Explaining the MNDB scheme

The mandatory notification of data breach (MNDB) scheme in the Information Privacy Act 2009 (Qld) (IP Act) requires all agencies other than local government to notify individuals and the Office of the Information Commissioner (OIC) if they have an eligible data breach. The MNDB scheme will apply to local government from 1 July 2026.

What is an eligible data breach?

An eligible data breach occurs when both of the following apply:

  • there is unauthorised access to, or unauthorised disclosure of, personal information held by the agency, or there is a loss of personal information held by the agency in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
  • the unauthorised access to, or disclosure of, the information is likely to result in serious harm to an individual to whom the personal information relates (an ‘affected individual’).[1]

What is unauthorised access and unauthorised disclosure?

Unauthorised access to personal information can occur when someone accesses information without permission. This can occur from:

  • within an agency;
  • outside an agency; and
  • between different agencies.

Examples of unauthorised access include:

  • an agency employee intentionally opens an electronic or paper file containing personal information when they do not have permission or authorisation to access that information;
  • a cyber-attack on a database containing personal information; or
  • where one agency is given permission to access information of another agency for a specific purpose, but someone from that agency accesses information outside the terms of the permission or agreement.

Unauthorised disclosure of personal information can occur if information is provided to or accessible by people outside the agency.[2] This could be the result of:

  • human error without any malicious intent, for example where personal information is emailed to the wrong recipient or is accidentally released;
  • technical errors, for example where a system upgrade inadvertently results in information being incorrectly disclosed to unauthorised people; or
  • a third party downloading data from an unsecured computer system or platform.

Loss

Personal information held by an agency can also be accidentally lost (including where it is stolen) in circumstances where it is likely to result in unauthorised access to or disclosure of that information. For example:

  • a file containing personal information is accidentally left in a public place; or
  • a laptop containing the personal information of an agency’s clients is stolen from the agency’s office.

What is personal information?

Personal information is any information about you that identifies (or could reasonably identify) you and may include:

  • a written record, which may include your name, address and other details about you;
  • photographs, images, video or audio footage; and
  • fingerprints, blood, or DNA samples.

What is serious harm?

The harms which can potentially arise from a data breach will vary based on the nature of the personal information involved and the context of the breach. Serious harm can include serious physical, psychological, emotional, reputational, or financial harm to the individual because of the access or disclosure.

For harm to be considered serious, it must result in a real and substantial detrimental effect to an individual to whom the personal information relates. The impact of the harm can vary from person to person, but may include:

  • identity theft and financial loss through fraud, including negative effects on a person’s finances or credit rating;
  • a risk of, or actual, physical or psychological harm, such as from an abusive ex-partner;
  • emotional harm; or
  • serious harm to an individual’s reputation.

Who decides if a data breach is likely to cause serious harm?

Under the MNDB scheme, agencies will be responsible for deciding whether a data breach is likely to result in serious harm. This will require agencies to make an objective assessment of the circumstances of a breach and to determine whether the unauthorised access, disclosure or loss of personal information is likely to result in serious harm to the individuals involved.

In making this determination, the agency may consider the following:

  • the kind of personal information accessed, disclosed or lost; for example, an email address may be considered less likely to cause serious harm than identity information such as a passport number;
  • the sensitivity of the personal information; for example, information regarding a person’s health or a disability may be more likely to cause serious harm than a person’s name alone;
  • whether the personal information is protected by one or more security measures, and if so, the likelihood that any of those security measures could be overcome;
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; for example, a data breach involving personal information being inadvertently emailed to another government agency is less likely to result in serious harm than a cyber-attack involving the exfiltration of personal information;
  • the nature of the harm likely to result from the data breach; for example, different types of data breach can result in different types of harm; and
  • any other relevant matter, which will depend on the circumstances of the specific breach.

When will you be notified of an eligible data breach involving your personal information?

When an agency has a data breach which it reasonably suspects is an eligible data breach, it must immediately, and continue to, take all reasonable steps to contain the data breach and mitigate any harm caused by the breach.

Agencies must then rapidly assess the data breach to identify whether that data breach is likely to result in serious harm. If the agency decides that there has been an eligible data breach, it must, as soon as practicable, notify individuals whose personal information is involved in the breach. This notification must provide you with information regarding the breach, including:

  • The name of the agency, and whether more than one agency was affected by the eligible data breach.
  • Contact details of the agency or the nominated person an individual can contact in relation to the eligible data breach.
  • The date the eligible data breach occurred.
  • A description of the breach, including the type of data breach (unauthorised access, unauthorised disclosure, or loss of information).
  • How the breach occurred.
  • A description of the personal information that is the subject of the breach, e.g. financial information or identity information (Medicare number, passport number).
  • Recommendations about the steps an individual should take in response to the breach.
  • Information about how to make a privacy complaint to the agency.

If it is not reasonably practicable for an agency to notify individuals directly, it must publish a notification on its website and notify the OIC. The OIC is then required to also post the same information about the eligible data breach on their website to further publicise the breach. The notification must remain on the agency’s, and the OIC’s, website for at least 12 months.

Notification exemptions

There are certain exemptions to the requirement that agencies notify affected individuals of a data breach. For example, if an agency acts quickly to mitigate a data breach, and because of this action the data breach is no longer likely to result in serious harm, there is no requirement to notify any affected individuals. There are also exemptions where notification could:

  • lead to a serious risk of harm to an individual’s health or safety;
  • compromise an agency’s cybersecurity or lead to further data breaches; or
  • prejudice investigations and proceedings.

There are also exemptions where more than one agency is involved, and where notification would be inconsistent with confidentiality or secrecy provisions.

What other assistance is available?

  • For additional information you can access the OIC website or contact the OIC Enquiries Service on 07 3234 7373 or enquiries@oic.qld.gov.au.
  • Connect with IDCare, who help individuals respond when personal information is the subject of a breach. Refer to their website https://www.idcare.org/ or phone IDCare on 1800 595 160.

[1] Section 47 of the IP Act.
[2] Access of this kind could also constitute a disclosure of personal information.

Current as at: July 1, 2025