NSW Desktop Review Reveals Gaps in Data Breach Policies
A recent review in New South Wales has revealed a widespread lack of data breach policies among entities required to comply with the state’s mandatory data breach notification scheme. This review, carried out by the NSW Information and Privacy Commission in May, found that many organizations, especially local councils, had not yet published data breach policies despite the requirement.
The scheme, which took effect in November 2023 after a 12-month transition period, mandated that agencies, state-owned corporations, councils, and universities develop and make available a data breach policy. The goal was to ensure these organizations were ready to manage data breaches and had protocols for notifying affected individuals when breaches occur.
A data breach policy, as defined by the commission, outlines staff roles and responsibilities in managing a data breach and details the steps the organization will take in response. Public access to these policies promotes transparency and strengthens public trust, the commission noted.
During the review, the commission checked whether data breach policies could be easily found on organization websites; it did not evaluate the policies’ content. Findings showed that 44 percent of the entities either had no publicly accessible data breach policy or had no policy at all. The commission described this as a significant shortfall, especially given the time allowed to prepare for the scheme’s launch.
Out of 94 entities reviewed, 23 councils, 11 government agencies, four state-owned corporations, and three universities were found to have no data breach policy. Additionally, many had not fully updated their privacy management policies, which are supposed to outline how personal and health information is safeguarded by the organization.
These shortcomings underscore the importance of robust privacy management. Proper documentation helps organizations identify and respond to data breaches when they occur, as required under the mandatory notification scheme. The commissioner expressed frustration over these findings, noting that the organizations had been informed of the need to comply and should have been prepared for this level of scrutiny.