The State Library of New South Wales announced a major update to its Web Privacy Statement, aligning with the launch of the NSW Mandatory Notification of Data Breaches scheme on 28 November 2023. This policy update will affect all digital platforms in the Library and its partner systems.
This change strengthens the rules for collecting, using, storing, and protecting personal data as outlined in the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002. Report any data breach to the Privacy Officer immediately. Stringent controls on disclosure, storage, and access are now enforced. This announcement represents a major step forward in enhancing privacy, data governance, and cybersecurity standards in Australia’s public sector.
Reforms strengthen privacy
Recent reforms have bolstered the legal framework for privacy in NSW. On 28 November 2023, the Mandatory Notification of Data Breaches (MNDB) scheme took effect following recent changes to the Privacy and Personal Information Protection Act 1998 (PPIP Act). Public sector agencies must notify the NSW Privacy Commissioner and affected individuals when a qualifying breach occurs under the PPIP Act. A breach qualifies as “eligible” when unauthorised access, disclosure, or loss of personal or health information occurs, and a reasonable person would foresee significant harm.
Agencies must establish a Data Breach Policy, implement internal registers, and uphold public notification registers. Assess breaches within a 30-day timeframe upon awareness. Individuals may not receive notifications in certain situations, such as potential cybersecurity risks, overlapping agency responsibilities, or cases where disclosure might worsen harm. The reforms require greater accountability in data governance, digital government, and data infrastructure. Public sector leaders must reassess how they share data with vendors, manage cloud storage, control access, and implement safeguards to prevent data silos. Cybersecurity plays a crucial role in privacy and stands at the forefront today.
Collection drives trust
The Library confirms, “We will only collect personal information which you provide to us and will only use it for the purposes for which it was collected.”
Organisations retain personal data only for the time it takes to achieve specific purposes. The Library communicates clearly at each collection point, outlining the required information, explaining why it is necessary, and detailing the conditions for its use. The system collects anonymous metadata, such as pages viewed, visit durations, device types, IP addresses, browser languages, and search terms. Analysts use this data to examine usage patterns, improve services, and strengthen digital government initiatives. Vendors offering services such as event booking and online retail collect user data based on their specific policies.
The Library collects contact or non-identifiable information from users to address service concerns and for analytical purposes. Individuals must sign up for specific services that require identifiable personal information. Public sector agencies must uphold data governance and ensure that their data infrastructure supports minimal collection and transparency in these collection practices. Remove unnecessary data silos, protect privacy in all cloud storage or vendor agreements, and build trust in digital government services.
Check out: “Law stops claim-farming, secures data privacy”
Governance ensures trust
The State Library of New South Wales uses personal information only for its intended purposes and restricts access to authorised personnel. They do not identify or track individual browsing unless you provide explicit consent. Individuals disclose personal information only when they have gathered it for that specific purpose, with full awareness and approval from the individual. The Library enforces a strict policy that prohibits the sale, trade, or licensing of personal data for any commercial purposes. Disclosure occurs only when it’s essential to meet contracted services or when required by law, such as in response to a valid law enforcement request.
All disclosures adhere to strict agreements that define data usage, access limitations, and retention guidelines. These practices raise the importance of incorporating privacy from the outset and require clear communication in data sharing between public agencies. They ensure that data sharing occurs within the limits of legal and ethical standards while building trust in digital government services. The model boosts cybersecurity, reduces data silos, and fosters accountability for data governance across cloud environments.
Security protects data
The State Library of New South Wales follows an Information Security Policy V5.0, approved on 8 July 2025, to implement strong measures for storing, securing, and protecting its information assets. The organisation prioritises the confidentiality, integrity, and availability of data, including personally identifiable information, health records, financial details, and operating systems. Staff access to systems remains strictly limited to what is necessary, based on their specific roles and responsibilities.
The Library requires supplier contracts to include security obligations. The organisation performs comprehensive privacy assessments on all systems, including cloud-based services, before deployments or upgrades. Every six months, we review user access privileges. The NSW Government sets forth guidelines for the classification and labelling of sensitive information.
The Library disposes of records securely, following the guidelines set by the State Records Act 1998. Certified erasure takes place for digital records, and meticulous shredding occurs for paper records. Vigilant surveillance protects information systems from unauthorised modifications. Advanced intrusion detection tools and software effectively identify any misuse. The Library adopts top-tier cybersecurity measures, including risk assessment, incident management, and compliance with the NSW Cyber Security Policy.
Access empowers privacy
Individuals hold specific rights to view, edit, and remove their personal information at the State Library of New South Wales. The Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 empower individuals to request free access to or copies of their personal information stored by the Library. If you identify any information that is incorrect, incomplete, outdated, or misleading, please request an adjustment.
If the Library denies your amendment request, feel free to provide a comment that accurately reflects the facts. Research collections, publicly visible data, and data protected by legal professional privilege may not be subject to correction. Reach out to the appropriate service or Privacy Contact Officer to cancel correspondence or subscriptions from Library databases.
Third parties must verify your identity to access your information, unless the law requires otherwise. The rights highlight the importance of transparency, responsibility, and public trust in digital governance within the public sector. Leaders must ensure that systems provide access and allow for rectification, safeguard data subjects’ rights, and eliminate data silos and unnecessary retention. Robust erasure and amendment rules shape the response of cloud storage and vendor-hosted systems to data rights, ensuring compliance with legal standards.
Policies drive accountability
Effective 28 November 2023, all NSW public sector entities must enhance their accountability under the Mandatory Notification of Data Breaches plan outlined in the Privacy and Personal Information Protection Act 1998. Agencies, statutory bodies, local governments, universities, and state-owned enterprises must inform the NSW Privacy Commissioner and those affected about personal or health data breaches that pose a significant risk of harm. Agencies will maintain internal and public breach registers, publish a data breach policy, and review breaches within 30 days.
The plan empowers the Privacy Commissioner, enabling detailed audits and compliance monitoring throughout federal agencies. Recent changes highlight proactive governance, strengthen cybersecurity, and enhance public communication in the processing of public data. Agencies are urged to integrate privacy into digital transformation, ensuring secure data collaboration across platforms and cloud storage solutions. NSW combines privacy, data infrastructure, and digital trust with breach responsibility, establishing a baseline for the public sector.
The State Library of New South Wales establishes a new standard for privacy accountability in Australia’s public sector. The updated framework integrates data protection, cybersecurity, and governance into every stage of digital service delivery. The approach shows a transition from compliance to proactive risk management, bolstered by the Mandatory Notification of Data Breaches scheme. Public agencies must now enhance cloud storage security, upgrade data infrastructure, and foster transparent collaboration while safeguarding privacy. The Library’s model shows that trust, legal compliance, and digital efficiency can work together effectively. As privacy regulations evolve, authorities will prioritise protecting citizens’ data while fostering innovation in digital government systems.
Justin Lavadia is a content producer and editor at Public Spectrum with a diverse writing background spanning various niches and formats. With a wealth of experience, he brings clarity and concise communication to digital content. His expertise lies in crafting engaging content and delivering impactful narratives that resonate with readers.
Latest
Popular