The purpose of this Self-assessment Tool is to assist NSW public sector agencies to determine whether a data breach is an eligible data breach under the MNDB Scheme.
If you are an individual and you believe that a NSW public sector agency has breached your personal information, please see our page on How do I make a complaint for more information about your options.
If there is an immediate risk to a person’s life, health or safety, call 000; do not delay action by completing this assessment.
Under the Mandatory Notification of Data Breach Scheme (MNDB Scheme), a NSW public sector agency that suspects an “eligible” data breach has occurred must carry out an assessment of whether the data breach incident is an eligible data breach. This guidance has been designed to assist public sector agencies in undertaking that assessment.
The IPC's MNDB Scheme guidance and this self-assessment must be read and completed within the context of an individual public sector agency’s relevant internal policies and processes, together with the statutory guidance issued by the Privacy Commissioner. The IPC's guidance is available via the MNDB Scheme webpage.
Individual agencies will have internal data breach policies, procedures and accountabilities that will vary based on their information holdings, functions, risk appetite, organisational structures and unique operating environments. An agency may incorporate this guidance into its data breach response plans, policies and procedures.
This self-assessment is designed so it may be undertaken by a person who is any of the following:
- an officer or employee of the agency that is the subject of the data breach
- an officer or employee of another public sector agency acting on behalf of the public sector agency that is the subject of the data breach
- a person acting on behalf of the public sector agency that is the subject of the data breach, or a person employed by that person.
Note: An 'employee' includes an individual engaged by the public sector agency under a contract.
The assessment of the data breach should not be undertaken by a person reasonably suspected of being involved in an action or omission that led to or resulted in the data breach.
Agencies should ensure that all staff called upon to assess a data breach or make an escalation decision are trained and capable of adequately assessing the breach and its impact.
The assessment must be carried out in an expeditious way. Whilst undertaking this assessment, agencies must ensure that they make all reasonable attempts to mitigate any harm already done.
On completion of the self-assessment you will have the option to enter an email address. This will enable a copy of your completed self-assessment, including the response, to be emailed to you. The IPC does not collect or retain a copy of the information entered into the assessment, including the email address, and will be unable to provide you with a copy if you do not retain a copy of your self-assessment.
Agencies should retain the email copy of the self-assessment information, including the assessor’s name and position, date of the assessment, and any supporting or reference material used in undertaking the assessment.