NSW government agencies will legally be required to report customer data breaches like cyber attacks if a new bill is passed through parliament.
State government agencies will need to notify customers of a breach within 30 days under the proposed data protection law.
NSW Attorney-General Mark Speakman said the law would make sure people know "fairly promptly" that there had been a data breach.
"They can take their own steps to mitigate the harm, but in the meantime, the public sector agency will also be required to take reasonable steps to manage the situation," Mr Speakman said.
The Privacy and Personal Information Protection Amendment Bill provides a blueprint government agencies need to follow to protect data.
This includes taking steps to mitigate the harm of a data breach and creating an internal register to document those breaches.
Its introduction comes after a spate of cyber attacks on companies including Optus and Medibank jeopardised the data security of millions of people.
Mr Speakman told the ABC the bill had wide support, and he believed it could clear parliament in the next fortnight.
"There are ongoing cyber threats to public sector agencies," he said.
"Sometimes the data breach can be because of hacking and other times it can be because of carelessness.
"As a government, we're doing everything we can to protect citizens' data."
Mr Speakman said the agencies impacted – which includes local councils, statutory authorities and some universities – will have a year to put the necessary systems in place.
NSW Labor leader Chris Minns described the bill as a "common sense" measure.
"I'd like to speak to technology experts about whether it's possible to notify people in an earlier way and to make sure the government is able to comply with those changed rules," he told the ABC.
"If we see, at the end of the day, it makes sense and the government is able to comply with it via its agencies, then we would be supportive of it."
In September, Optus announced it was impacted by a cyber attack. Hackers stole customer information ranging from particulars to ID numbers including passports and driver's licences.
Health insurer Medibank was targeted in an attack in October, revealing the personal information of about 9.7 million current and former customers had been accessed.