Data Breach Public Notification Register
Mandatory Notification of Data Breach (MNDB) Scheme
Part 6A of the Privacy and Personal Information Protection Act 1998 (PPIP Act) establishes the MNDB Scheme. Find out more about the MNDB Scheme.
When information about data breaches is published on this Register
Section 59P(2) of the PPIP Act requires NESA to maintain a Public Notification Register.
Under sections 59N(2) and 59P(3), details of eligible data breaches must be published on this Register when the Act requires NESA to notify individuals affected by a data breach but it is not possible (or not reasonably practicable) to notify them individually. The Act also requires NESA to include certain information on the Register.
What information is published
Where a public notification is made on this Register, section 59P(3)(b) requires the following information (as set out in section 59O) to be recorded on the Register, except to the extent it contains personal information or would prejudice NESA’s functions:
- The date the breach occurred
- A description of the breach
- How the breach occurred
- The type of breach that occurred (unauthorised disclosure, unauthorised access or loss of information)
- The personal information involved in the breach
- How long the information was disclosed or accessible
- Action taken or planned to ensure the personal information is secure, or to control or mitigate the harm done to the individual
- Any recommendations about the steps an individual should take in response to the eligible data breach (if any)
- Information about requesting an internal review or making a privacy complaint (see below)
- The name of the agency the subject of the breach
- Where more than one agency was the subject of the breach, the names of any other agencies involved, and
- Contact details for:
  - the agency the subject of the breach, or
  - a person nominated by the agency for an individual to contact about the breach.
How long the information remains on the Register
The PPIP Act requires the information to be retained on the Register for at least 12 months after the date the notification is published. No information will appear on the Register if there are no notifications currently required to be published.
Public Notification Register
| Date of breach |  |  |
| --- | --- | --- |
| Description of breach |  |  |
| How the breach occurred |  |  |
| Type of breach |  |  |
| Personal information involved |  |  |
| Length of time disclosed or accessible |  |  |
| Action taken or planned to ensure the personal information is secure, or to control or mitigate the harm |  |  |
| Recommended steps |  |  |
| Name of agency involved |  |  |
| Other agencies involved |  |  |
| Contact details |  |  |
| File reference number |  |  |
Requesting an internal review or making a privacy complaint
Please note that NESA has already formally notified the NSW Privacy Commissioner of each eligible data breach appearing on this Register. A person affected by a data breach may lodge an application for internal review with NESA. To request a privacy internal review:
- download the Privacy Complaint: Internal Review Application Form (PDF 171.89KB)
- complete it; and
- send it to the Privacy Officer
Alternatively, to make a privacy complaint to the NSW Privacy Commissioner please contact the Information and Privacy Commission NSW (IPC NSW).