Proposed changes to NSW privacy laws

The Privacy and Personal Information Protection Amendment Bill 2021 aims to strengthen privacy protection in NSW. The draft exposure bill proposes to:

  • establish a mandatory notification of data breach (MNDB) scheme to require public sector agencies bound by Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) to notify the Privacy Commissioner and affected individuals of data breaches of personal or health information, which are likely to result in serious harm, and
  • applies the PPIP Act to all state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988.

MNDB scheme

The MNDB scheme will require public sector agencies to notify the IPC and affected individuals if a data breach affecting personal or health information that is likely to result in serious harm occurs. 

The MNDB scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible privacy and data management policy.

Under the PPIP Act, the Privacy Commissioner already has regulatory powers and functions, which can be used in relation to the MNDB scheme. These include the power to investigate and make recommendations, and the ability to publish or furnish reports to the Minister responsible for the agency. The MNDB scheme will also confer on the Privacy Commissioner additional regulatory powers in relation to the MNDB scheme, including the power of entry. 

The MNDB borrows many aspects of the Commonwealth Notifiable Data Breach scheme. This is proposed to reduce interjurisdictional inconsistencies, especially given that NSW public sector entities already must comply with the Commonwealth scheme in relation to breaches of tax file numbers. 

View the bill and factsheet

Have your say

The NSW Government invites interested individuals and organisations to provide feedback on the bill.

Submissions should be made in writing and sent to

Submissions opened on 7 May 2021 and close 18 June 2021.