6 September 2023

NSW Mandatory Notification of Data Breach Scheme

Angela Wong
Senior Consultant
Brett Watson

elevenM’s Angela Wong and Brett Watson outline the changes that are coming with the NSW Mandatory Notification of Data Breach Scheme and provide some advice on how to get ready. Included are two templates to help agencies meet compliance with the reporting requirements.

The long-promised Mandatory Notification of Data Breach (MNDB) Scheme in New South Wales is (almost!) here. Like Sam Kerr’s goal in the World Cup — we all thought it would happen, we patiently waited for it and even got a bit worried it might not happen, but it happened in the end (and it was worth it).  

What’s changed?

The amendments to Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) mandate the current voluntary data breaches scheme and brings NSW into line with the Commonwealth Notifiable Data Breaches (NDB) scheme and a similar scheme in Victoria.

Mandatory data breach notification requirements will come into effect from 28 November 2023, and under the scheme NSW public sector agencies will be required to notify the NSW Privacy Commissioner and affected individuals about eligible data breaches.

The introduction of an MNDB Scheme is an important piece of the puzzle in relation to protecting individuals from the potential harms that can arise from a data breach. The personal information of all NSW citizens is likely held by at least one, if not several, government agencies.

In the last couple of years alone, Service NSW, Transport for NSW and iCare have been affected by highly publicised data breaches. The number of data breaches reported to the NSW Information and Privacy Commission (IPC) under the current voluntary scheme are perhaps higher than you would expect — 351 in total across the 2022/23 financial year, with the overwhelming majority occurring in NSW government agencies. It will be interesting to monitor whether (and how) the introduction of the MNDB Scheme affects these figures.

What’s an ‘eligible’ data breach?

An ‘eligible’ data breach occurs where personal information (as defined in the PPIP Act), including health information (as per the Health Records and Information Privacy Act 2002), that is held by a NSW public sector agency is:

  1. accessed or disclosed without authorisation, or lost in circumstances that are likely to lead to unauthorised access or disclosure, and
  2. the access or disclosure of the information would be likely to result in serious harm to an individual.

Breaches can occur between agencies, within an agency and external to an agency.

Which agencies are affected?

The MNDB Scheme has a broad application across the public sector in NSW, and covers government departments, statutory authorities, local councils, Ministers’ offices, some universities, and, importantly, the definition has been expanded to include state-owned corporations (SOCs) that aren’t currently regulated by the Commonwealth NDB scheme.

What do agencies need to do?

The NSW IPC has released a number of guidance materials and resources to help government agencies prepare for the mandatory scheme.

Perhaps most urgently, agencies need to be aware that the MNDB Scheme requires them to prepare and publish a data breach policy for managing eligible data breaches. The IPC has published a Guide to Preparing a Data Breach Policy to help agencies do this.  

Additionally, the MNDB Scheme requires agencies to maintain two types of registers:

  • a public facing notification register, published on the agency’s website, for any public data breach notifications that the agency has issued, and
  • an internal data breach incident register, which is not public-facing, and acts as a record for the agency’s data breaches over time.

Both the notification register and the incident register have content requirements that are set out in the PPIP Act.

We can help

elevenM has prepared two templates that agencies may find useful in their preparations for compliance with the scheme.

Additionally, the Incident Register template as been prepared in such a way that agencies can use it to record privacy ‘incidents’ or ‘near misses’ — events that may not meet the threshold for MNDB notification but should nevertheless be monitored as part of good privacy practice.

Contact us

If you’re interested in learning more about how to prepare for or manage data breaches, contact us at hello@elevenM.com.au or on 1300 003 922.