Data Breach Public Notification Register
Mandatory Notification of Data Breaches Scheme
Part 6A of the Privacy and Personal Information Act 1998 (PPIP Act) establishes the Mandatory Notification of Data Breaches Scheme (MNDB Scheme). Information on the MNDB Scheme is available on the Information & Privacy Commission.
When data breaches are published on this Register
Section 59P of the PPIP Act requires that the department maintain a Public Notification Register. Under section 59N(2) and 59P(3) details of data breaches are published in this Register when the Act requires a person affected by a data breach to be notified but it is not reasonably practicable to notify them individually. require the department to include certain information in this Register.
What information is published
Where a notification is made on this Register the section 59P(3)(b) requires the following details (set out in section 59O) to be recorded on the Register except to the extent they contain personal information or would prejudice the department’s functions:
- Date of breach
- Description of breach
- How the breach occurred
- The type of breach (unauthorised disclosure, access or loss of information)
- The kind of information involved
- How long the information was disclosed for
- Action taken or planned to contain or mitigate any harm to individuals or secure the data
- Any recommended actions that affected individuals take themselves (if any)
- How to make a privacy complaint (see below)
- The name of the department as the agency responsible for the breach
- The name of any other NSW government agency involved in the breach (if any)
- Contact details to speak to someone about the breach
How long information is published
Information on this Register is required by the Act to be published for 12 months. No information will be shown on this page if there are no notifications currently required to be published.
Making a privacy complaint
Please note that the department has already formally notified the NSW Privacy Commissioner of each data breach published on this Register.
A person affected by a data breach can also lodge a privacy complaint with the department for the department to investigate. For information on making a privacy complaint to the department please visit Privacy Information and Forms.
Alternatively, to make a privacy complaint to the NSW Privacy Commissioner please see https://www.ipc.nsw.gov.au/privacy .