Mandatory Notification of Data Breach Scheme

About the Mandatory Notification of Data Breach Scheme

The Mandatory Notification of Data Breach Scheme (MNDB Scheme) is a requirement under the Privacy and Personal Information Protection Act 1998 (PPIP Act) that NSW public sector agencies give notification in the event of an ‘eligible data breach’.

Under the MNDB Scheme, an agency must notify the affected individuals and the Privacy Commissioner when there has been an eligible data breach.

The MNDB Scheme comes into effect from 28 November 2023.

What is an eligible data breach?

An ‘eligible data breach’ occurs when there is:

  • unauthorised access to, or unauthorised disclosure of, personal information held by an agency that would be likely to result in serious harm to an individual to whom the information relates
  • the loss of personal information held by an agency in circumstances where unauthorised access or disclosure is likely to occur and which would be likely to result in serious harm to an individual to whom the information relates.

What is serious harm?

Serious harm can include physical, financial or material harm, emotional or psychological harm, or reputational harm. The impact of the harm can vary from person to person, but may include:

  • financial loss through fraud
  • a likely risk of physical or psychological harm, such as by an abusive ex-partner
  • identity theft, which can affect your finances and/or credit record
  • serious harm to an individual’s reputation.

Your right to be notified of a breach of your personal information

When a data breach occurs, an agency must immediately make all reasonable efforts to contain the breach and try to reduce the likelihood that an individual will experience serious harm.

Agencies then have 30 days from the date they become aware of a possible data breach to assess whether that data breach is likely to result in serious harm. Whilst making this assessment, all reasonable attempts must be made to mitigate any harm already done.

If an agency decides there has been an eligible data breach in relation to your personal information, it must notify you as soon as practicable about that breach. This means that an agency must notify you in writing and provide you with information about the eligible data breach, including:

  • actions the agency has taken or plans to take to control or mitigate the harm done to you
  • steps you should consider taking following an eligible data breach
  • information about how to seek an internal review of the agency’s conduct or make a privacy complaint to the Privacy Commissioner.

If the agency is unable to notify you directly it must publish a notification on its website and take reasonable steps to publicise the notification. The notification must remain on the agency’s public notification register for at least 12 months.

There are certain exemptions to the requirement that agencies notify affected individuals of a data breach. For example, if an agency acts quickly to mitigate a data breach, and because of this action the data breach is not likely to result in serious harm, there is no requirement to notify any affected individuals.

More information about the MNDB Scheme and other resources can be found on our dedicated webpage.

Resources for citizens

The IPC has prepared guidance for NSW citizens to improve their understanding of the Scheme, their rights and what they can expect once the Scheme is in place.

Other useful guidance

See all privacy resources for citizens here.

IPC MNDB e-Newsletter for citizens