Data breaches

Mandatory Notification of Data Breaches Scheme

Part 6A of the Privacy and Personal Information Act 1998 (NSW) (PPIP Act) establishes the Mandatory Notification of Data Breaches Scheme (MNDB scheme) which Council is required to adhere to.

The MNDB scheme requires Council to notify affected individuals and the Privacy Commissioners when certain data breaches occur. Refer to this IPC Factsheet for detailed information about the MNDB scheme and the different obligations it imposes.

What is a data breach?

A data breach occurs when your personal information that is held by Council is accessed or disclosed in a way that it shouldn’t have been (e.g. where it is lost, stolen, or given to the wrong person). This IPC Factsheet outlines what personal information is, provides examples of what actions could lead to a breach, what actions could cause serious harm, and your rights as an affected person.

Data Breach vs Privacy Complaint

If you suspect Council has disclosed your personal information in a way it shouldn’t have, or you believe Council has disclosed someone else’s personal information (because for example you received another person’s information in error), you can notify Council of a suspected data breach by completing this form. Please note, this report will only serve to notify Council of the suspected breach. Council will acknowledge your report within 5 working days of your submission and advise you of the process going forward. Council is required to undertake an assessment within 30 calendar days as to whether the suspected data breach would pose serious risk of harm to affected individuals. The outcome of the assessment would result in response actions that Council would manage as agreed for each individual incident.

If you have experienced harm as a result of a data breach and want to make a complaint, you can lodge a privacy complaint and Council will investigate it in accordance with its Privacy Management Plan. With privacy complaints, Council is required to complete its investigation within 60 days. The outcome of the investigation would result in findings and different options available, and how Council proceeds would depend on the options chosen by the complainant.

Data Breach Policy

Council’s Data Breach Management Protocol and Guidelines outline Council’s commitments to managing Council’s response to data breaches.

Public Notification Register

In compliance with section 59P of the PPIP Act, Council keeps this Public Notification Register(XLSX, 16KB) and information in it is published for 12 months after each incident.

A public notification is provided when it is not reasonably practicable to notify any or all of the individuals affected by the breach directly. If a notification of a data breach is published on this Register, it can be assumed that Council has already formally notified the Privacy Commissioner of that data breach.

No information will be shown on this page if there are no notifications currently required to be published.