Mandatory Notification of Data Breach Scheme

The Mandatory Notification of Data Breach (MNDB) Scheme commenced in NSW on 28 November 2023. See the Voluntary Data Breach Notification page for information relating to the former scheme. 

About the Mandatory Notification of Data Breach Scheme

The MNDB Scheme impacts the responsibilities of agencies under the Privacy and Personal Information Protection Act 1998 (PPIP Act). It requires agencies to notify the Privacy Commissioner and provide notifications to affected individuals in the event of an eligible data breach of their personal or health information by a NSW public sector agency or state-owned corporation subject to the PPIP Act.

More information about the MNDB Scheme can be found in Part 6A of the Privacy and Personal Information Protection Act 1998.

The MNDB Scheme requires agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.

You can refer to the IPC’s new and updated resources in relation to the MNDB Scheme for further information.

Reporting information about the MNDB Scheme is available via the Reporting on the Scheme page. Annual summary data will also be included in the IPC Annual Report.