The NSW government has published a draft bill for mandatory data breach notifications. 

The exposure draft comes after two years of work by the departments of Communities and Justice and Customer Service and the state’s privacy commissioner.

The Privacy and Personal Information Protection Amendment Bill (accessible here in PDF form) would require all government departments and agencies, state-owned corporations, local councils and some universities in NSW to report any breaches that are likely to result in “serious harm”. Affected individuals and the privacy commissioner would both have to be informed. 

The bill defines a serious breach as “unauthorised access to, or unauthorised disclosure of, personal information”.

Any affected agency must conduct an assessment within 30 days of a suspected breach occurring. 

The bill would also allow the privacy commissioner to enter the premises of entities and inspect anything that may relate to compliance with the scheme. 

The proposed changes are open for consultation until June 18.