Agencies lodging a voluntary or mandatory data breach notification
The Office of the Information Commissioner (OIC) oversees the Mandatory Notification of Data Breach (MNDB) scheme, which includes monitoring and, if necessary, investigating compliance with the scheme
Under the MNDB scheme, Queensland public sector agencies must:
- assess suspected data breaches to determine whether they meet the threshold for notification
- take steps to contain the breach and mitigate the harm to impacted individuals
- comply withany obligation to notify affected individuals and OIC of an eligible data breach
- report voluntarily if a breach does not meet the threshold, but the agency still considers notification appropriate for transparency or risk mitigation.
OIC reviews notifications to monitor compliance with these obligations.
We may provide guidance, request further information, or initiate further regulatory action where necessary. Agencies and individuals can find detailed information on breach assessment and notification steps on the OIC’s privacy principals page.
What is an eligible data breach?
An eligible data breach occurs when there is unauthorised access, disclosure or loss of personal information that is likely to result in serious harm to the individual affected.
Use the MNDB assessment tool to help you decide whether a data breach may be eligible under the scheme.
Lodging a data breach notification
If you believe your agency has experienced an eligible data breach incident:
- Log into the OIC Agency Portal
- Lodge a data breach notification via the data breach notification form.
In certain circumstances, an agency may be exempt from notifying OIC of a data breach.
