Council CONNECT May 2018 Corporate & Commercial

What's more, public sector agencies (including local government agencies) must notify data breaches pursuant to:

- the Privacy (Tax File Number) Rule 2015 issued pursuant to section 17 of the Privacy Act
- the Data Sharing (Government Sector) Act 2015, which imposes an obligation on an agency that receives personal or health information to inform a data provider and the NSW Privacy Commission as soon as practicable of a breach (that is, when the agency becomes aware that a breach of privacy legislation has occurred or is likely to have occurred)
- the General Data Protection Regulation, which comes into force on 25 May 2018 and will apply to any organisation offering goods or services to, or monitoring the behaviour of, individuals living in the European Union.

So what are the requirements under the Notifiable Data Breaches Scheme?

A breach occurs when data, such as a TFN, is lost, or where there has been unauthorised access to or disclosure of such data. A breach becomes notifiable if it is likely to result in serious harm to an individual. The Privacy Act does not define what "serious harm" is. According to the Australian Privacy Commissioner, it may include serious financial, physical, psychological, emotional or reputational harm.

The Scheme recommends four steps when responding to a data breach. They are:

1. contain the breach
2. evaluate and mitigate the risks
3. notify and communicate
4. prevent future breaches.

In future articles we will examine the requirements of the Scheme in more detail.

Trust and Open Government

"Good government, sound policy and just decision-making demand that information is collected, stored, managed, used and disclosed wisely and appropriately. Every decision and every activity of government uses information. Each year the amount of information held by government grows and at a faster pace."

"Towards an Australian Government Information Policy", November 2010, Issues Paper 1, Office of the Australian Information Commissioner.

As data breach disclosure culture (whether through mandatory or voluntary disclosure) sets in, the NSW public sector response will be closely monitored and may set the scene for open government.