A large number of entities subjected to the NSW mandatory data breach notification scheme are yet to publish a data breach policy, with councils among the worst offenders.
A “desktop review” [pdf] by NSW’s information and privacy commission in May this year uncovered an “undesirable” level of non-compliance with the scheme.
The scheme came into effect in November 2023, after a 12-month “transition period” intended to provide time for agencies, state-owned corporations, councils and universities to prepare.
Preparations included creating a data breach policy and updating an existing privacy management policy.
“A comprehensive data breach policy establishes the roles and responsibilities of agency staff in relation to managing a data breach, and the steps the agency will follow when a data breach occurs,” the commissioner said.
“Having a data breach policy and making it publicly accessible enhances transparency and builds trust in the agency’s readiness.”
The desktop review tested whether a data breach policy could be easily found on agency websites, but did not analyse its substance.
It found 44 percent of entities “did not have a publicly available, published data breach policy or one that could be located.”
“This represents a significant proportion of agencies that despite the time afforded to prepare for the commencement of the mandatory data breach notification scheme have not taken the necessary steps to fulfil a core legislative requirement of the scheme – to develop and publish a data breach policy,” the commissioner wrote.
“[This] demonstrates a lack of appreciation for the importance of preparedness if a data breach was to occur.”
Of the 94 entities reviewed, 23 councils, 11 NSW government agencies, four state-owned corporations and three universities were found not to have a policy.
There were similar problems with updates to the privacy management policy being either partially complete or non-compliant.
The privacy management policy “identifies and documents safeguards of the personal and health information holdings of an agency,” the commissioner noted.
“There is a clear link in the understanding and identification of the personal and health information holdings of an agency in its privacy management policy and its ability to sufficiently identify (and respond) when an eligible data breach has occurred for the purposes of the mandatory data breach notification scheme.”
The commissioner expressed disappointment in the results, particularly as entities were “on notice” that they needed to prepare the paperwork and that an audit of some sort was forthcoming.