MNDB guidelines released for agencies

Three new guidelines have been released for Queensland public sector agencies, outlining further details about the incoming Mandatory Notification Data Breach (MNDB) scheme.

This is a key change brought about by the Information Privacy and Other Legislation Amendment Act 2023 (IPOLA).

The MNDB scheme will apply to agencies from 1 July 2025, and local government will follow 12 months later.

The scheme will require agencies to take certain actions when they know, or reasonably believe, that a data breach has occurred, keep an eligible data breach register, and publish a data breach policy.

The three new MNDB guidelines are available on the OIC website and include:

• Mandatory Notification of Data Breach (PDF, 610.44 KB)
• Data Breach Registers and Policies (PDF, 643.18 KB)
• Exemptions (PDF, 579.96 KB)

Key subjects covered in the guidelines include definitions of a data breach, eligible data breach, and serious harm; agency obligations when a data breach occurs or is suspected; notification to affected individuals and the Information Commissioner; publishing and reporting requirements; data breach policies; and assessing whether an exemption may apply.

Agencies are required to develop a data breach policy and disclosure register in preparation for the MNDB scheme. Agencies should also be aware that cooperation from multiple business units could be required to handle such matters, including:

• privacy
• right to information
• ICT management and cyber security
• human resources
• procurement and contract management
• legal
• integrity, risk, governance and ethics
• key senior executives.

OIC will continue to roll out IPOLA Guidelines, associated resources and training (coming soon), and update subscribers through the weekly newsletter.