In effect from: 31 July 2025

Mandatory notification of data breach

Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.

The MNDB scheme will not apply to local government until 1 July 2026. Until then, local government should refer to the section at the end of this page, Privacy breach management for local government, for guidance on managing privacy breaches.

Agencies must use the OIC agency portal when making a data breach notification.

Data breaches and eligible data breaches

Chapter 3A of the IP Act applies to personal information in a document held by an agency, unless the personal information is contained in a document to which the privacy principle requirements do not apply.

For chapter 3A, a data breach occurs if there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where there is likely to be unauthorised access to, or unauthorised disclosure of, the personal information.

A data breach will be an eligible data breach if the actual or potential unauthorised access to, or disclosure of, personal information is likely to result in serious harm to an individual to whom the personal information relates (an affected individual).

Documents held by contracted service providers

Chapter 2, part 3 of the IP Act requires agencies to bind some service providers to comply with the privacy principles requirements in the IP Act. This does not include the MNDB scheme, but because the MNDB scheme applies to personal information in documents held by an agency, a data breach by a service provider may be a data breach of the agency, depending on the nature of the service and the contract.

When entering into new or reviewing existing contracts, agencies should consider the specific circumstances of the contract, the kinds of personal information involved, and the relevant operating environment. This will help identify whether to include contractual data breach arrangements, eg:

  • an obligation to promptly report data breaches
  • a requirement to contain and mitigate data breaches; and
  • a requirement to assist and cooperate with the agency’s data breach assessments.

When reviewing contracts, agencies should consider if the existing terms will address these points and seek amendment or modification where appropriate.

Service providers and the Commonwealth notifiable data breach scheme

Some private sector entities are subject to the Commonwealth Notifiable Data Breach scheme and other obligations in the Privacy Act 1988 (Cth). However, section 7B(5) of that Act provides an exemption for acts done, or practices engaged in, for a contract with a State or Territory authority.

Queensland government agencies are State authorities within the meaning of the Privacy Act 1988 (Cth). As such, it is important that agencies do not attempt to rely on a service provider’s Commonwealth privacy obligations; appropriate privacy and data breach terms must be included in the contract.

MNDB Scheme Obligations

If an agency knows or reasonably suspects that a data breach is an eligible data breach, it must immediately take, and continue to take, all reasonable steps to contain and mitigate the data breach.

If an agency knows or reasonably believes that the data breach is an eligible data breach, the agency must notify the Information Commissioner and particular individuals as soon as practicable unless an exemption applies.

If an agency is not certain whether a data breach is an eligible data breach, it must, within 30 days, assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.

Contain and mitigate

If an agency knows or reasonably suspects that a data breach is an eligible data breach involving personal information held by the agency, it must immediately take, and continue to take, all reasonable steps to contain the data breach and mitigate its harm. This can include:

  • making efforts to recover the personal information
  • securing, restricting access to, or shutting down breached systems
  • suspending the activity that led to the data breach; or
  • revoking or changing access codes or passwords.

If a third party is in possession of the personal information and declines to return it, it may be necessary to seek legal advice on what actions can be taken to recover the information. When recovering information, agencies should also take steps to ascertain whether the information has been shared or disseminated and ensure copies have not been made or that all copies are recovered.

Agencies should ensure that containing an eligible or suspected eligible data breach does not destroy information that may be required for an internal or external investigation into the breach.

An agency’s data breach policy should clearly identify the steps to be followed in responding to, containing, and mitigating an eligible or suspected eligible data breach, including appropriate escalation pathways. Depending on the circumstances of the data breach and the agency’s data breach policy, this may include informing:

  • immediately, the agency’s privacy officer and/or senior management responsible for the area in which the breach occurred; and
  • the head of the agency, and senior personnel responsible for information security, communications, legal services, human resources, and employee misconduct (eg internal audit, ethical standards or Crime and Corruption Commission liaison officer), as appropriate.

Assess the breach

If an agency does not know but reasonably suspects that a data breach is an eligible data breach, it must assess whether there are reasonable grounds to believe it is an eligible data breach. This assessment must be completed within 30 days unless the assessment time is extended under section 49 of the IP Act.

An agency’s assessment and reasons for its decision about whether a data breach is an eligible data breach should be recorded in writing and include the material facts of the specific breach. The assessment should address the matters listed in section 47(2) of the IP Act and any other relevant factors.

Data breaches affecting another agency

If the agency becomes aware that an eligible or suspected eligible data breach may affect another agency, it must give the other agency a written notice of the data breach that includes:

  • a description of the data breach; and
  • a description of the kind of personal information involved in the data breach, without including any personal information in the description.

Notification obligations

If an agency knows or reasonably believes that there has been an eligible data breach involving personal information held by the agency, it must:

  • prepare a statement which includes the information stated in section 51(2) of the IP Act
  • give the statement to the Information Commissioner; and
  • notify individuals whose personal information was involved in the breach, including the information in section 53(2) of the IP Act.

Exemptions from notification obligations

The MNDB scheme includes exemptions from some or all of its notification obligations.

Additional notification

Depending on the nature of the information and the circumstances of the breach, it may be appropriate to notify other entities of a data breach.

Information Commissioner's role

Chapter 3A, part 4 of the IP Act sets out the Information Commissioner's role in relation to eligible data breaches, including:

  • giving directions and recommendations to agencies when certain criteria are satisfied; and
  • monitoring and investigating agency compliance with the MNDB scheme.

Non-eligible data breaches and voluntary reporting to OIC

Prior to the commencement of the MNDB scheme, OIC administered a voluntary data breach reporting scheme. With the commencement of the MNDB scheme, OIC continues to encourage agencies to advise the OIC of data breaches that do not meet the threshold of an eligible data breach.

Information gathered from voluntary reports will allow OIC to provide agencies with assistance and advice in relation to a data breach and to assist the Information Commissioner in fulfilling their broader performance and monitoring statutory functions under section 135, including:

  • promoting understanding of and compliance with the privacy principles
  • providing best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act
  • conducting compliance audits to assess relevant entities’ compliance with the privacy principles
  • initiating privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment
  • commenting on any issues relating to the administration of privacy in the public sector environment; and
  • issuing guidelines about any matter relating to the Information Commissioner’s functions, including guidelines on how the IP Act should be applied and on privacy best practice generally.

Assessing the data breach

When an agency becomes aware of a data breach, it must assess it and objectively decide if the known circumstances support knowledge, reasonable belief, or reasonable suspicion that the data breach is an eligible data breach of the agency.

There are many different ways that an agency may become aware of a data breach. Depending on the circumstances, the agency may only have enough initial information to reasonably suspect they have experienced an eligible data breach.

If the agency only suspects that a data breach may be an eligible data breach, it will need to conduct further enquiries and examinations to determine whether it is an eligible data breach. An agency’s assessment and any decisions made should be recorded in writing and include the material facts of the specific breach.

This assessment must be completed within 30 days from the date the agency became aware of the data breach.

Reasonable belief or suspicion

Whether or not there are reasonable grounds to believe or suspect that a data breach is an eligible data breach will depend on the facts specific to each incident.

A reasonable belief that a data breach is an eligible data breach requires an objective view and a fair, proper, and moderate approach to ensure all known and relevant facts, circumstances, and considerations are identified and properly balanced. There will be reasonable grounds to believe that a data breach is an eligible breach if the available facts would be sufficient to persuade a reasonable person.

A reasonable suspicion, however, does not require the same level of certainty and evidence as a reasonable belief, but the agency must still have some factual basis for deciding that there is a reasonable suspicion that a data breach is an eligible data breach. It must be more than a possibility.

Has there been unauthorised access, disclosure or loss

Unauthorised access to personal information occurs when information held by an agency is accessed by someone who is not authorised to do so. For example:

  • Within an agency, if an employee browses agency records relating to a family member, a neighbour, or a celebrity without a legitimate purpose.
  • Between agencies, if a team at one agency is provided with access to systems and data of a second agency as part of a joint project and a team member uses that access for reasons other than the project.
  • Outside an agency, if information is compromised during a cyberattack and intentionally accessed by a person external to the agency.

Unauthorised disclosure occurs when an agency intentionally or unintentionally discloses personal information without authority. For example:

  • An agency software update, conducted by the agency or a third party service provider, results in the unintended publication of customer records containing personal information on the agency’s website.
  • An agency intends to provide de-identified information to a researcher and accidentally sends the data with personal identifiers included.
  • An agency discloses an individual’s personal information to a third party who is not the intended recipient, eg by emailing it to the wrong address.
  • A database containing personal information hosted in a cloud environment or a web-facing application lacks appropriate access controls, disclosing personal information to unauthorised individuals.

Unauthorised access and disclosure are not mutually exclusive and can occur as a result of the same breach or chain of events. For example, if an agency mistakenly discloses personal information via a webform on its internet site and a third party can view the information, this may be unauthorised disclosure and unauthorised access.

Loss of personal information involves an agency no longer having possession or control of the information. Loss may occur because of a deliberate or accidental act or omission of an agency, or due to the deliberate actions of a third party. For example:

  • An agency sells or disposes of a physical asset, such as a laptop or filing cabinet, that contains an individual’s personal information.
  • An agency employee accidentally leaves a device, such as a USB or external drive, containing personal information on public transport.
  • A device containing personal information is stolen from an agency’s premises or an employee’s home.

Loss of personal information will only be a data breach if it is likely to result in unauthorised access to, or disclosure of, the information. If the personal information is inaccessible, or the agency can confirm it was destroyed, it is unlikely to be a data breach, for example:

  • Agency documents containing personal information are destroyed in a natural disaster (eg a bushfire or flood event).
  • A password protected laptop containing client files is left on public transport but is handed in and the agency is able to establish there was no access to the stored information.
  • A USB containing personal information is lost, but security measures are in place, such as the data being encrypted or protected by a strong password.
  • A tablet device containing a client’s records is stolen from an agency employee’s home, but it is only accessible via multifactor authentication.

Is it likely to result in serious harm

A data breach will be an eligible data breach if it will result or is likely to result in serious harm to some or all of the affected individuals. Serious harm is likely to result if the risk of serious harm is more than merely possible; it must be more probable than not to occur. It is an objective test to be determined on the facts of the specific breach, taking into account the section 47(2) matters.

Agencies do not need to identify the specific individuals who may be harmed in order to determine that serious harm is likely to result for one or more individuals. A data breach affecting a large number of individuals may be an eligible data breach even if the personal information involved is not highly sensitive, if the agency concludes that serious harm is likely to result for some of the individuals.

If doubt or ambiguity exists about whether a data breach is likely to result in serious harm, agencies should err on the side of caution and treat the data breach as an eligible data breach.

Serious harm is defined in schedule 5 of the IP Act as including:

  • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure; or
  • serious harm to the individual's reputation because of the access or disclosure.

This is not an exhaustive definition and other kinds of harm can meet the serious threshold. Serious harm occurs where the harm arising from the data breach causes, or may cause, substantial detrimental effect to an individual. This requires more than mere irritation, annoyance, or inconvenience.

Serious harm is not limited to physical harm or a threat to physical safety; it can include, for example, emotional or reputational harm.

How to conduct the assessment

The best way to assess a data breach will depend on the circumstances; however, an assessment should generally involve:

  • gathering information about the breach
  • analysing information with regard to the factors which influence the likelihood of serious harm; and
  • making a decision on whether the gathered information and analysis supports knowledge, reasonable belief, or reasonable suspicion that the data breach is eligible.

Gathering information

Agencies will need to collect information relevant to the data breach, which may involve:

  • determining the cause of the breach
  • identifying the types of personal information accessed, disclosed or lost
  • investigating IT systems, eg by assessing audit logs or other records
  • determining the extent of the breach; and
  • contacting relevant stakeholders.

Analysis

Analysis requires reviewing the collected information to identify the context of the breach, including the type and amount of personal information and the number of individuals who may be affected. The analysis should also consider the potential impact on affected individuals, including:

  • actual or potential harms to individuals whose personal information is involved in the breach
  • the seriousness of that harm; and
  • the likelihood that the harm will occur.

Agencies must take the matters listed in section 47(2) into account when determining whether a breach is likely to result in serious harm. The section 47(2) matters are:

  • the kind of personal information accessed, disclosed or lost
  • the sensitivity of the personal information
  • whether the personal information is protected by one or more security measures
  • if the personal information is protected by one or more security measures, the likelihood that any of those security measures could be overcome
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information
  • the nature of the harm likely to result from the data breach; and
  • any other relevant matter.

Other relevant matters include:

  • the type of personal information accessed, disclosed or lost, and whether a combination of types of personal information might lead to increased risk
  • the amount of time the information was exposed or accessible, including the amount of time information was exposed prior to the agency discovering the breach
  • the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm)
  • the circumstances in which the breach occurred; and
  • actions taken by the agency to reduce the risk of harm following the breach.

The types of personal information accessed, disclosed or lost

Regard must be had to the kind of personal information involved in the breach, because some kinds of personal information pose a higher risk of harm when compromised.

If a data breach involves identity credentials, documents such as passports, driver licences or Medicare cards, or financial information, eg credit card numbers or bank account details, agencies should be alert to a heightened risk of harm. This kind of information can be used to commit identity theft, fraud, or other financial crimes, so a data breach involving it is more likely to result in serious harm than a breach involving an email address or mobile phone number.

The sensitivity of the personal information

The IP Act contains specific rules for the collection, use and disclosure of sensitive information, such as racial or ethnic origin, political opinions or associations, religious beliefs or affiliations, and sexual orientation or practices. Data breaches involving these types of personal information may be more likely to result in serious harm.

Additionally, there are other types of personal information that do not meet the IP Act definition of sensitive information, but can still lead to more significant risk of harm, eg personal information related to a certain vulnerability which could result in an individual suffering prejudice if it was made public.

The level of risk will often depend on the circumstances. For example, historical health information related to treatment for a minor injury may not indicate a significant risk of harm, unless it is relevant to an individual’s employment and could negatively affect their career if misused.

Whether the personal information is protected by one or more security measures

Generally, robust encryption will decrease the risk of serious harm, but it can be further decreased by other measures, such as controls restricting access and the ability to remotely remove or wipe data.

When considering the effect of security measures on the risk of harm, agencies should take into account the strength and effectiveness of the measure and the potential ability of the person in possession of the information to circumvent it. For example, encrypted data accidentally disclosed to the wrong recipient will have a very different assessment of risk from a hacker gaining access to information protected by a weak security measure.

The likelihood that any security measures could be overcome

As discussed above, agencies need to be aware that not all security measures will remove or significantly decrease the risk of harm. Agencies will need to assess the perceived strength of any encryption and the anticipated abilities of any unauthorised recipient to negate or circumvent the security measures. For example, weak password protection will create a higher level of risk than protection by industry recognised security or encryption measures.

The persons, or kinds of persons, who have obtained, or who could obtain, the personal information

If an agency has information about the identity or motives of people who have, or may have had, access to the personal information, it will be able to make a more thorough assessment of the likelihood of serious harm. For instance, personal information obtained through a targeted cyber-attack is more likely to result in serious harm to an individual than a breach which involves the same type of information being incorrectly emailed to a trusted recipient, such as a law firm or another agency.

The existence of a relationship between the individual to whom the personal information relates and the recipient of the information may increase the risk of serious harm. For example:

  • a breach involving medical information being disclosed to a family member or colleague, as it may cause distress or embarrassment; or
  • disclosure of an individual’s address to the individual’s former partner where there has been a history of domestic or family violence.

For data breaches involving a cyber element, agencies should be alert to a higher risk of harm compared to breaches caused by human or system errors. The complexity of a cyber breach can be an indicator of the level of criminal intent behind the breach.

If personal information is posted online following a cyber breach, it is dangerous to assume that the posted information is the only information which was accessed. Consideration should be given to all personal information held in the breached system.

The Office of the Australian Information Commissioner noted in its Notifiable data breaches report – January to June 2024 that trusting any assurances given by a cyber threat actor, or relying on assumptions when facts regarding a person’s intent cannot be established, can result in agencies inaccurately assigning a lower risk of harm.

The nature of the harm likely to result from the data breach

The types of harm that can occur as a result of a data breach will vary depending on the circumstances of the breach, including its cause, the personal information involved, and the individuals affected.

Financial loss

Financial loss can occur through identity theft or other fraud, eg loss of money or assets as a result of phishing or other scams. It can also result from the cost of responding to a data breach, eg reissue of identity documents, legal fees, or the cost of assistance with psychological or medical issues arising from the breach.

In cases involving physical or safety related harms, it could also include the cost of increasing personal security or relocating.

Identity theft

Identity theft can result in more than just financial loss, as the stress and time associated with restoring an individual to the state they were in before the breach can cause significant harms.

A stolen identity can also result in an inability to access online or other services, eg if the identity theft involves someone using an individual’s login details to take over the individual’s account. Identity theft can also result in:

  • creation of fraudulent government documents
  • gaining access to an individual’s banking and other financial accounts
  • taking over social media profiles and accounts
  • opening bank accounts in the victim’s name
  • obtaining credit or loans in the victim’s name; and
  • using the above examples to conduct additional criminal activity linked to the victim’s identity.

Emotional harm

Data breaches involving the publication of personal information can result in different kinds of emotional harm, particularly where it involves personal information the individual kept private or only shared with a trusted group of people. For example, information about students’ learning difficulties being released to members of a school community could result in distress and embarrassment to the involved students.

Disclosure of sensitive information, such as information relating to health or sexual orientation or practices, is more likely to result in serious emotional distress and embarrassment, which can have serious detrimental impacts on mental and physical wellbeing.

Reputational damage

Disclosure and misuse of personal information can result in individuals experiencing reputational damage, particularly if it causes embarrassment or is damaging to their career, social standing, or their professional or business reputation. For example, an employer might misuse personal information disclosed in a data breach to deny an individual a job, resulting in missed employment or career development opportunities.

Physical and personal safety harms

Some data breaches may lead to risks of serious harm to an individual’s physical and personal safety. These harms could occur, for example, where the disclosure of personal information identifies an individual’s home or work address, and due to the individual’s occupation or association with certain people, makes them susceptible to the risk of physical harm or being the victim of offences, such as stalking or harassment.

Domestic and family violence related harms

Data breaches also have the potential to increase the risk of harms related to domestic and family violence. For example, a breach that involves the disclosure of a family violence victim’s new address to the perpetrator of the violence could result in serious harms by exposing them to further family violence.

Other relevant matters

As discussed above, the list of matters in section 47(2) is non-exhaustive and includes any other relevant matters. Examples of other potentially relevant matters are discussed below.

Combination of personal information

Agencies should be aware that combinations of personal information can create a higher risk of serious harm compared to the release of one piece of information. For example, a breach involving contact details may not result in a risk of serious harm, but if the breach also involved those individuals’ health information there could be a risk of serious harm through embarrassment, prejudice, or susceptibility to being targeted for scams.

The combination of personal information can also increase the risk of personal information being used for impersonation activity, eg by using a combination of name, date of birth and other information to circumvent identity or user verification processes, allowing unauthorised access to the individual’s user accounts.

The amount of time the information was exposed or accessible

The amount of time that has elapsed between the data breach and the agency discovering it may be relevant to the consideration of the likelihood of serious harm. If the breach involves personal information being publicly available, the likelihood of serious harm to an individual will generally increase the longer the information was available.

Circumstances and vulnerabilities of the affected individuals

Another factor which may be relevant to determining the likelihood of serious harm is whether the involved individuals have any specific vulnerabilities or personal issues that make them more susceptible to harm, and/or less able to take action to protect themselves. This could include age, physical or mental health, disability, literacy issues, homelessness, financial difficulties, or a higher susceptibility to being a target due to the individual’s profession.

While these types of considerations primarily arise in smaller breaches, where agencies will be in a position to specifically consider each individual, breaches involving larger numbers of people may require an agency to consider that some people in the affected group will be more susceptible than others.

The actual individuals impacted

Similar to consideration of an individual’s specific vulnerabilities, agencies should also consider whether a data breach is more likely to result in harm due to the actual individuals involved. For example, a breach involving an individual’s email address, the disclosure of which would generally not result in serious harm, may cause serious harm if it is disclosed to someone with a history of harassing the individual.

The scale or size of the breach

The size of the breach, or the number of people involved, may impact the level of risk. For breaches involving large numbers of people and/or large amounts of personal information, it may be appropriate to consider that, due to the number of individuals involved, it is highly likely at least one of them will be at risk of serious harm.

Whether the type of breach affects the sensitivity of the information

The circumstances of the breach may change the level of risk or sensitivity that would normally be associated with certain types of information. This could occur when an individual’s name is released in association with a particular group or association, or when an individual’s information is linked to treatment for a physical or mental health issue.

Harm reduction actions

Agencies are required to take action to reduce the risk of harm from data breaches involving personal information held by the agency. The effectiveness of these actions is a factor when assessing the likelihood of serious harm.

If an agency has been able to reduce or remove the risk of harm for some or all of the individuals involved before it occurs, this will be a key consideration. The data breach may still be an eligible data breach, but the pool of affected individuals may be smaller.

Interaction between factors

Agencies should consider the way relevant factors, including the section 47(2) matters, overlap and interact. It is possible that one factor alone may not result in a breach being assessed as likely to result in serious harm. However, when combined with other factors, particularly if certain factors increase the likelihood of risk for other factors, this interaction will be a key part of the overall consideration of risk.

How this will occur practically will depend on the circumstances. For example, an individual’s name and address being disclosed publicly may not, on its own, present a high risk of harm, but if that individual has recently relocated to a new address to escape a violent family relationship, the combination and interaction of factors changes the assessment of risk. If that individual also has medical vulnerabilities and their circumstances mean they have a diminished capacity to take protective steps, the interaction between factors can dramatically alter the risk level.

Assessing cyber related breaches

Assessing data breaches caused by a cyber-attack will generally rely on agencies being able to gather and analyse digital forensic evidence. Where required, agencies should consider consulting with forensic experts for assistance in assessment. Agencies should also ensure that requirements to report breaches and incidents to the Queensland Cyber Security Unit are met as required by the Queensland Government Enterprise Architecture.

If ICT systems do not support forensic examination, for example because audit logging or retrospective analysis of internet gateway traffic is not available, it may be difficult to confirm whether a breach has resulted in access to systems and removal of personal information.

A lack of evidence should not be the sole reason for deciding that access to ICT systems has not occurred. Where agencies face this type of situation, it is recommended that assessments are conducted on the presumption that unauthorised access to, and subsequent removal of, personal information has occurred. It is also recommended that, where possible, agencies strengthen their personal information security processes by investing in their ICT systems, including enhanced incident response capability.
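As an added illustration of why audit logging matters to the assessment, and not part of the OIC guidance or any agency's tooling: the Python below scopes a suspected cyber breach from a constructed audit log. Records touched by a compromised account inside the compromise window established by forensics are treated as accessed, exported records are additionally treated as likely removed, and a system with no audit coverage at all gets the presumption described above (every record presumed accessed and removed). The log format, system names, account names, record identifiers and the compromise window are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit log (not real data): timestamp, system, account,
# action and record identifier, one event per line.
SAMPLE_LOG = """\
2025-08-01T09:02:11Z hr-portal jsmith VIEW rec-1001
2025-08-01T09:05:40Z hr-portal jsmith VIEW rec-1002
2025-08-01T21:14:03Z hr-portal jsmith EXPORT rec-1002
2025-08-01T21:15:27Z hr-portal jsmith EXPORT rec-1003
2025-08-02T08:00:00Z hr-portal amiller VIEW rec-1004
"""

# Constructed inventory of the personal-information records each system holds.
# "legacy-db" has no audit logging at all, so it never appears in SAMPLE_LOG.
INVENTORY = {
    "hr-portal": {"rec-1001", "rec-1002", "rec-1003", "rec-1004"},
    "legacy-db": {"rec-2001", "rec-2002"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    system: str
    account: str
    action: str
    record: str


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list[Event]:
    """Parse audit lines in the constructed format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        events.append(Event(parse_ts(parts[0]), parts[1], parts[2], parts[3], parts[4]))
    return events


def scope_breach(events, compromised_accounts, window_start, window_end, inventory):
    """Work out which records the assessment should treat as accessed/removed.

    Returns {system: {"records": set, "removed": set, "basis": str}}.
    - Systems with audit coverage: records touched by a compromised account
      inside the compromise window count as accessed; EXPORT events are
      additionally recorded as likely removal of the record.
    - Systems with no audit coverage: every record is presumed accessed and
      removed, which is the presumption to apply when evidence is absent.
    """
    start, end = parse_ts(window_start), parse_ts(window_end)
    logged_systems = {e.system for e in events}
    result = {}
    for system, all_records in inventory.items():
        if system not in logged_systems:
            result[system] = {
                "records": set(all_records),
                "removed": set(all_records),
                "basis": "presumed: no audit evidence available",
            }
            continue
        in_scope = [
            e for e in events
            if e.system == system
            and e.account in compromised_accounts
            and start <= e.ts <= end
        ]
        result[system] = {
            "records": {e.record for e in in_scope},
            "removed": {e.record for e in in_scope if e.action == "EXPORT"},
            "basis": "evidenced from audit log",
        }
    return result


if __name__ == "__main__":
    scope = scope_breach(
        parse_log(SAMPLE_LOG),
        compromised_accounts={"jsmith"},          # account confirmed compromised
        window_start="2025-08-01T20:00:00Z",      # compromise window from forensics
        window_end="2025-08-02T00:00:00Z",
        inventory=INVENTORY,
    )
    for system, detail in scope.items():
        print(system, sorted(detail["records"]), sorted(detail["removed"]), detail["basis"])
```

Run stand-alone, the script shows the contrast the guidance draws: for the logged system the pool of individuals can be narrowed to the two records exported during the window, while for the unlogged system every record it holds must be carried into the serious-harm assessment.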

Make a decision

After analysing the data breach as discussed above, the agency must decide whether an individual is likely to suffer serious harm as a result of the data breach, meaning that the breach is an eligible data breach of the agency.

If the agency is satisfied that its analysis supports a reasonable belief that there has been an eligible data breach of the agency, the obligation to notify the Information Commissioner and particular individuals applies, subject to the exemptions in the IP Act.

Extension of time to assess a breach

If an agency is satisfied that it will not be able to complete the assessment in 30 days, it can extend that time under section 49. It can only be extended for the length of time reasonably required to complete the assessment.

Before the initial 30 day assessment period expires, the agency must:

  • start the assessment; and
  • give the Information Commissioner written notice that the agency has extended the time.

The notice to the Information Commissioner must state:

  • that the assessment has started
  • that the period within which the assessment must be completed has been extended; and
  • the day the extended period ends.

The Information Commissioner can ask the agency to provide information or progress updates about the assessment.

Data breaches involving other agencies

If all of the personal information involved in a data breach is also the subject of a data breach of one or more other agencies, and at least one of the other agencies has undertaken to conduct the assessment under section 48(2) and (3) of the IP Act in relation to the data breach, the other involved agencies do not need to conduct the assessment.

The requirement to contain and mitigate still applies.

Notification

If an agency reasonably believes that there has been an eligible data breach involving personal information held by the agency, it must (unless an exemption applies):

  • give a statement to the Information Commissioner that contains the information required by section 51(2) of the IP Act; and
  • notify individuals whose personal information was involved in the breach.

Notifying the Information Commissioner

Unless an exemption applies, agencies must notify the Information Commissioner as soon as practicable after forming the belief that a data breach is an eligible data breach. Notification must be made using the online portal.

As set out in section 51 of the IP Act, the agency must prepare and give the Information Commissioner a statement which includes:

  • the name of the agency and, if more than one agency was affected by the data breach, the name of any other agency
  • whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies
  • the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach
  • the date the data breach occurred (if known)
  • a description of the data breach, including the type of eligible data breach under section 47
  • a description of the kind of personal information involved in the data breach, without including any personal information in the description
  • information about how the data breach occurred
  • if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach
  • the agency's recommendations about the steps individuals should take in response to the data breach
  • the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of individuals whose personal information was accessed, disclosed or lost and affected individuals for the data breach
  • whether the notified individuals have been advised how to make a privacy complaint to the agency under section 166A; and
  • the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number, or, if relying on section 57, the total number of individuals who would have been notified or, if it is not reasonably practicable to work out the total number, an estimate of the total number.

If it is not reasonably practicable to include some of this information in the initial notification to the Information Commissioner (eg the agency may not yet know the total number of affected individuals), the agency must take all reasonable steps to provide the required information to the Information Commissioner as soon as practicable.

Notifying particular individuals

Unless an exemption applies, as soon as practicable after forming a reasonable belief that a data breach is an eligible data breach, an agency must notify individuals as set out in section 53.

Section 53 provides three options for notifying individuals, depending on what is reasonably practicable in the circumstances. Whether an option is reasonably practicable will depend on a number of factors, including:

  • the time, cost and the effort required to notify affected individuals; and
  • the currency and accuracy of their contact details, which will affect the ability of the agency to notify the affected individuals.

Option 1: Notify each individual

If it is reasonably practicable to notify each individual whose personal information was accessed, disclosed or lost, the agency must take reasonable steps to notify each individual of the required information.

Option 2: Notify each affected individual

If option 1 does not apply, agencies must take reasonable steps to notify each affected individual whose personal information was accessed, disclosed or lost if it is reasonably practicable to do so.

Option 3: Publish information

If options 1 and 2 do not apply, an agency must publish the required information on an accessible agency website for a period of at least 12 months. An agency is not required to include information in its notice that would prejudice its functions.

An agency must also advise the Information Commissioner how to access the notice and the Information Commissioner is required to publish the notice on the Commissioner's website for at least 12 months.

Required information when notifying individuals

Section 53(2) of the IP Act sets out the information that agencies must, to the extent it is reasonably practicable, give to individuals or include in the public notice:

  • the name of the agency and, if more than one agency was affected by the data breach, the name of any other agency
  • the contact details of the agency or a person nominated by the agency for an affected individual to contact in relation to the data breach
  • the date the data breach occurred (if known)
  • a description of the data breach, including the type of eligible data breach under section 47
  • information about how the data breach occurred
  • the agency's recommendations about the steps an affected individual should take in response to the data breach
  • if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to affected individuals due to the data breach; and
  • information about how an individual can make a privacy complaint to the agency under section 166A.

If an individual is notified directly, the notice to the individual must also include a description of their personal information involved in the eligible data breach and the agency's recommendations about any steps they should take in response.

For public notification via an agency's website, the notification must include a description of the kinds of personal information involved in the data breach, but must not include any personal information in the description.

Notifying children

Where a data breach involves the personal information of a child, notification should generally be made to the child’s parent or legal guardian.

For minors aged 16 years or older, it may be appropriate to make the notification directly to the child.

Notifying other individuals

There is no requirement to notify individuals whose personal information was not involved in the breach. However, if an agency identifies an individual who is likely to suffer harm as a result of the breach despite their personal information not being involved, agencies may wish to consider notifying these individuals if it can be done without the risk of further breaches.

Notifying other entities

While not required by the IP Act, in some circumstances it may be appropriate, or agencies may be required, to notify other entities of a data breach. For example:

  • If the breach involves ‘corrupt conduct’ within the meaning of the Crime and Corruption Act 2001 (Qld), the Crime and Corruption Commission Queensland must be notified.
  • Cyber and information security incidents may need to be reported to the Queensland Government Information Security Virtual Response Team, according to the Business Impact Level.
  • If the breach involves a cyber security incident that results in a loss and the entity is an agency covered by the Queensland Government Insurance Fund (QGIF), QGIF should be notified.
  • If the breach appears to involve theft or other criminal activity, the Queensland Police Service (QPS) should be notified as a matter of course. The QPS website has links and assistance to report cybercrime and other offences.
  • If the breach involves the loss or unauthorised destruction of a public record, an entity subject to the Public Records Act 2023 (Qld) must notify the State Archivist.
  • Entities with obligations under the Privacy Act 1988 (Cth) Notifiable Data Breaches (NDB) scheme (e.g. Tax File Number recipients) may be obliged under the NDB scheme to report the breach to the Office of the Australian Information Commissioner.
  • If the breach involves information obtained through the Data Availability Scheme under the Data Availability and Transparency Act 2022 (Cth), agencies may need to notify the National Data Commissioner.

It may also be appropriate to notify the agency’s portfolio Minister, financial institutions, or credit card companies, or professional or other regulatory bodies.

MNDB Notification Template

This template will assist Queensland government agencies to complete a notification to affected individuals under the MNDB.

The template is provided as a guide for agencies when they are required to notify affected individuals about an eligible data breach. Under the MNDB scheme an agency has an obligation to notify affected individuals; the template provides a framework and overview of the information that may be relevant when making that notification.

The agency should also refer to section 53(2) of the IP Act to ensure relevant information regarding the data breach is included in the notification letter.

How to use this template

Text in bold and italics is provided as a guide and should be reviewed and updated or deleted. Your letter should reflect information specific to the data breach and be written with the affected individual you are notifying in mind, so the reader can understand what has occurred. Keep the language plain and free from jargon.

Notification template

[Date]

 

Dear [name of affected individual],

We are writing to notify you of a recent data breach that involves [access to / disclosure of / loss of] your personal information. Our agency, [name of your agency], is making contact to provide you with information about the breach, including the actions taken by our agency to contain the breach and the options you may want to consider, or further actions you can take.

Incident information

Date: [on date / between dates]

Time: [at time / between times]

The summary of the incident is to be provided here.

  • Include a description of the data breach, including the type of eligible data breach (s 47) so the affected person understands why the incident is considered a data breach.
  • Advise how the data breach occurred.

Affected personal information

Whilst responding to the breach our agency identified the personal information that has been affected due to the incident. The personal information involved includes:

  • Provide a full list and description of the personal information subject of the data breach.

The aim of providing the full list of information involved in the breach is to enable the affected person to take proactive steps and make informed decisions about any other actions they may need to take to protect themselves.

What has our agency done to contain the breach?

List the steps your agency has taken to contain and mitigate the breach (s 48(2)), e.g. restricted access to the affected system, isolated the affected device, reset passwords.

You can also provide information on the actions taken to reduce the likelihood of a future breach occurring. E.g. introduction of multi-factor authentication, encryption of sensitive data.

Next steps

Please take the time to review the information in this letter and the type of personal information affected by the data breach. You should consider whether the personal information involved in the data breach is likely to cause you harm. This may include financial loss, concern for physical safety, or damage to reputation or relationships. Depending on the circumstances, some of the actions you may wish to consider to protect yourself include:

  • Remember to delete text that is not applicable to the data breach incident. You can add further recommendations relevant to the data breach scenario, advising the affected individual what they should consider in response to the data breach.

Risk of harm involves identity fraud, including contact information

The below are suggestions only – agencies will need to determine appropriate advice:

  • Change your related account password as soon as possible.
  • You may wish to contact IDCare on 1300 432 273 or visit www.idcare.org. IDCare can provide specific guidance on the steps you can take to protect yourself from identity fraud.
  • Be alert to emails and telephone calls requesting your personal details, such as your home address, email address, date of birth, account usernames, passwords or personal identification numbers.
  • Should you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.

Risk of harm involves financial information

The below are suggestions only – agencies will need to determine appropriate advice:

  • Contact your financial institution as soon as possible, to enable additional monitoring and security actions on your account.
  • Enable multi-factor authentication (if able), change your online banking password (if applicable), cancel affected debit or credit card, change your personal identification number (PIN).
  • Continue to review your bank statements and online banking transactions for unauthorised purchases. Report any discrepancies to your bank as soon as possible.
  • You may consider contacting Australia’s three credit reporting agencies (Equifax, Illion and Experian) to understand if your identity has been used to obtain credit without your knowledge. You may consider making a request for a credit ban to be put in place.
  • If the affected personal information relates to your tax file number or superannuation, contact the Australian Taxation Office on 1800 467 033 and your superannuation fund to discuss whether additional monitoring needs to be placed on your account.

Risk of harm involves Health Information

The below are suggestions only – agencies will need to determine appropriate advice:

  • Contact your health service provider using their contact details, either located on their website or via hard copy information you may hold.

It is also important to consider your physical safety. If you are at risk of domestic violence and in immediate danger, contact police on triple zero (000) immediately. If you are not in immediate danger, you may wish to contact DVConnect on 1800 737 732, Womensline on 1800 811 811 or Mens Helpline on 1800 600 636. If you are feeling distressed due to this incident, you may want to consider contacting your doctor, a support service, or family or friends.

Further information is also available at the Office of the Information Commissioner website What to do if you are affected by a privacy breach.

Seeking more information and making a complaint

If you have any questions or concerns about what has happened or would like further information, you can contact:

[individual or department’s name within your organisation]

[phone number] or [email].

If you would like to make a privacy complaint because you are not satisfied with how our agency has managed this incident, or you have suffered harm as a result, you can do so by contacting us at this email address: [email address]

Our agency is committed to resolving your complaint and we would value an opportunity to understand how you were affected by the incident, and what you would like done to resolve the complaint.

Whilst we will endeavour to resolve your complaint, you are able to make a complaint to the Office of the Information Commissioner when:

  • you do not consider our response to your complaint to be adequate, or
  • we have not responded to you by the end of the response period, which is 45 business days unless you have agreed to an extension of this time.

Yours sincerely,

[Name]

[Position/Title]

[Organisation name]

Exemption from notifications

Under section 50(2) of the IP Act, an agency is not required to comply with its notification obligations if an exemption applies. These exemptions are set out in sections 55 to 60 of the IP Act.

Reliance on an exemption is discretionary. When deciding whether to rely on an exemption, agencies should take into account that the policy intent of the MNDB scheme is to empower individuals, enhance transparency, and build trust in agency management of personal information. In most cases, notification of individuals affected by an eligible data breach can be presumed to be beneficial, as it empowers those individuals to take steps to protect themselves. Notification delays can have significant impacts on affected individuals. Exemptions to notification are intended to apply only in exceptional circumstances.

If an agency decides to rely on an exemption, it should keep appropriate records of the assessment and decision making process, including accurate records of information and evidence used to support that decision.

Exemption from notification to individuals

These exemptions only exempt agencies from the obligation to notify individuals. Agencies must still notify the Information Commissioner under section 52 of the IP Act.

Agency has taken remedial action

Section 57 provides that an agency is not required to notify individuals if the agency has taken remedial action to mitigate the breach so that the breach is no longer likely to result in serious harm to any individual.

If the data breach involves unauthorised access to, or disclosure of, personal information, the agency can rely on section 57 if:

  • it takes action to mitigate the harm caused by the data breach before the access or disclosure results in serious harm to any individual; and
  • as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.

If the data breach involves loss of personal information, the agency can rely on section 57 in two circumstances:

  • Where the agency takes action to mitigate the loss before there is unauthorised access to or disclosure of the personal information and as a result there is no unauthorised access to, or disclosure of, the personal information.
  • Where the agency takes action to mitigate the loss after there is unauthorised access or disclosure but before it results in serious harm to any individual and as a result the data breach is no longer likely to result in serious harm to any individual.

Serious risk of harm to health or safety

Under section 59 of the IP Act, an agency is not required to notify individuals of an eligible data breach to the extent that compliance with section 53 would create a serious risk of harm to an individual's health or safety. It is important to note that:

  • this exemption encompasses serious risk of harm to any individual, not just the individual affected by the eligible data breach
  • the test is whether there exists a serious risk of harm, rather than serious harm, which is the test for an eligible data breach under section 47; and
  • the agency can decide to rely on this exemption permanently or temporarily.

When determining whether this exemption applies, the agency must have regard to whether the harm caused by complying with notification obligations is greater than the harm of not complying, the currency of the information the agency is relying on to make its decision, and any other relevant matters.

Health refers to an individual’s mental and physical wellbeing. Safety refers to freedom from danger, risk, or injury. Whether notification would create a serious risk of harm to an individual’s health or safety should be assessed objectively, based on best available information and a careful evaluation of all relevant circumstances.

Determining whether notification would result in a serious risk of harm to an individual requires consideration of both the likelihood and consequence of harm to an individual. A high likelihood of detrimental impact on the health or safety of an individual would constitute a serious risk of harm.

However, a lower likelihood could still amount to a serious risk of harm if the potential consequences would be extremely detrimental to an individual’s health or safety. For example, the threshold for application of the exemption may be met where the agency makes an assessment that there is a serious risk:

  • that notification will exacerbate the mental health condition of an affected individual
  • of harm to the physical safety of agency staff members – for example where an affected individual has a documented history of actual or threatened violence against staff
  • of an individual disengaging from treatment for a significant or life-threatening medical condition; or
  • of at-risk individuals disengaging with domestic violence or child protection services in circumstances where the agency is aware that there is a real risk of serious physical harm or death to the individual and/or their family if service provision is discontinued.

A serious risk of harm to the health or safety of an individual other than the person to whom the information relates may be a relevant risk for the purpose of section 59. For example, circumstances may exist where notification would cause a serious risk of harm to the affected individual’s spouse or another family member.

Individuals for whom notification would create a serious risk of harm may be a sub-group of those affected by the breach. If the broader group can be notified without creating a serious risk of harm to the at-risk subgroup, the exemption will not apply in relation to notification to the broader group.

Systemic risks, such as harm to the individual’s confidence in a service or system, will not usually meet the threshold for this exemption. However, in exceptional and limited circumstances, where notification is likely to damage an individual’s trust in an agency to such an extent that they would completely disengage from a medical or other essential service, the exemption may apply.

Balancing impacts

When deciding whether to rely on section 59, the agency must consider whether the harm of notification outweighs the harm of not notifying. It must be satisfied that the harm that could result from notifying is real, substantial and, in practice, not unlikely to result.

Taking into account the policy intent of the MNDB scheme and the starting point that notification to affected individuals is usually beneficial, agencies should only rely on section 59 in circumstances where the harm posed by notification is substantively greater than the potential harm from failing to notify.

Actions to mitigate risk

When making a decision on whether to rely on this exemption, agencies should consider whether there are additional steps or actions available that could lessen or manage the anticipated harms. If there is a practical means of delivering the notification in a way that will mitigate the risks to an individual’s health or safety, the exemption will not apply.

Actions to mitigate risk of harm could include:

  • In person notification and/or provision of support – if an agency is concerned that receiving a notification might cause significant distress to an affected individual, this may be mitigated by providing notice in person with a support person and clinical staff in attendance.
  • Redaction of some information – an agency should consider whether identified risks could be mitigated by redacting specific information or providing a high-level summary. For example, if a law enforcement officer investigating serious organised crime inappropriately accessed information held about individuals in an organised crime group, it may be open to the relevant agency to form the reasonable belief that notification would create a real risk of harm to the relevant officer’s health or safety. When balancing the relevant impacts, the agency should consider whether notification of the data breach can be provided without identifying the individual officer.
  • Notification to an authorised representative – in circumstances where an affected individual lacks decision making capacity, the agency may make the notification to the individual’s authorised representative. The notification should include information about the health or safety risks to the affected individual and the services available to support the authorised representative to inform the affected person of the breach after they regain capacity.

Agencies are expected to take all reasonable steps to identify any actions they could reasonably take to mitigate the identified harms and enable notification to occur.

Currency of information

Before relying on section 59, the agency must consider the currency of the information it is relying on to assess whether notification could create a serious risk of harm. This is because individuals’ vulnerability to harm is dynamic and relative rather than being a fixed trait, and agency records may be old and reflect a particular moment in time.

If agency records indicate that a situational factor or a particular characteristic of the individual gives rise to a risk of harm, consideration should be given to the age of those records and the likelihood that the individual’s circumstances may have changed in the intervening time.

Determining the duration of the exemption

The agency can decide to rely on section 59 permanently or temporarily. In keeping with the policy intent of the MNDB scheme, the exemption should be applied for the minimum amount of time required to avoid or mitigate the anticipated harm.

Where notification would create a serious risk of harm to an individual’s health or safety and the risk cannot be mitigated or removed over time, it may be appropriate to apply the exemption permanently.

A permanent exemption should only be granted in exceptional circumstances and where the agency has a high degree of confidence that harm mitigation measures, alternative methods of notification and/or the passage of time will not substantially lessen the risk. For example, a permanent exemption may be appropriate where an affected individual has a persistent, serious mental health condition and a documented history of violence or self-harm.

Where the risk of harm arises from a particular factual scenario or a temporary vulnerability, agencies should consider applying section 59 only until notification can be safely made. For example, if an individual is suffering a mental illness that puts them at risk of causing harm to themselves or others if notified of a breach, consideration should be given to whether that mental illness is episodic or likely to resolve, and whether notification obligations could be deferred until the individual is well enough to safely receive notification.

Notifying the Information Commissioner

If an agency relies on this exemption it must give written notice to the Information Commissioner setting out:

  • that the agency is relying on the exemption and the extent to which it is relying on it, e.g., to not notify only a sub-class of affected individuals
  • whether the exemption is temporary or permanent; and
  • if temporary, the expected duration of the exemption.

This is in addition to the statement it must give the Commissioner under section 51 of the IP Act. OIC recommends that agencies also provide the Commissioner with the following information, if it is practicable to do so:

  • the number of individuals to whom the exemption has been applied
  • the total number of individuals affected by the breach
  • the nature of the serious risk of harm to health or safety expected to arise from notification
  • an explanation of why the risk arising from notifying affected individuals outweighs the risk of not notifying
  • the nature and age of information the agency relied on to form its reasonable belief; and
  • whether agency records were searched to assess the impact of notification and the grounds on which the search was authorised.

This can be a high-level summary and must not include any personal information.

Compromise to cybersecurity

Section 60 exempts an agency from the obligation to notify an individual to the extent that complying with that notification obligation is likely to:

  • compromise or worsen the agency’s cybersecurity; or
  • lead to further data breaches.

Exemption under section 60 is temporary. It only applies for the period that notification to individuals is likely to result in either of the above outcomes.

Cybersecurity is not defined in the IP Act. The Queensland Government’s Cyber Security Hazard Plan uses the relevant International Standard definition: ‘actions required to preclude unauthorised use of, denial of service to, modifications to, disclosure of, loss of revenue from, or destruction of critical systems or informational assets’.

The cybersecurity exemption in section 60 requires that notification would likely have a detrimental impact on these measures. There is no specific threshold or degree to which an agency’s cybersecurity must be negatively affected to trigger section 60, however the effect must be non-trivial.

Before relying on section 60, the agency must be satisfied that there is a real risk that notification would compromise or worsen the agency’s cybersecurity or lead to a further data breach. A mere possibility is not sufficient; it must be more likely than not to occur. Reliance on this exemption should be tightly framed and exercised for the least amount of time necessary to avoid cybersecurity detriment or further data breaches.

The Information Commissioner recommends that departments, Ministers, statutory bodies and other State government agencies consider seeking advice from the Queensland Government Cybersecurity Unit when contemplating use of this exemption. Local government, universities, and other non-State agencies should consult with their internal or external cybersecurity specialists.

Circumstances where notification would likely compromise or worsen an agency’s cybersecurity or lead to further data breaches could include:

  • Where notification could lead to further unauthorised access to, or disclosure of information. For example, where a system upgrade reconfigures access restrictions, making personal information available online to users who should not be able to access it, and the access restrictions have not yet been rectified, notification could alert individuals to the issue and result in further unauthorised access. In this example, it is likely the exemption would only apply for a short period while containment and mitigation activities were undertaken by the agency.
  • Where the notification could allow the breach, or a similar breach, to be replicated. For example, if the breach was caused by a cyber-attack which took advantage of a system vulnerability or a new or emerging cyber method, and steps to protect the system from similar attacks have not been finalised, notification could compromise the agency’s cybersecurity and also lead to further data breaches.

When agencies could choose not to rely on the exemption

When deciding whether to rely on section 60, agencies should consider whether there are options available to notify affected individuals without increasing the risk to the agency. It may be possible to comply with the notification obligations without revealing specific details of how the breach occurred, or the actions the agency is conducting to contain or mitigate the impact of the breach. For example, a notification could include a high-level statement that the breach occurred due to a cyberattack on agency systems, without providing detailed information on the methods used or the vulnerabilities exploited.

If an agency takes this approach, it may be appropriate to advise individuals that further information will be provided as investigation and remedial action is undertaken by the agency.

Resolving any cybersecurity flaws or weaknesses giving rise to the exemption

Exemption from notification to individuals under section 60 is only temporary. Agencies should address any cybersecurity or information security weaknesses as promptly as possible, so as to mitigate any risks giving rise to reliance on the cybersecurity exemption and permit notification as soon as is possible.

Notifying the Information Commissioner

In addition to the statement it must give the Commissioner under section 51 of the IP Act, if an agency relies on this exemption it must give written notice to the Information Commissioner setting out:

  • that the agency is exempt from complying with notification obligations under the scheme
  • when it expects the exemption will no longer apply; and
  • how the application of the exemption will be reviewed.

The agency must also review the application of the exemption for each month during the period it is relying on the exemption and provide the Information Commissioner with a summary of the monthly review as soon as practicable.

OIC recommends that agencies also provide the Commissioner with the following information, if it is practicable to do so:

  • the number of individuals to whom the exemption has been applied
  • an explanation of why notification is likely to compromise or worsen the agency’s cybersecurity or lead to further breaches
  • whether the agency has consulted with the Queensland Government Cybersecurity Unit or, for non-State government agencies, its cybersecurity adviser; and
  • an explanation of the timelines and work planned to remedy the issue and enable notification.

Monthly review

Issues that may be considered during the mandatory monthly review of the use of the cybersecurity exemption could include considering whether:

  • the risks identified during the initial assessment continue to apply
  • mitigation action removed the risk to agency cybersecurity
  • notification to affected individuals is still likely to compromise or worsen the agency’s cybersecurity, or lead to further data breaches
  • mitigation activities can be completed within the estimated timeframe; and
  • the timeframe of the exemption should be amended.

The agency must give the Information Commissioner a summary of every review as soon as practicable after the review is completed.

Exemption from notification to individuals and the Information Commissioner

Investigations and proceedings

Section 55 exempts an agency from notifying both individuals and the Information Commissioner to the extent that providing those notifications would likely prejudice:

  • an investigation that could lead to the prosecution of an offence; or
  • proceedings before a court or tribunal.

There must be more than a mere possibility of the prejudice occurring; it must be more likely than not to occur.

The agency relying on this exemption does not need to be the agency conducting the investigation. It is sufficient that notifying would prejudice an investigation being conducted by another agency or entity.

This exemption is not confined to criminal investigations by law enforcement agencies such as the Queensland Police Service. It can apply to any investigation which may result in a prosecution, for example:

  • investigations by agency compliance officers into breaches of environmental regulations or permit conditions
  • investigations by local government officers into breaches of local or other laws
  • investigations into breaches of liquor licensing laws; and
  • investigations into official misconduct or police misconduct which could result in prosecution.

The exemption can apply to any proceedings before any court or tribunal, regardless of jurisdiction. It does not need to be a court or tribunal of Queensland and the agency the subject of the data breach does not need to have instigated or be involved in the proceedings.

The investigation or proceedings can be at any stage of the process. Finalised investigation or proceedings, however, would not enliven this exemption.

Before relying on this exemption, agencies should carefully consider whether it is possible to undertake notification under section 52 or 53 in a way that would avoid likely prejudice to the relevant investigation or proceedings. If an agency can provide some of the information required under sections 52 and 53 without causing the anticipated prejudice, the exemption will not apply to that information.

Multiple agency breach

If a data breach involves more than one agency, an agency may be able to rely on section 56 to not notify individuals and the Commissioner. Section 56 will apply where:

  • all of the personal information the subject of the breach is also the subject of a data breach of one or more other agencies; and
  • at least one of the other agencies is undertaking assessment and is required to notify individuals and the Commissioner in relation to the data breach.

Section 56 does not apply where the other entity or entities involved in the breach are not agencies as defined in the IP Act. In those circumstances, the agency must comply with its notification obligations, even if another entity, including an agency of the Commonwealth or another state or territory, was also required to notify affected individuals under Commonwealth or other law.

Where a breach involves multiple agencies, the agencies should consult with each other to determine which agency will be responsible for assessment and notification of the data breach. Agencies should work together during the assessment process to ensure all affected individuals are identified.

The notification should identify all agencies involved in the breach and include a central contact for further enquiries.

Agencies relying on section 56 should ensure they assess the data breach in terms of mitigating future or current risks, preventing future data breaches, and identifying if the data breach is also a breach of another law, or if they may have non-IP Act obligations to notify or mitigate.

Section 56 does not remove the agency's obligation to update its data breach register with details of the breach.

Inconsistency with confidentiality and secrecy provisions

Most agencies are subject to confidentiality or secrecy provisions in addition to their obligations under the IP Act. These may be contained in agency-specific legislation or in laws that apply to certain kinds of information, regardless of who holds it, or certain actions or functions, regardless of who undertakes them.

Under section 58, if notifying individuals or the Commissioner would be inconsistent with a provision of a Commonwealth or State Act that prohibits or regulates the use or disclosure of the information, agencies are not required to notify in relation to that information.

Careful consideration must be given to the relevant provision and its specifics to determine if and how much of the information required by section 52 or 53 would breach the relevant provisions if it was provided to individuals or the Commissioner. If an agency can provide some of the required information without breaching the relevant provisions, the exemption will not apply to that information.

Data breach registers

Section 72 of the IP Act requires agencies to keep an internal register of eligible data breaches. The register must include:

  • a description of the eligible data breach, including the type of data breach under section 47
  • the date the agency gave a statement to the Information Commissioner about the eligible data breach and the date any additional information was provided to the Commissioner under sections 51 and 52
  • if individuals were directly notified about the eligible data breach, the individuals who were notified and the date and method by which they were notified
  • if the agency relied on an exemption to not notify the Information Commissioner or individuals, details of the exemption
  • details of the steps taken by the agency to contain the eligible data breach and mitigate its harm; and
  • details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.

Depending on the circumstances, agencies may find it useful to include additional information about a data breach in the register, for example:

  • if an eligible data breach is also a breach of another Act, details of that Act; or
  • if the agency was required by contract, another law, or circumstances to notify an external party, details of that party and the date of notification.

In addition to being a requirement under the MNDB scheme, maintaining an eligible data breach register will:

  • contribute to accurate record keeping and reporting processes
  • assist with tracking and analysing data breach risk and reviewing the efficacy of response methods; and
  • assist agencies in responding to requests for information from the Information Commissioner.

The Data breach register template (69494) and example register at Appendix A will assist agencies to develop a compliant data breach register.

Data Breach Policies

Section 73 of the IP Act requires agencies to prepare and publish a Data Breach Policy (DBP) outlining how it will respond to a data breach, including a breach the agency suspects is an eligible data breach.

The DBP is not required to contain detailed information about an agency’s information security systems, practices or procedures.

What is a DBP and what are the benefits?

A DBP is a documented policy or plan setting out the procedures to be followed if an agency experiences a data breach, including a breach that is a suspected eligible data breach. It should establish the roles and responsibilities of agency staff in responding to and managing a breach.

Data breaches can vary in size and complexity, and the consequences can be significant for individuals whose information is involved. The range of actual or potential harms they can cause include financial fraud, identity theft, damage to reputation, violence, or psychological harms.

Agencies may also experience serious consequences as a result of a data breach. Depending on the data or information involved, breaches may have negative impacts on an agency’s reputation, finances, interests, or operations. Data breaches can result in a loss of confidence and trust in an agency, including in the service it provides.

Having a robust, documented and operationalised DBP can facilitate a timely and effective response to a data breach, in turn avoiding or mitigating potential harms to affected individuals, and reducing the risks to agencies.

Publication of the DBP

Agencies are required to publish their DBP on an accessible agency website. This will generally be the agency's website, but if the agency does not have a website, it can be included on the website of another appropriate agency. For example, Ministerial DBPs could be published on the departmental website.

Agencies should link to their DBP policy from their Queensland Privacy Principle Policy (QPP Policy) and intranet or other central staff repository, and ensure all staff know how to access the policy.

What should a DBP include?

A DBP should set out an agency’s plan for dealing with data breaches from start to finish. A clear and precise DBP will enable agencies to:

  • prepare for, identify, contain, assess, respond to and report on data breaches at the appropriate level and in a timely fashion
  • identify who in the agency is responsible for taking what action in response to a data breach
  • take action to mitigate potential harm to individuals and the agency; and
  • meet obligations under the IP Act.

At a minimum, a DBP should include:

  • The agency’s preparations for responding to a data breach.
  • The definition of data breach and eligible data breach.
  • The agency’s strategy for identifying, reporting, containing, assessing, and managing eligible and suspected eligible data breaches.
  • How notification obligations will be met if a data breach is assessed as an eligible data breach.
  • A description of the roles and responsibilities of staff members.
  • Record keeping requirements.
  • Post-breach review and evaluation procedures.

It should align with and cross reference other relevant policies and procedures, such as cyber security response plans and QPP Policies. The DBP should be integrated into existing incident or crisis management processes and align with relevant Queensland Government information security reporting and incident response protocols.

The Data breach policy template (69496) and checklist in Appendix B will help agencies develop a compliant and effective DBP.

The agency’s preparations for responding to a data breach

A DBP should provide a high-level outline of the actions the agency has taken to prepare for a data breach, including how these actions fit within the agency’s broader systems, policies, and procedures, eg cyber response, general incident or emergency management processes, communications strategies, and risk management frameworks.

The DBP should also include the key controls, systems, and processes that the agency has established for identifying suspected or actual data breaches and ensuring data breaches are effectively managed.

Training and awareness

Well trained and risk aware staff contribute to a strong frontline defence against privacy risks, including from data breaches involving personal information. The Office of the Australian Information Commissioner’s Notifiable data breaches report - July to December 2023 indicates that breaches caused by human error are a significant component of all breaches involving government agencies. Prompt identification of breaches and timely reporting by staff is also an important factor in ensuring agencies can effectively respond to and manage breaches.

An agency’s DBP should outline its approach to staff training and awareness in identifying, responding to, and managing data breaches, and any training or awareness activities about other aspects of privacy protection, eg enhancing staff awareness of privacy and cyber principles and current threat trends.

Processes for identifying and reporting breaches

Developing and documenting processes for promptly detecting data breaches will improve an agency’s ability to contain a breach and mitigate potential harms.

An agency’s DBP should clearly explain how internal staff and external entities, eg the public or another agency, can report an actual or suspected data breach and outline the agency's processes for identifying data breaches. This should not include details of specific controls which could place the agency at additional risk.

The appropriate processes for identifying and preventing data breaches will depend on the size and sophistication of an agency, its information holdings, and its security program and controls, but could include:

  • technical controls (such as Data Loss Prevention tools)
  • monitoring services (such as dark web monitoring, or social media monitoring)
  • audits and reviews; and
  • staff training and awareness.

Defining and identifying a data breach

A DBP should include a clear explanation of what a data breach and an eligible data breach are, how data breaches can occur, and that identifying, assessing, and responding to data breaches must be conducted on a case-by-case basis. Including examples of the different ways a data breach can occur will be helpful, eg:

  • loss or theft of physical devices
  • misconfiguration or overprovisioning of access to systems
  • accidental or inadvertent disclosure
  • deliberate disclosure; and
  • social engineering or hacking.

Scenarios will help raise awareness of high-risk activities and processes that could lead to a breach and how data breaches impact the agency, its functions, and the individuals whose information it handles. For example, an agency that handles a large amount of health information could provide examples or scenarios touching on the actual ways that health information is collected, used, stored, and disclosed in practice, reflecting any known risk factors for that agency.

Strategy for containing, assessing, and mitigating eligible data breaches

A DBP should outline the steps an agency will take to respond to a data breach, including a suspected eligible data breach.

Plan to contain, mitigate harm, assess, notify and prevent

To help ensure responses to data breaches are easily and quickly put into action, the DBP should clearly outline the agency’s process for:

  • Initial identification and evaluation of suspected breaches and breach reports.
  • Containing a breach or suspected breach to minimise any harms.
  • Taking steps to mitigate any harms which may result from the breach. The plan should also make clear that the requirements to contain and mitigate are ongoing obligations which continue while the breach is being managed.
  • Assessing or evaluating the information involved in the breach and the risks associated with the breach, so as to determine next steps. This should also include steps to assess whether the breach is an eligible data breach as required under the MNDB scheme, including a list of factors which should be considered in this assessment process.
  • Notifying individuals and the Information Commissioner if the breach is assessed as an eligible data breach.
  • Post incident review and preventative efforts, based on the type and seriousness of the breach.

Where these processes require decisions about how to manage the breach response, the DBP should identify who is responsible for making those decisions.

Strategies for breaches involving more than one agency

The DBP should include strategies for managing, responding to, and providing notice of data breaches involving other agencies. Section 48(4) provides that where an agency becomes aware an eligible or suspected eligible data breach may affect another agency, the first agency must give that other agency written notice of the breach.

This could include documenting key contacts and defining roles and responsibilities regarding assessment, remediation, information flow, and notification.

Notification strategy

The DBP should include a clear notification strategy that is consistent with sections 51 to 54 of the IP Act and enables quick and effective communication with affected individuals and the Information Commissioner.

The strategy should outline:

  • responsibilities for implementing the notification strategy
  • how to determine when affected individuals or organisations must be notified
  • key contacts for communications
  • responsibilities for notifying the Information Commissioner, consistently with the obligations imposed by sections 51 and 52
  • how affected individuals will be contacted and notified in accordance with section 53, and communications with affected individuals managed, including how inquiries will be made of disclosing agencies under section 54; and
  • responsibilities for consulting with any other external stakeholders (such as other agencies who may be impacted by the data breach).

Additional obligations or reporting

Agencies may be required by contract, other laws, or the circumstances of the breach to take additional specific steps in response to a data breach. These could include taking specific containment or remediation actions or engaging with or notifying external stakeholders. A DBP should outline the situations in which external reporting or engagement is necessary. If reporting is discretionary, it should include guidance on making the decision.

Depending on the circumstances of the data breach and the categories of data involved, agencies may need to report to or engage with:

  • Queensland Police Service
  • Crime and Corruption Commission Queensland
  • Queensland Government Chief Information Officer
  • The Office of the Australian Information Commissioner
  • Australian Federal Police
  • The Australian Taxation Office
  • The Australian Digital Health Agency
  • The Australian Cyber Security Centre
  • Any third-party organisations or agencies whose data may be affected
  • Financial services providers
  • Professional associations, regulatory bodies, or insurers; or
  • Foreign regulatory agencies.

Agencies may also wish to canvass media and general communications strategies in their DBP.

Roles and responsibilities

Clearly establishing data breach roles and responsibilities will help ensure prompt responses to a data breach. A DBP should set out the roles and functions of agency heads, executive officers, privacy officers, staff generally and any other relevant internal parties in identifying, reporting, and responding to an actual or suspected data breach.

The DBP should identify the breach response team including:

  • roles and functions within the team
  • subject matter expertise required in the team—this could include incident response specialists, legal, communications, cybersecurity, physical security, human resources, key agency operations staff and key outsourcing/relationship managers; and
  • who in the team is responsible for dealing with the relevant elements of the breach.

It should contain escalation procedures for staff, including how to immediately report a suspected breach, when line managers can handle a breach, and the circumstances in which a breach should be escalated to the response team, eg due to the severity of the breach or the level of response required.

It should also identify who is responsible for:

  • making escalation decisions at each level
  • assessing and identifying the agency's reporting obligations, including notification to the Information Commissioner, individuals, external stakeholders, or other bodies
  • maintaining, testing, and updating the DBP
  • data breach recordkeeping; and
  • post-breach review and evaluation. 

Capability, expertise, and resourcing

Prompt action is critical when responding to a data breach. Response strategies will only be effective if they can be quickly and effectively implemented and actioned. This depends on staff, or other people such as external contractors, having the relevant skillsets and being available to deal with the breach.

A DBP should outline the agency’s strategy for ensuring:

  • That it has resourcing and personnel with the necessary expertise to respond effectively. To be properly prepared for complex incidents, this may involve engaging (in advance) an outsourced cyber incident response service provider.
  • That agency staff who are likely to be required to assess a data breach or make an escalation decision, are trained and capable of adequately assessing the breach and its impact. Where possible, these staff should be involved in policy testing and review processes.

Recordkeeping

The agency's processes for documenting breach and suspected breach management and response should be included in the DBP. Keeping appropriate records will provide evidence of how the agency actually responded to a breach or suspected breach, including breaches that do not get escalated to the breach response team or do not meet the eligible data breach threshold.

Accurate records will also assist in tracking and analysing data breaches, including the effectiveness of the response methods. This may enable agencies to identify and remedy weaknesses in security or processes that present a higher risk of error.

Recordkeeping responsibility should be clarified in the DBP. This should include:

  • assigning responsibility for keeping the register of eligible data breaches required under section 72; and
  • publishing, monitoring and reviewing the currency of public notifications of data breaches published to the agency website under section 53(1)(c).

Post-breach review and evaluation

Understanding which processes worked well, how issues were handled, and areas for improvement in the management of a data breach is an important component of the data breach administration process. This is particularly relevant to mitigating future risks, preventing reoccurrence of similar breaches, and improving personal information handling processes in line with expectations of the community and regulators.

DBPs should include:

  • A strategy to identify and remediate any processes or weaknesses in data handling that may have contributed to the breach.
  • A post-response assessment of how the agency responded to the breach and the effectiveness of the DBP.

Post-breach review and evaluation will identify any changes needed to process or procedures and is a key part of ensuring agencies can proactively and effectively manage data breaches.

Testing and review schedule

Agencies should consider regular testing and review of the DBP to ensure it is operationally effective, up to date, and properly considers internal agency structure and function, and the changeability of the external threat environment.

Regular testing will also contribute to staff understanding their roles and responsibilities and becoming familiar with escalation procedures for more complex breach incidents. It will also allow for the checking of response processes, such as contact numbers, approval processes and reporting lines to ensure that they are current.

DBPs should be reviewed, tested, and updated at least annually, but agencies should consider developing a schedule for reviewing and updating their DBPs appropriate to their specific agency. The testing and review schedule should be set out in the DBP.

Privacy breach management for local government

The MNDB scheme will not apply to local governments until 1 July 2026, however local governments are still required to respond appropriately to privacy breaches which occur before that date.

This guide will help local government manage a privacy breach and decide whether to notify individuals whose privacy has been affected by the breach. Local government is encouraged to use the MNDB scheme as a guide for when it would be appropriate to notify.

Privacy breaches

Local government must handle personal information in compliance with the IP Act and its Queensland Privacy Principles. A privacy breach occurs when a local government fails to comply with the IP Act.

Privacy breaches can result from technical issues, human error, inadequate policies and training, a misunderstanding of the law, or deliberate acts. A common cause of a breach is the loss, theft, or mistaken disclosure of personal information, eg a USB flash drive is lost or an email is sent to unintended recipients.

Privacy breach notification

While local government is not yet required to comply with the MNDB scheme, the Office of the Information Commissioner (OIC) strongly encourages local government to notify the OIC and/or affected individuals in the event of a privacy breach.

Notifying the OIC means we can provide information about responding to the breach and assists us to respond to community enquiries about the breach.

OIC also strongly encourages local government to notify affected individuals in appropriate circumstances. Doing so is good privacy practice and promotes openness and transparency.

Responding to a privacy breach

Effective response to a privacy breach has four key steps:

  1. Contain the breach.
  2. Evaluate the foreseeable harm to individuals.
  3. Consider notifying affected individuals and OIC.
  4. Prevent a repeat.

Each step is detailed below. Where possible, the first three steps should be undertaken concurrently. The last step includes longer term solutions and prevention strategies.

Step one: Contain the breach

Local government should take whatever steps are necessary and possible to contain the breach and minimise any resulting damage. This could include recovering the personal information, shutting down systems, suspending activities or revoking or changing access codes or passwords.

If a third party is in possession of the personal information and declines to return it, it may be necessary to seek legal advice on what action can be taken to recover it. When recovering information, ensure copies have not been made or that all copies are recovered.

Care must be taken when containing the breach not to destroy information that may be needed to investigate its cause, for example system, email and access logs, or the device or file that was involved.

The breach should be escalated internally as appropriate. Senior management responsible for the area where the breach occurred should immediately be informed of the breach. Depending on the breach's circumstances, it may also be appropriate to inform the media relations unit, legal services team, information security manager, the team responsible for managing employee misconduct (such as internal audit, ethical standards or Crime and Corruption Commission liaison officer), and/or the chief executive or relevant Councillors.

In some circumstances, it may be appropriate or necessary to notify a third party of the breach, for example:

  • If the breach involves the loss or unauthorised destruction of a public record, the State Archivist must be notified under the Public Records Act 2023 (Qld).
  • If the breach involves theft or other criminal activity, the Queensland Police Service (QPS) should be notified.
  • If the breach involves a cybersecurity incident, the local government's cybersecurity specialists should be notified. The QPS website also has information about reporting cybercrime.
  • If the breach involves a tax file number, the local government may be a tax file number (TFN) recipient required to notify the Office of the Australian Information Commissioner under the Privacy Act 1988 (Cth).
  • If the breach involves corrupt conduct within the meaning of the Crime and Corruption Act 2001, the Crime and Corruption Commission must be notified.

Depending on the circumstances of the breach and the information involved, other notifications may be appropriate, such as:

  • insurance companies
  • relevant financial institutions or credit card companies; or
  • professional or other regulatory bodies.

Step two: Evaluate the associated risks

To identify other appropriate actions, assess the type of personal information involved in the breach and the risks associated with the breach. Factors to consider include:

  • What type of personal information is involved? Some types of personal information are more likely to cause an individual harm when compromised. For example, government issued identifiers, like Medicare or driver licence numbers, health information, and financial information, like credit card numbers, will generally be more significant than the names and email addresses of newsletter subscribers. A combination of personal information will typically create a greater potential for harm than a single piece of personal information (for example, an address, date of birth and driver licence number, if combined, could be used for identity theft).
  • Who is affected by the breach? What individuals have been affected by the breach, how many individuals have been affected and do any of the individuals have personal circumstances which may put them at particular risk of harm?
  • What caused the breach? Did the breach occur as part of a targeted attack or through inadvertent oversight? Was it a one-off incident or does it expose a more systemic vulnerability? What steps have been taken to contain the breach? Has the personal information been recovered? Is the personal information encrypted or otherwise not readily accessible?
  • What is the foreseeable harm to the affected individuals? Who is the recipient of the information? Is there evidence that suggests theft, and was the information the target? Evidence of theft could suggest a greater intention to do harm and heighten the need to notify the individual, as well as law enforcement. What possible use is there for the personal information? For example, could it be used for identity theft, threats to physical safety, financial loss, workplace bullying, loss of employment opportunities, or humiliation or damage to reputation? What is the risk of further access, use or disclosure, including via the media or online?

Step three: Consider notifying affected individuals

The IP Act does not yet require local government to notify individuals who have been affected by a privacy breach. However, a failure to notify may compound the damage those individuals experience and reflect negatively on a local government’s reputation. Notification can also demonstrate a commitment to open and transparent governance.

In general, if a privacy breach creates a risk of harm to an individual, the affected individuals should be notified. Prompt notification in these cases can help mitigate the damage by enabling individuals to take steps to protect themselves.

In some circumstances, notification may be counterproductive and/or cause more harm than good to the individual, particularly if the breach is unlikely to have a negative impact on the individual. For example, if a laptop containing personal information is lost and recovered and it can be confirmed that its data was not accessed, notifying the individuals could cause unnecessary anxiety and desensitise them to significant, potentially harmful, privacy breaches.

Factors local government should consider when deciding whether to notify include:

  • What is the risk of harm to the individual (as determined in the previous step)?
  • What steps has the local government taken, or will the local government take, to prevent, mitigate or remedy any actual or potential harm?
  • What ability does the individual have to take steps to avoid or remedy harm if they are notified? For example, can the individual have a new credit card number issued to avoid potential financial harm?
  • Even if the individual would not be able to take steps to fix the situation, is the information that has been compromised sensitive, or likely to cause humiliation or embarrassment for the individual?
  • Are there any applicable legislative provisions or contractual obligations that require the local government to notify affected individuals?

Example: notification not warranted

A local government officer transfers local government information onto an encrypted memory stick to work on from home. The memory stick contains names, phone numbers, and email correspondence of members of the public who are participating in a community consultation project.

At some point between leaving work and arriving home by bus, the officer loses the memory stick. They report it missing the next day to their supervisor and the privacy officer. The bus company's lost property section advises it was not handed in.

While this is a significant amount of personal information, the memory stick was encrypted. If it can be confirmed, eg with IT services, that the data on the memory stick is inaccessible without the proper key to decrypt the information, notifying the individuals whose personal information was held on the memory stick is not warranted. That confirmation should cover whether encryption was actually enabled on the device when it was lost and whether the key or passphrase could have been lost with it; if either cannot be confirmed, the memory stick should be treated as unencrypted for the purposes of this assessment.

Example: notification is warranted

A local government officer leaves a paper file containing employee records in a café. The personal information in the records includes names, home addresses, phone numbers, birth dates, salary information and bank account numbers. Enquiries with the café fail to locate the file.

Due to the potential risk of identity theft represented by the amount and types of personal information, notifying the officers affected by the breach is warranted.

In these circumstances, an appropriate notification would be sent by a sufficiently senior officer of the local government and include an apology, a description of the personal information lost, steps the officers can take in response, how the local government will assist and resources to help mitigate the risk of identity theft. Best practice would also be to outline the measures put in place to prevent any recurrences of the breach and inform officers of their right to make a privacy complaint.

In this example, only local government officers were affected, so notification is relatively simple. The logistics of notifying affected individuals in other circumstances will depend on the type and scale of the breach and whether the local government has current contact details for the affected individuals.

When to notify

In general, individuals affected by the breach should be notified as soon as practicable. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability that has not yet been fixed.

How to notify

It is recommended that affected individuals be notified directly, eg by telephone, letter, email or in person. Indirect notification, eg by posting information on the local government website, placing a public notice in a newspaper, or by way of media release, should generally only be used where the contact information of affected individuals is not known, or where direct notification is prohibitively expensive or could cause further harm (for example, by alerting a person who has stolen a laptop to the value of the information on it).

What to say

Tailor the content of the notification to the circumstances of the particular breach and the individuals affected. Content of a notification could include:

  • information about the breach, including when it happened
  • a description of what personal information was affected by the breach
  • assurances (as appropriate) about what personal information has not been disclosed
  • what the local government is doing to control or reduce the harm
  • what steps the person can take to further protect themselves and what the local government will do to assist people with this
  • contact details within the local government where questions or requests for information can be directed; and
  • information about the right to lodge a privacy complaint and how to do so, including the option to bring it to the OIC if dissatisfied with the local government's response.

Where a risk of harm to the individual has been identified, local governments are strongly encouraged to also notify the OIC.

Step four: Prevent a repeat

Once the breach has been contained, the local government should investigate all relevant causes of the breach and identify short or long term measures to prevent a recurrence.

Preventative actions could include a:

  • security audit of both physical and technical security controls
  • review of policies and procedures
  • review of employee training practices; or
  • review of contractual obligations with contracted service providers.