Council Circular 24-06 Privacy and the Mandatory Notification of Data Breach Scheme

Circular Details24-06 / 29/05/2024 / A899914
Who should read thisCouncillors / General Managers / Governance and records staff / all council staff
ContactCouncil Governance Team / 02 4428 4100 /
Action requiredCouncil to Implement
PDF Version24-06 Privacy and the Mandatory Notification of Data Breach Scheme

What’s new or changing

  • The Mandatory Notification of Data Breach Scheme (MNDB Scheme) commenced on 28 November 2023 following a 12-month transition period.

What this will mean for your council

  • The MNDB Scheme is a mandatory notification requirement under the Privacy and Personal Information Protection Act 1998 for NSW public sector agencies (including councils) in the event of an ‘eligible data breach’.
  • Any officer or employee of a public sector agency with reasonable grounds to suspect that an eligible data breach has occurred must immediately report the suspected breach to the head of the agency or their delegate.
  • The agency head must then carry out an assessment of whether there are reasonable grounds to believe that the suspected data breach is in fact an eligible data breach. This assessment must be completed within 30 days.
  • Under the MNDB Scheme, an agency must notify the affected individuals and the Privacy Commissioner when there has been an eligible data breach.

Key points

  • Personal information for the purposes of the MNDB Scheme includes ‘health information’.
  • Notifications to the Privacy Commissioner of a data breach or any updates must be made using the approved form/s.
  • General managers should ensure that appropriate delegations are in place so that the right people have the authority to make decisions quickly.
  • Information requirements when notifying affected individuals in relation to an eligible data breach are set out in the scheme.
  • Under the MNDB Scheme, councils are to satisfy other data management requirements, including maintaining an internal data breach incident register, and having a publicly accessible data breach policy (DBP).
  • Councils are required to ensure their DBP is publicly accessible which means Councils should publish their DBP on their website.
  • The MNDB Scheme will improve public trust and help mitigate the impact of data breaches when they occur by providing greater transparency, improving agencies’ response to data breaches, and empowering affected individuals to take steps of their own to manage risks that might arise from a breach.

Where to go for further information

  • Further information about the details of the scheme, councils’ obligations and resources available to assist are available from the Information and Privacy Commission at its MNDB Resources page.

Brett Whitworth

Deputy Secretary

Office Local Government