Statement relating to Western Sydney University


The Acting Privacy Commissioner was notified of a data breach at Western Sydney University in accordance with the Mandatory Notification of Data Breach (MNDB) Scheme. The University are notifying affected individuals. 

The Acting Privacy Commissioner does not comment on the details of individual matters. Investigations of incidents are undertaken independently by the agency with reporting obligations required under the MNDB Scheme.

People who believe they are affected by this incident or who have been notified and would like more information should contact Western Sydney University on 02 9174 6942 (Monday to Friday, 9.00am to 4.30pm AEST) or visit their website: 

The NSW Privacy Commissioner’s functions include promoting privacy rights and the adoption of privacy best practice, preparing guidelines, and oversighting the NSW privacy legislation. 

The Privacy Commissioner’s regulatory responsibilities include:

  • support agencies and new service delivery models to achieve compliance with privacy rights through risk identification, agency self-audit tool, guidance and advice
  • increase community awareness of privacy rights
  • provide targeted guidance and resources to agencies to support and assist them to better manage and mitigate data breaches
  • provide advice to agencies to assist them in adopting and complying with NSW privacy legislation
  • promote a “privacy-by-design” approach by agencies to projects that involve the use of personal information, including the need for Privacy Impact Assessments to be undertaken and good privacy governance and minimise privacy risks
  • consult, develop and promote a suite of information governance e-learning modules for implementation by agencies including privacy management.

NSW has a Mandatory Notification of Data Breach (MNDB) Scheme in place. The MNDB Scheme requires all NSW public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm. The Privacy Commissioner will assess the information provided by the agency in order to satisfy themself that the agency has complied with its obligations with the MNDB Scheme. 

More information regarding the MNDB Scheme, including the obligations of agencies and the requirements not notify individuals affected by a breach, can be found via the IPC website.




For further information, please contact:

The Manager, Communications and Corporate Affairs on 0435 961 691 or email

About the Information and Privacy Commission:

The Information and Privacy Commission NSW (IPC) is an independent statutory authority that administers New South Wales’ legislation dealing with privacy and access to government information. The IPC supports the Information Commissioner and the Privacy Commissioner in fulfilling their legislative responsibilities and functions and to ensure individuals and agencies can access consistent information, guidance and coordinated training about information access and privacy matters.

About the Acting NSW Privacy Commissioner

Ms Sonia Minutillo was appointed as the Acting Privacy Commissioner in February 2024. As Acting Privacy Commissioner, her role includes the promotion of public awareness and understanding of privacy rights in NSW, as well as providing information, support, advice and assistance to agencies and the public.

The Privacy Commissioner administers the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).

For further information about the IPC visit our website at 

Download a copy of the statement.