What the NSW public sector can learn from the first Mandatory Notification of Data Breach Scheme Trends Report
Being prepared for a data breach requires public sector agencies to take relevant proactive steps.
In late November 2023, the NSW Mandatory Notification of Data Breach (MNDB) Scheme under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) commenced. On 1 October 2024, the NSW Information and Privacy Commission (IPC) published on its website the first Mandatory Notification of Data Breach Trends Report for the reporting period from November 2023 to June 2024.
The Trends Report signposts the key trends concerning the causes and impacts of data breaches and offers several key learnings for NSW public sector agencies. In particular, it emphasises the importance of adequately preparing for, and responding to, an “eligible data breach”.
An eligible data breach is a category of data breach involving personal information as defined in section 59D(1) of the PPIP Act.
Some key data breach stats
The Trends Report identified that 52 eligible data breaches had been notified by the NSW Government, local government and university sectors to the Privacy Commissioner during the reporting period. The Trends Report noted that no notifications were received from State Owned Corporations during the reporting period.
The Trends Report noted that the majority of notified breaches (79%) involved human error. The next highest number of notifications were reportedly due to malicious or criminal attacks (for example, cyber incidents, theft and insider threats). The Trends Report identified that only two notifications involved a “system fault” (that is, a business or technology process error not caused by direct human error).
The main human error related to the unauthorised disclosure of personal information by unintended release or publication of personal information (that is, disclosure of personal information in a way that is not permitted at law).
Notably, the Trends Report observed that notifications of eligible data breaches gradually increased towards the end of the reporting period compared with its earlier months.
Bolster cyber security and be ready
The Trends Report identified that cyber security uplifts should be a focus for NSW public sector entities. According to the Trends Report:
“The IPC strongly encourages leaders across the sectors to engage with the risks arising from cyber security. Investment to uplift ICT security and staff capability are key to improving the safety and security of personal information held by agencies.”
The Trends Report reiterated the importance of compliance with the NSW Cyber Security Policy and noted that, even when a NSW public sector entity (for example, a university) is not mandated to follow the NSW Cyber Security Policy, “its adoption is recommended to build a foundation of strong cyber security practice”.
The Trends Report also underscored the importance of data breach response readiness and recommended that public sector entities undertake regular data breach simulations to test their readiness and to help them identify any gaps or deficiencies in their data breach response plans.
Effective notifications of eligible data breaches
The Trends Report identified that effective notification of eligible data breaches is key. It noted that when notifying affected individuals, NSW public sector agencies should ensure that such notifications:
- are provided in a timely manner;
- provide “meaningful information” about what has occurred and enough information to provide an accurate sense of what risks may arise for the individual;
- include all the information required under section 59O of the PPIP Act;
- provide clear instructions for recommended steps the affected individual can take or the services that may be contacted for assistance; and
- are written in plain English and in a manner that does not compound the impact of the data breach.
Contracted service providers
The Trends Report identified that some eligible data breaches notified during the reporting period involved private sector entities performing services under contract to an agency. This underlines how critical it is to ensure that contracts with third parties address data breach response, and that data breach policies and response plans are comprehensive enough to cover contracted service provider arrangements.
In particular, we recommend that public sector agencies’ contracts with third party providers that collect, store, process or handle personal information impose direct obligations on third party service providers to ensure that public sector agencies can fully comply with all relevant privacy laws and their obligations under the MNDB Scheme. In this regard, it is important to note that, in some circumstances, personal information in the hands of a contracted service provider will still be considered “held” by, and the responsibility of, a public sector agency.
Other recommendations
The Trends Report provides several other salient recommendations and good practice tips for responding to data breaches and reducing the harm to affected individuals, including:
- ensuring that delegations under the MNDB Scheme are made to individuals at the appropriate level of seniority and with the necessary expertise to respond to a data breach in compliance with the PPIP Act;
- where data breaches impact a high number of individuals, setting up a dedicated webpage or support line to provide affected individuals with a centralised contact point to obtain further information about the breach;
- implementing regular staff training and establishing a “pro-privacy culture”;
- implementing regular reviews of access privileges for “admin” accounts to ensure that they are configured in accordance with the principle of “least privilege” access; and
- having a defined process for making and triaging data breach reports.
Key takeaways
Being prepared for a data breach requires public sector agencies to take relevant proactive steps. The findings and recommendations within the Trends Report are a timely reminder of the importance of bolstering cyber security defences, uplifting cyber security maturity and being sufficiently prepared to address potential data breaches.
Given the high incidence of human error leading to data breaches, the Trends Report also highlights the importance of ongoing staff privacy training, including training on end-to-end information management, data and document security and privacy law compliance and awareness.
As the Trends Report aptly summarised:
“Being data breach ready means being proactive, not reactive. It means preparing your teams, your policies and your protocols”.