Mandatory Notification of Data Breach Scheme

The Mandatory Notification of Data Breach (MNDB) Scheme will come into effect on 28 November 2023. See the Voluntary Data Breach Notification page for information relating to the current scheme in place. 

About the Mandatory Notification of Data Breach Scheme

Amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act) will come into effect on 28 November 2023. The amendments impact the responsibilities of agencies under the PPIP Act, and require agencies to provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act.

The changes to the PPIP Act include:

  • creating a Mandatory Notification of Data Breach (MNDB) Scheme which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm
  • applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988
  • repealing s117C of the Fines Act 1996 to ensure that all NSW public sector agencies are regulated by the same mandatory notification scheme.

More Information about the amendments can be found on the NSW Parliament's website

The MNDB Scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.

You can refer to the IPC’s new and updated resources in relation to the upcoming MNDB Scheme on this page.

Once the MNDB Scheme comes into effect, the IPC will report on how the Scheme is operating. Annual summary data will also be included in the IPC Annual Report.

Note: This page will be updated as new resources are released.

Preparing for the MNDB Scheme
What does this mean for your agency?

From 28 November 2023, agencies will be required to comply with the mandatory notification provisions under Part 6A of the PPIP Act.

Under the MNDB Scheme agencies will have an obligation to:

  • immediately make all reasonable efforts to contain a data breach
  • undertake an assessment within 30 days where there are reasonable grounds to suspect there may have been an eligible data breach
  • during the assessment period, make all reasonable attempts to mitigate the harm done by the suspected breach
  • decide whether a breach is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach
  • notify the Privacy Commissioner and affected individuals of the eligible data breach
  • comply with other data management requirements.

In support of these obligations, the IPC has released the Data Breach Notification to the Privacy Commissioner form, which sets out the information that agencies must supply to the Privacy Commissioner when making a notification of an eligible data breach.

What do you need to do to get ready for the MNDB Scheme?
  • Roles & responsibilities – agencies should establish clear roles and responsibilities for managing a data breach or suspected data breach. This may include establishment of a data breach response team or the appointment of a specific staff member to lead the agencies data breach response.
  • Privacy Management Plan – agencies should review and update their plan in compliance with new section 33(2)(c1) which will require the plan to include provisions relating to “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme.” Agencies will be required to include in their plan reference to their data breach policy. 
  • Data Breach Policy – agencies should prepare and publish a data breach policy in compliance with section 59ZD. The Data Breach Policy should set out how the agency will respond to a data breach. It should establish the roles and responsibilities of agency staff in relation to managing a breach and the steps the agency will follow if a breach occurs.
  • Policies and Procedures – review and update any relevant policies and procedures to comply with obligations under the MNDB Scheme.
  • Incident register – an agency is required under section 59ZE to establish and maintain an internal register of eligible data breaches. This register should record the information specified under section 59ZE(2).
  • Public notification register – agencies are required to maintain a public notification register of any notifications made under section 59N(2). The information recorded in the register must be publicly available for at least 12 months after the date of publication and include the information specified under section 59O.

How do I stay updated?

This page will be regularly updated as new resources and information becomes available. The IPC has launched a new bi-monthly e-newsletter to update practitioners about new resources and information relating to the MNDB Scheme. Past editions are available to view further down this page and if you would like to receive these updates, you can subscribe here

Resources for agencies

In the lead up to 28 November 2023 when the MNDB Scheme commences, the IPC is preparing new and updating existing guidance to support NSW public sector agencies prepare for the Scheme. 

See all privacy resources for agencies here.

Resources for citizens

The IPC will also prepare guidance for NSW citizens to improve their understanding of the Scheme, their rights and what they can expect once the Scheme is in place.  

See all privacy resources for citizens here.

IPC MNDB Bi-monthly e-Newsletter

View past editions of the e-Newsletter below:

IPC Webinar: Introduction to the Mandatory Notification of Data Breach Scheme - Ensuring your agency is prepared

The Privacy Commissioner has released a webinar for local councils, universities and agencies to assist them in preparing for the upcoming MNDB Scheme. 

During the webinar, the Privacy Commissioner focused on the basics of the MNDB Scheme, public sector agency obligations under the Scheme and what public sector agencies need to do to prepare for the implementation of the Scheme.

Other useful guidance

The IPC also has a range of other guidance available to assist agencies in understanding their obligations under the PPIP Act. See all privacy resources for agencies here.

*Resources to be updated as part of the preparations for the MNDB Scheme.