NSW agencies to be forced to report hacks

People facing serious harm when government agencies lose their personal data are set to get added protections in NSW.

The Perrottet government says NSW will become the first state or territory to have a mandatory notification scheme for its government agencies, forcing agency heads to escalate matters to the privacy commissioner.

If the bill is passed this month, agencies will have to keep logs of serious breaches, make reasonable attempts to mitigate the harm done by a data breach and alert affected people.

If alerting all affected people is not reasonably practicable, agency bosses will have to place a notice on the agency's website for 12 months.

Attorney-General Mark Speakman said every day people offered their personal information to government agencies in a "significant undertaking of trust".

"In return, the government has a responsibility to effectively and proactively protect and respect that personal information," he said.

Customer Service Minister Victor Dominello said the state government had invested $315 million to bolster cyber systems and launched ID Support NSW to help those impacted by identity theft.

"The bill will provide greater certainty for the public and government agencies regarding personal information and the steps required if a data breach occurs," he said.

"A mandatory notification scheme also ensures that the ability for an affected citizen to take their own protective action is a primary consideration in any data breach response."

Labor Leader Chris Minns said he hadn't yet studied the legislation "but it seems like a common sense measure".

"Obviously we need to let customers and taxpayers of the state know that there is a data breach and legislation has to keep pace with evolving technologies and the threats to that technology," he said.

Public sector agencies include all departments, local councils, some universities and bodies such as Service NSW, TAFE NSW and State Super.

The Privacy and Personal Information Protection Act 1998 will also be expanded to cover all NSW state-owned corporations not subject to federal privacy laws.

The change comes after data breaches at Optus, Medibank and a host of other companies in recent months.

The lower house of federal parliament on Wednesday passed new laws to hike fines for companies that had serious data breaches to 30 per cent of a company's turnover during the affected period.