Posted on October 17, 2024 by Megan Hawley and Samantha Hainke
REMINDER: Requirements of the Mandatory Data Breach Notification Scheme for Public Sector Agencies
The Mandatory Notification of Data Breach Scheme (MNDB Scheme) is a mandatory notification requirement under the Privacy and Personal Information Protection Act 1998 (PPIP Act) for NSW public sector agencies, including all NSW agencies and departments, statutory authorities, local councils, state-owned corporations, and Ministers’ offices in the event of an ‘eligible data breach’.
NSW public sector agencies are required under the MNDB Scheme to notify affected individuals and the Privacy Commissioner when there has been an ‘eligible data breach’. The MNDB Scheme also includes other data management requirements, including maintaining an internal data breach incident register, and having a publicly accessible data breach policy (DBP).
The MNDB scheme applies to ‘personal information’ as defined in section 4 of the PPIP Act, meaning:
‘information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’
It also applies to ‘health information’ as defined in section 6 of the Health Records and Information Privacy Act 2002.
In some cases, public sector agencies will have notification obligations under both the MNDB Scheme and the Commonwealth’s Notifiable Data Breach scheme, contained in Part IIIC of the Privacy Act 1988 (Privacy Act).
It important that all NSW public sector agencies are aware of their notification obligations under the PPIP Act and Privacy Act and general managers of councils should ensure that appropriate delegations are in place so that the relevant council officers have the authority to make decisions quickly and take immediate action where required.
What is an ‘eligible data breach’?
An ‘eligible data breach’ occurs where:
- there is unauthorised access to, or an unauthorised disclosure of, personal information held by a public sector agency or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information; and
- a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.
Serious harm occurs where the harm arising from the eligible data breach has, or may, result in a real and substantial damaging effect to the individual. The effect on the individual must be more than irritation, annoyance or inconvenience. Harm to an individual includes physical harm, economic, financial or material harm, emotional or psychological harm and reputational harm.
Determining whether serious harm has occurred as a result of a data breach will vary on a case by case basis.
Overview of the MNDB Scheme
Where any agency officer becomes aware, or has reasonable grounds to suspect that an eligible data breach has occurred, that officer must immediately report the suspected breach to the head of the agency or their delegate.
For a local council, the relevant head of the agency is its general manager appointed under s334 of the Local Government Act 1993. However, the general manager may also delegate their authority to another appropriate council officer.
The head of the agency or delegate must immediately make all reasonable efforts to contain the data breach, and carry out an assessment of whether there are reasonable grounds to believe that the suspected data breach is an eligible data breach. This assessment must be completed within 30 days.
During an assessment, the head of the agency or delegate must make all reasonable attempts to mitigate the harm caused by the suspected breach.
The Information and Privacy Commission (IPC) has issued a suite of guidelines to guide public sector agencies through the considerations necessary for determining whether an eligible data breach has occurred and whether the threshold for serious harm has been met. Agencies must have regard to the guidelines prepared by the Privacy Commissioner when conducting an assessment under Part 6A of the PPIP Act.
Where a data breach has been assessed as an ‘eligible data breach’, agencies must:
- notify the Privacy Commissioner immediately, using the form approved by the Privacy Commissioner available on the IPC website,
- notify affected individuals as soon as practicable.
Record Keeping
Public sector agencies are also required under the MNDB Scheme to maintain each of the following:
- a public DBP, setting out how the agency will respond to data breaches;
- a public register of data breach notifications issued by the agency; and
- an internal register of eligible data breaches at the agency.
Data Breach Policy
Under the MNDB Scheme, a DBP is a documented policy or plan setting out how an agency will respond to a data breach. Agencies are required to prepare a DBP under section 59ZD of the PPIP Act. A DBP should establish the roles and responsibilities of agency staff in relation to managing a breach, and the steps the agency will follow when a breach occurs.
The purpose of publishing the DBP under the MNDB Scheme is to enhance transparency and ensures agencies remain accountable for the way they respond to data breaches, facilitate public trust and confidence in the government and the services it provides.
A DBP will need to outline an agency’s overall strategy for managing data breaches, and should include at a minimum each of the following:
- how the agency has prepared for a data breach;
- a clear description of what constitutes a breach;
- strategy for containing, assessing, and managing eligible data breaches;
- roles and responsibilities of staff members;
- record keeping requirements; and
- post-breach review and evaluation.
Public sector agencies are required to ensure their DBP is publicly accessible which means councils and public sector agencies should publish their DBP on their website.
The MNDB Scheme commenced on 28 November 2023 following a 12-month transition period from the assent of the Privacy and Personal Information Protection Amendment Bill 2022. We discussed the privacy bill which introduced MNDB Scheme for public sector agencies in this post here.
The guidelines published by the IPC regarding the MNDB Scheme are available here.
If you have any questions in relation to this post, please leave a comment below or contact Megan Hawley on 02 8235 9703 or Samantha Hainke on 8235 9727.
Leave a comment
in focus comments policy
LTL welcomes your feedback and comments on our posts. all comments, however, will be moderated and we reserve the right not to publish any comment for any reason.
LTL in focus is primarily designed for public sector and development professionals dealing in the fields of planning, environment and government. you may, therefore, wish to consult your organisation’s social media policy before you post any comments. it should go without saying that we expect all comments to maintain a level of respect and professional courtesy.
Please note we are unable to provide specific legal advice via these comments. If you wish to engage us to provide legal advice on a matter, please contact our office directly.
In making a comment you are required to provide your email address, this will not be published on the site. if the moderator chooses to publish your comment, the name you provide will be published with your comment – it is your choice whether you provide your full name or just your first name. if you provide your full name, we may seek to verify your identity prior to publication of your first comment. If you wish your comment to be directed only to the author or moderator please make that clear – marking it NFP or Not For Publication is the easiest way. thank you for your support and happy reading – matthew mcnamara, ceo.