The IPC marks one year since the Mandatory Notification of Data Breach Scheme commenced.


This year, the IPC is marking the one-year anniversary of the Mandatory Notification of Data Breach (MNDB) Scheme which came into effect on 28 November 2023. 

The MNDB Scheme ensures that public sector agencies respond swiftly to data breaches when they occur and provides transparent information to those individuals affected, while also empowering and supporting them to protect themselves in the event of a breach.

The past 12 months have seen a period of transition as agencies began notifying the Privacy Commissioner. Since its commencement on 28 November 2023, the IPC has noted: 

  • a steady and consistent flow of data breaches being notified weekly
  • most of the notifications have come from within the Government sector
  • most notifications involved human error, while a sizeable portion involved malicious or criminal attack
  • in many instances, the breaches affected 10 or fewer individuals.

In the lead up to the commencement of the Scheme and over the past 12 months, the IPC has undertaken a variety of activities to support agencies and inform the public about the MNDB Scheme and of their rights, including:

  • creating a dedicated MNDB hub on the IPC website to provide clear information about the Scheme, housing resources, links, reports and notification information 
  • throughout 2023, releasing bi-monthly MNDB e-Newsletters which included important information and updates, prepared a suite of guidance for agencies to prepare themselves and resources for the public to better understand the Scheme  
  • releasing a webinar for local councils, universities and agencies with a focus on the basics of the MNDB Scheme, agency obligations and what agencies need to do to prepare for the implementation of the Scheme
  • releasing two new e-Learning modules to assist agencies in preparing for the Scheme and their responsibilities as public sector staff
  • publishing quarterly statistics on the Scheme and a MNDB Trends Report for the first seven months of the Scheme
  • the Acting Privacy Commissioner publishing an audit on agency compliance with their requirement to publish a Data Breach Policy on their website
  • undertaking a survey of agencies to provide their feedback and experiences in preparing for the Scheme, using IPC resources and notifying the Privacy Commissioner. A summary of the feedback will be provided in the coming weeks and will be used to inform the forward work program of the IPC over the next 12 month.  

As in 2024, the IPC will continue to provide guidance and support to agencies as they continue their data breach response function and grow their maturity in complying with the requirements of the MNDB Scheme. In addition, the IPC will continue to support and empower citizens in understanding their rights and taking action to protect themselves in the event of a breach.