I make a contribution to the Privacy and Personal Information Protection Amendment Bill 2022. I echo the sentiments of the shadow Attorney General and make clear that Labor will not oppose the bill. This important legislation will strengthen the New South Wales Privacy and Personal Information Protection Act 1998, which I will refer to as "the Act". It dictates how New South Wales government agencies manage personal information. The current Act does not cover State-owned corporations, which simply elect to follow the Act or not, or are governed by the Commonwealth Privacy Act 1988. Currently, government agencies are not required to disclose a data breach. Instead, the Privacy Commissioner oversees a voluntary reporting scheme for agencies to report a data breach to the commissioner to assess, provide advice on and investigate. That opt-in system is simply not working, with data breaches going either undetected or unreported.
The Privacy and Personal Information Protection Amendment Bill 2022 will amend the Act to establish a scheme, which will apply to all New South Wales public sector agencies, for mandatory notification of data breaches. Under the proposed amendments, in the event of a suspected data breach, an agency will be required to contain and assess the likely severity of the breach on impacted citizens; notify the Privacy Commissioner as well as impacted individuals if the agency assesses that the breach is likely to result in serious harm to an individual; and issue a public notification when impacted individuals cannot be identified, or when it is not reasonably practicable to notify them.
To support the mandatory notification of data breaches scheme, the powers of the Privacy Commissioner will be expanded to investigate and monitor agency compliance with the scheme. The bill will also remove the exclusion of State-owned corporations from the Act and extend the Act to cover State-owned corporations not subject to the Commonwealth Privacy Act 1988. The reforms in the bill are long overdue, with the introduction of a mandatory notification of data breaches and the extension of the Act to cover State-owned corporations long advocated for by Labor. It is disappointing that the Government has acted only in this final sitting fortnight of the Fifty-Seventh Parliament. The Government has had the opportunity to support this reform before now. The Opposition has moved four separate private members' bills on this issue. I thank the then shadow Attorney General, Paul Lynch, for bringing those bills to the Parliament on four separate occasions. The Government failed to support them.
All of those proposed bills predated the March 2020 data breach at Service NSW, which exposed over 100,000 citizens' data. Some impacted citizens have still not been notified, with that figure reported to be as high as 40,000 in August 2021. I cannot emphasise enough the importance of government transparency when it comes to data breaches. In the past few years in particular, citizens have trusted governments with substantial amounts of personal data. It is crucial that governments not only maintain the confidence of the public in safeguarding their data but are also agile in updating legislation to reflect our ever-evolving world.
A breach of public confidence on the protection of data would have a devastating impact on the further digitisation of government services. That is why this Government must be transparent with the New South Wales people on any potential data breaches. The public will trust the Government to protect its data when the right safeguards are put in place. One need only look at the uptake of the COVID-19 check-in system during the height of the pandemic. At the time, I worked with the Minister for Customer Service and Digital Government to pass legislation in this House that put in place restrictions on which government agencies could access the data. That gave the public confidence that the data could be used only for the purpose that it was collected. That was an example of this Parliament embracing an agile approach to protect its citizens. I acknowledge the member for Ryde and the Minister, who is retiring from this Parliament. His legacy will be digital implementation. It has been a delight to work with him. I strongly hope that his future is one he can continue to be proud of. That bipartisan approach was embraced by the Parliament and by the New South Wales public sector agencies.
We cannot talk about privacy and data protection without talking about cybersecurity—the two are intrinsically linked. There will always be bad actors seeking to steal government data, whether they be criminals or foreign State actors. Governments must always be on the front foot in ensuring that cybersecurity is a priority for all public sector agencies. That is an area where New South Wales can do better. The Auditor-General's July 2021 report, entitledManaging cyber risks, which focused on Transport for NSW and Sydney Trains, found that the Government is not managing cybersecurity risks effectively. That finding is deeply concerning. It is critical that each public sector agency's leadership team makes addressing cybersecurity risks a priority. That is not just my view; the Deputy Auditor-General told an upper House inquiry into cybersecurity that executive leadership must value the importance of cybersecurity.
TheManaging cyber risks report found that neither Transport for NSW nor Sydney Trains has fostered a culture that values cybersecurity risk management in executive decision-making. That culture cannot continue in our public sector agencies. The data breaches at Optus and Medibank made clear what is at stake when cybersecurity risk management is not prioritised. I note the announcement on the weekend by the Hon. Clare O'Neil, the Minister for Cyber Security, and the Hon. Mark Dreyfus, the Attorney General, to establish a permanent joint standing operation against cyber criminals. That operation will be led by the Australian Federal Police and Australian Signals Directorate.
The next steps in strengthening our cybersecurity resilience go beyond just fostering a culture that establishes cybersecurity as a priority. They include empowering citizens to have control over their own data, who they share it with and what content they choose to share. Labor is committed to an agile approach to policymaking to protect citizens' data and fight back against those forces that seek to breach citizens' privacy. It is the responsibility of the New South Wales Parliament to make sure that it achieves that, too.