44% of NSW government agencies failed to comply with state data breach notification policy

The NSW Information and Privacy Commission (IPC) has revealed a number of organizations failed to comply with the state’s Mandatory Data Breach Notification Scheme and failed to publish a data breach policy.

The IPC released the findings of its May “desktop review” this month, revealing that some government agencies were not complying with the state’s Mandatory Data Breach Notification (MNDB) Plan.

According to the findings, 44 percent of organizations do not have a publicly available data breach policy on their websites.

“Given the point-in-time nature of this review, the level of non-public (data breach policy) or institutions reviewing (Privacy Management Plan) for the (MNDB) Program at that time is concerning and requires immediate attention,” the IPC said.

The desktop review analyzed 94 organizations, of which 11 NSW government agencies, 23 councils, three universities and four state-owned companies did not have any data breach policies.

“This represents a significant proportion of organizations that, despite the time allotted to prepare for the introduction of the mandatory data breach notification scheme, have not taken the necessary steps to meet a key legal requirement of the scheme: developing and publishing a data breach IPC, which is given to organisations, and which the MNDB plan is due by November 2023. wrote the policy, citing a 12-month “transition period” that ended with its launch in .

“(This) shows a lack of appreciation for the importance of being prepared if a data breach occurs.”

The report comes as the IPC reported earlier this month that NSW universities, government agencies and councils collectively reported 52 data breaches in the seven months ending June this year, revealing more needed to be done to strengthen cybersecurity.

Roughly four-fifths (79 percent) of those affecting government agencies were due to human error, while the remaining 20 percent were the result of threat actors and cyberattacks.

Additionally, approximately a third took between one and six months to notify the Information and Privacy Commissioner (IPC) NSW. Agencies are required to notify the IPC within 30 days or submit a written extension if more than 30 days are needed to evaluate the breach.

“The overall number of notifications received in the first seven months of the MNDB Program was moderate, but results show early signs of an increase in notifications towards the end of the reporting period,” the IPC said, adding that as the MNDB plan matures, it expects the number of notifications to reflect this.

“Investment in improving ICT security and staff capacity is key to improving the security and safety of personal information held by organisations.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding and experience of writing in technology. After studying at Macquarie University, he joined Momentum Media in 2022 and has written for a number of publications including Australian Aviation, Cyber Security Connect and Defense Connect. Apart from writing, Daniel has a keen interest in music and spends his time playing in bands around Sydney.