Voluntary Data Breach Notification

To assist NSW public sector agencies, the Information and Privacy Commission NSW (IPC) has developed a suite of resources to support NSW’s voluntary data breach reporting scheme.

How to notify

Data breach notification form (Word 735KB) Updated August 2020.

This template assists NSW public sector agencies to notify the IPC in the unlikely situation of a data breach. It poses questions around the identity and contact details of the agency, description of the breach, impact assessment and risk of harm, and offers some remedial action points.

Fact sheet and guidance

Fact sheet - NSW public sector agencies and data breaches involving tax file numbers Updated July 2022.

This fact sheet provides information on how to respond to data breaches with guidance on Tax File Number collection, other data breach notification schemes (sharing of government sector data and the European Union's General Data Protection Regulation), and how to notify the IPC if a data breach occurs.

Data Breach Guidance for NSW Agencies Updated September 2020.

This resource is aimed at helping agencies proactively report data breaches under the existing voluntary reporting scheme.

Proactively reporting breaches sends a strong message to the public that your organisation is committed to promoting a culture of privacy protection, and has the necessary systems and processes in place to ensure accountability should a breach occur.

Proactively and voluntarily addressing breaches where they do occur plays a critical role in maintaining public trust in an agency's ability to manage people’s personal information.

Prevention checklist

Data breach prevention checklist (Excel file) Updated May 2021.

This resource provides a useful list of internal checks against which you can measure your current level of preparation, grouped under the headings ‘People, Governance and Culture’, ‘Policy’, ‘Processes’, and ‘Technology’. Select the response that best reflects your agency to receive an overall summary.

This resource also provides an action list for responding to a data breach.

Notifiable Data Breach Scheme

The Commonwealth Notifiable Data Breaches (NDB) scheme was introduced under the Australian Privacy Act 1988 (Privacy Act) on 22 February 2018.

The NDB scheme establishes a mandatory data breach notification protocol that requires organisations covered by the Privacy Act to notify individuals likely to be at risk of serious harm due to a data breach.

Although the NDB scheme is aimed primarily at federal government agencies and private sector organisations regulated by the Australian Privacy Principles (APPs) under the Privacy Act, there are provisions that apply to NSW public sector agencies.

Other useful resources

IPC Data Breach Policy
IPC Privacy Governance Framework
IPC Privacy Management Plan
Essential Eight Guide to managing cyber security incidents

Quarterly statistics

The IPC publishes quarterly statistical information about notifications received to assist NSW public sector agencies and the public to understand the operation of the scheme.

IPC Voluntary Breaches Quarterly Statistics: