR

Tahlia Castles - Co-Author
CYBER SECURITY ADVISOR