Have your say

The IPC releases items for consultation. As they are released, they will appear on this page. 

 

Open for consultation: (Consultation Draft) Guidelines – Guidelines on the exemption if a public sector agency has taken certain actions under section 59U

Feedback via email: ipcinfo@ipc.nsw.gov.au 

Close date: 17 April 2026

The Information and Privacy Commission (IPC) is pleased to announce the release of its new Guidelines on the exemption if a public sector agency has taken certain actions under section 59U for consultation and feedback.

Part 6A of the Privacy and Personal Information Protection Act (PPIP Act), establishes a scheme for the mandatory notification of data breaches by NSW public sector agencies. Under the Mandatory Notification of Data Breach Scheme, all public sector agencies bound by the PPIP Act must notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm. When an eligible breach has occurred, the agency must take all steps that are reasonably practicable to notify the individuals to whom the information relates or who may be affected by the breach.

These Guidelines are intended to provide agencies with guidance on the operation of the exemption under section 59U. This provision provides that the head of a public sector agency may decide to exempt the agency from notifying affected individuals if the agency has taken certain actions under s59U to mitigate the harm arising from an eligible data breach.

The IPC values the input of privacy practitioners in NSW and is seeking your feedback on this new guidance. In particular, we would appreciate your responses to the following focus questions:

  1. Do you believe the proposed guidelines provide sufficient clarity on when and how the exemption should be applied?
  2. Are there any scenarios or circumstances where you feel the guidelines may be difficult to interpret or implement?
  3. Can you suggest any improvements or additional considerations that would make the guidelines more effective?
  4. Are the guidelines useful and of assistance to understanding the requirements?

Your feedback is critical to ensuring that the guidance is comprehensive and effective in supporting the NSW public sector.

As required under s59ZI of the PPIP Act, the Privacy Commissioner will consult with the Attorney General and Minister of Customer Service and Digital Government before publishing the Guidelines.

It is anticipated that the finalised Guidelines will be published in Q4 2025–26.

Please submit any feedback in writing to ipcinfo@ipc.nsw.gov.au by COB 17 April 2026.

Aboriginal and Torres Strait Islander Flags
We acknowledge Aboriginal and Torres Strait Islander peoples as custodians of Australia and pay our respects to Elders, past and present. We also acknowledge the ongoing connection to land, sea and communities throughout Australia, and the contributions to the lives of all Australians. 

IPC logo.

© IPC

CC logo

Navigate

Useful links

IPC Social Media

   Linkedin

 

IPC Social Media Terms of Use