Mandatory Notification of Data Breach (MNDB) Scheme
Part 6A of the Privacy and Personal Information Protection Act 1998 (PPIP Act) establishes the MNDB Scheme. Find out more about the MNDB Scheme.
When information about data breaches is published on this Register
Section 59P(2) of the PPIP Act requires agencies to maintain a Public Notification Register.
Under sections 59N(2) and 59P(3), details of eligible data breaches must be published on this Register when the Act requires NSW SES to notify individuals affected by a data breach but it is not possible (or not reasonably practicable) to notify them individually. The Act also requires NSW SES to include certain information on the Register.
What information is published
Where a public notification is made on this Register, section 59P(3)(b) requires the following information (as set out in section 59O) to be recorded on the Register, except to the extent it contains personal information or would prejudice NSW SES’s functions:
- The date the breach occurred
- A description of the breach
- How the breach occurred
- The type of breach that occurred (unauthorised disclosure, unauthorised access or loss of information)
- The personal information involved in the breach
- How long the information was disclosed or accessible
- Action taken or planned to ensure the personal information is secure, or to control or mitigate the harm done to the individual
- Any recommendations about the steps an individual should take in response to the eligible data breach (if any)
- Information about requesting an internal review or making a privacy complaint (see below)
- The name of the agency the subject of the breach
- Where more than one agency was the subject of the breach, the names of any other agencies involved, and
- Contact details for:
  - the agency the subject of the breach, or
  - a person nominated by the agency for an individual to contact about the breach.
How long the information remains on the Register
The PPIP Act requires the information to be retained on the Register for at least 12 months after the date the notification is published. No information will appear on the Register if there are no notifications currently required to be published.
Public Notification Register
Date of breach | ...... | ...... |
Description of breach | | |
How the breach occurred | | |
Type of breach | | |
Personal information involved | | |
Length of time disclosed or accessible | | |
Action taken or planned to ensure the personal information is secure, or to control or mitigate the harm | | |
Recommended steps | | |
Name of agency involved | | |
Other agencies involved | | |
Contact details | | |
File reference number | | |