Mandatory Notification of Data Breach Scheme

The Mandatory Notification of Data Breach (MNDB) Scheme will come into effect on 28 November 2023. See the Voluntary Data Breach Notification page for information relating to the current scheme in place. 

Amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act) will come into effect on 28 November 2023. The amendments impact the responsibilities of agencies under the PPIP Act, and require agencies to provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act.

The changes to the PPIP Act include:

• creating a Mandatory Notification of Data Breach (MNDB) Scheme which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm
• applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988
• repealing s117C of the Fines Act 1996 to ensure that all NSW public sector agencies are regulated by the same mandatory notification scheme.

More Information about the amendments can be found on the NSW Parliament's website. 

The MNDB Scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.

You can refer to the IPC’s new and updated resources in relation to the upcoming MNDB Scheme on this page.

Once the MNDB Scheme comes into effect, the IPC will report on how the Scheme is operating. Annual summary data will also be included in the IPC Annual Report.

Note: This page will be updated as new resources are released.

What does this mean for your agency?

From 28 November 2023, agencies will be required to comply with the mandatory notification provisions under Part 6A of the PPIP Act.

Under the MNDB Scheme agencies will have an obligation to:

• immediately make all reasonable efforts to contain a data breach
• undertake an assessment within 30 days where there are reasonable grounds to suspect there may have been an eligible data breach
• during the assessment period, make all reasonable attempts to mitigate the harm done by the suspected breach
• decide whether a breach is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach
• notify the Privacy Commissioner and affected individuals of the eligible data breach
• comply with other data management requirements.

What do you need to do to get ready for the MNDB Scheme?

• Roles & responsibilities – agencies should establish clear roles and responsibilities for managing a data breach or suspected data breach. This may include establishment of a data breach response team or the appointment of a specific staff member to lead the agencies data breach response.
   
• Privacy Management Plan – agencies should review and update their plan in compliance with new section 33(2)(c1) which will require the plan to include provisions relating to “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme.” Agencies will be required to include in their plan reference to their data breach policy. 
   
• Data Breach Policy – agencies should prepare and publish a data breach policy in compliance with section 59ZD. The Data Breach Policy should set out how the agency will respond to a data breach. It should establish the roles and responsibilities of agency staff in relation to managing a breach and the steps the agency will follow if a breach occurs.
   
• Policies and Procedures – review and update any relevant policies and procedures to comply with obligations under the MNDB Scheme.
   
• Incident register – an agency is required under section 59ZE to establish and maintain an internal register of eligible data breaches. This register should record the information specified under section 59ZE(2).
   
• Public notification register – agencies are required to maintain a public notification register of any notifications made under section 59N(2). The information recorded in the register must be publicly available for at least 12 months after the date of publication and include the information specified under section 59O.

How do I stay updated?

This page will be regularly updated as new resources and information becomes available. The IPC will also be launching a bi-monthly e-newsletter from April 2023 to update practitioners about new resources and information relating to the MNDB Scheme. If you would like to receive these updates, you can subscribe here. 

In the lead up to 28 November 2023 when the MNDB Scheme commences, the IPC is preparing new and updating existing guidance to support NSW public sector agencies prepare for the scheme. 

• Fact Sheet for agencies: Exemptions from notification to affected individuals 
• Guide to preparing a data breach policy (expected May 2023)
• Guide for agencies: MNDB Scheme (expected June 2023)
• Guideline: Assessing an eligible data breach (expected August 2023 after approval by Minister)
• Guideline: Exemption under s 59W (health and safety) (expected August 2023 after approval by Minister)
• Guideline: Exemption under s 59X (cybersecurity) (expected August 2023 after approval by Minister)

See all privacy resources for agencies here.

The IPC will also prepare guidance for NSW citizens to improve their understanding of the Scheme, their rights and what they can expect once the Scheme is in place.  

• Fact Sheet for citizens: What is the MNDB Scheme (expected May 2023)
• Fact Sheet for citizens: Your rights under the MNDB Scheme (expected May 2023)

See all privacy resources for citizens here.