Voluntary Data Breach Notification

The Mandatory Notification of Data Breach (MNDB) Scheme came into effect on 28 November 2023. See the Mandatory Notification of Data Breach Scheme page for information relating to the current scheme in place.

Voluntary Data Breach Notification Scheme

The IPC’s Voluntary Data Breach Notification Scheme was in place until the commencement of the Mandatory Notification of Data Breach (MNDB) Scheme on 28 November 2023.

The MNDB Scheme is a mandatory notification requirement under the Privacy and Personal Information Protection Act 1998 for NSW public sector agencies in the event of an ‘eligible data breach’. Under the MNDB Scheme, an agency must notify the affected individuals and the Privacy Commissioner when there has been an eligible data breach.

Although the Voluntary Scheme has ended, you can still find other resources and statistics from the Scheme below.

Notifiable Data Breach Scheme

The Commonwealth Notifiable Data Breaches (NDB) scheme was introduced under the Australian Privacy Act 1988 (Privacy Act) on 22 February 2018.

The NDB scheme establishes a mandatory data breach notification protocol that requires organisations covered by the Privacy Act to notify individuals likely to be at risk of serious harm due to a data breach.

Although the NDB scheme is aimed primarily at federal government agencies and private sector organisations regulated by the Australian Privacy Principles (APPs) under the Privacy Act, there are provisions that apply to NSW public sector agencies.

Other useful resources

IPC Data Breach Policy
IPC Privacy Governance Framework
IPC Privacy Management Plan
Essential Eight Guide to managing cyber security incidents

IPC Voluntary Breaches Quarterly Statistics:

The IPC published quarterly statistical information about notifications received to assist NSW public sector agencies and the public to understand the operation of the scheme.

Note: On 28 November 2023, the Mandatory Notification of Data Breach Scheme commenced in NSW. The data that is reported for FY2023 - 2024 for Quarter 2 for the Voluntary Data Breach Scheme is for the period up to and including 27 November 2023. Going forward, all future reporting on data breaches will be made under the Mandatory Notification of Data Breach Scheme and are available via the Reporting on the Scheme page.