The Mandatory Notification of Data Breach (MNDB) Scheme will come into effect on 28 November 2023. It requires public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm. It also applies to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988. Agencies are required to:
- immediately make all reasonable efforts to contain a data breach
- undertake an assessment within 30 days where there are reasonable grounds to suspect there may have been an eligible data breach
- during the assessment period, make all reasonable attempts to mitigate the harm done by the suspected breach
- decide whether a breach is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach
- notify the Privacy Commissioner and affected individuals of the eligible data breach
- comply with other data management requirements.
In support of these obligations, the IPC has released the Data Breach Notification to the Privacy Commissioner form, which sets out the information that agencies must supply to the Privacy Commissioner when making a notification of an eligible data breach.
Agencies need to prepare and publish a data breach policy in compliance with section 59ZD. The Data Breach Policy should set out how the agency will respond to a data breach. It should establish the roles and responsibilities of agency staff in relation to managing a breach and the steps the agency will follow if a breach occurs. The IPC has released a Guide to preparing a data breach policy.
The Privacy Commissioner has released a webinar for local councils, universities, statutory corporations and agencies to assist them in preparing for the upcoming MNDB Scheme. The webinar can be watched via the IPC’s YouTube channel.