The NSW government will be required to notify anyone affected by a cyberattack or data breach of its records, under planned changes to state privacy laws being introduced later in 2021.
For the first time in any Australian state or territory, it will be compulsory for NSW government departments, state owned corporations and local councils to notify people if their records have been compromised. The NSW legislation will be based on the federal government’s notifiable data breaches scheme, which was introduced in 2018.
Amendments aim to protect privacy of NSW citizens
In a media release published in May 2021, Have your say on NSW privacy laws, NSW Attorney General Mark Speakman stated that under the draft Privacy and Personal Information Protection Amendment Bill 2021, all public sector agencies will have to notify the Privacy Commissioner, and anyone affected, when a data breach involving personal information is likely to result in serious harm.
“The protection of people’s privacy is crucial to public confidence in NSW government services,” Mr Speakman said.
“If passed, this Bill will introduce a scheme that will ensure greater openness and accountability in relation to the handling of personal information held by NSW public sector agencies.”
Massive data breaches in NSW government agencies prompt changes in law
The government’s move follows a substantial data breach of Service NSW in April 2020, when 3.8 million documents, amounting to 736 gigabytes of data, were stolen by unknown cyber attackers. The personal information of 186,000 customers was compromised.
It took the government six months to start notifying affected individuals. After eleven months, twenty thousand victims still had not been told.
Data breach of government records is a growing problem, with information from more than 50,000 NSW driver’s licences being leaked in August 2020.
It is possible under the law for people who suffer loss or damage due to a data breach to receive up to $40,000 compensation. You can find more information on compensation on the NSW Information and Privacy Commission website.
Privacy Commissioner Samantha Gavel revealed in a parliamentary enquiry in early 2021 that there were 79 voluntary notifications of data breaches of NSW government-held records in 2020, up 23 per cent on 2019. (See Privacy commissioner questioned over data breach notification scheme, Government News, February 2021.)
Will the NSW data breach notification scheme produce the intended result?
The Bill will add to the existing privacy protection laws contained in the NSW Privacy and Personal Information Protection Act 1998.
But the degree of privacy protection for the public will depend on the fine print of the final legislation.
Governments often promise that people will be better off under new laws designed to safeguard privacy, enhance individual rights or provide more freedom of speech. Instead it turns into legislation that either contains enough loopholes to have the reverse effect, or it protects the government, rather than the people.
Data breaches leading to identity theft also increasing
Identity theft is increasing as more and more personal records are kept online. Armed with confidential information from hacking government records, criminals can assume a person’s identity and steal from their bank accounts or other assets. (Please see Australian victim of identity theft receives US$1.2 million damages bill from US court.)
According to a report released by the Australian Institute of Criminology (AIC), Identity crime and misuse in Australia 2019, the annual economic impact of identity crime exceeds $2 billion. A survey by the AIC found that one in four Australians has been a victim of identity crime at some point in their lives, with an average loss of more than $3,000.
Identity theft enables many other major crimes
The Department of Home Affairs says identity theft also provides a foundation for many other forms of serious crime. Fraudulent identities may be used for money laundering, tax evasion, dealing in stolen motor vehicles, or to protect the true identities of organised crime members.
Organised crime groups may also sell stolen identity information to other criminal networks. Once a person has their identity stolen, they can be targeted time and again by online criminals. You can find more information on identity theft on the Australian Cyber Security Centre website.
If you are concerned about the security of your data that is held by a government department, or you have had your identity stolen, it’s wise to seek specialist legal advice.
For more information, please see our 2023 articles Companies warned of need for market disclosure following cyber attack and Cybersecurity warning for businesses in court decision.