Published on Office of the Information Commissioner Queensland (https://www.oic.qld.gov.au)

Home Guidelines  >  For government  >  Guidelines - Privacy principles  >  Data breaches  >  Breach management for local government

Breach management for local government

Queensland government agencies, with the exception of local government, are required to comply with the mandatory notification of data breach (MNDB) scheme in the Information Privacy Act 2009 (Qld) (IP Act).

The MNDB scheme will not apply to local governments until 1 July 2026, however local governments are still required to respond appropriately to privacy breaches which occur before that date. This guideline will help local government manage a privacy breach and decide whether to notify individuals whose privacy has been affected by the breach. Local government is encouraged to use the MNDB scheme as a guide for when it would be appropriate to notify.

Privacy breaches

Local government must handle personal information in compliance with the IP Act and its Queensland Privacy Principles. A privacy breach occurs when a local government fails to comply with the IP Act.

Privacy breaches can result from technical issues, human error, inadequate policies and training, a misunderstanding of the law, or deliberate acts. A common cause of a breach is the loss, theft, or mistaken disclosure of personal information, eg a USB flash drive is lost or an email is sent to unintended recipients.

Privacy breach notification

While local government is not yet required to comply with the MNDB scheme, the Office of the Information Commissioner (OIC) strongly encourages local government to notify the OIC and/or affected individuals in the event of a privacy breach.

Notifying the OIC means we can provide information about responding to the breach and assists us to respond to community enquiries about the breach.

OIC also strongly encourages local government to notify affected individuals in appropriate circumstances. Doing so is good privacy practice and promotes openness and transparency.

Responding to a privacy breach

Effective response to a privacy breach has four key steps:

  1. Contain the breach.
  2. Evaluate the foreseeable harm to individuals.
  3. Consider notifying affected individuals and OIC.
  4. Prevent a repeat.

Each step is detailed below. Where possible, the first three steps should be undertaken concurrently. The last step includes longer term solutions and prevention strategies.

Step one: Contain the breach

Local government should take whatever steps are necessary and possible to contain the breach and minimise any resulting damage. This could include recovering the personal information, shutting down systems, suspending activities or revoking or changing access codes or passwords.

If a third party is in possession of the personal information and declines to return it, it may be necessary to seek legal advice on what action can be taken to recover it. When recovering information, ensure copies have not been made or that all copies are recovered.

Care must be taken when containing the breach not to destroy information that may be needed to investigate its cause.

The breach should be escalated internally as appropriate. Senior management responsible for the area where the breach occurred should immediately be informed of the breach. Depending on the breach's circumstances, it may also be appropriate to inform the media relations unit, legal services team, information security manager, the team responsible for managing employee misconduct (such as internal audit, ethical standards or Crime and Corruption Commission liaison officer), and/or the chief executive or relevant Councillors.

Notify the privacy officer

The local government’s privacy contact officer must be informed of all breaches. This officer can provide advice on the application and interpretation of the IP Act and assist in responding to public inquiries about, and managing any complaints that result from, the breach.

Reporting all privacy breaches to a designated position will also support a local government to maintain a central log of breaches that can be used to identify training opportunities or improvements to information handling practices.

In some circumstances, it may be appropriate or necessary to notify a third party of the breach, for example:

  • If the breach involves the loss or unauthorised destruction of a public record, the State Archivist must be notified under the Public Records Act 2023 (Qld)
  • If the breach involve theft or other criminal activity, the Queensland Police Service (QPS) should be notified.
  • If the breach involves a cybersecurity incident, the local government's cybersecurity specialists should be notified. The QPS website also has information about reporting cybercrime.
  • If the breach involves a tax file number, the local government may be a Tax File Recipient required to notify the Office of the Australian Information Commissioner under the Privacy Act 1988 (Cth).
  • If the breach involves corrupt conduct within the meaning of the Crime and Corruption Act 2001, the Crime and Corruption Commission must be notified.

Depending on the circumstances of the breach and the information involved, other notifications may be appropriate, such as:

  • insurance companies
  • relevant financial institutions or credit card companies; or
  • professional or other regulatory bodies.

Step two: Evaluate the associated risks

To identify other appropriate actions, assess the type of personal information involved in the breach and the risks associated with the breach. Factors to consider include:

  • What type of personal information is involved? Some types of personal information are more likely to cause an individual harm when compromised. For example, government issued identifiers, like Medicare or drivers licence numbers, health information, and financial information, like credit card numbers, will generally be more significant than names and email addresses of newsletter subscribers. A combination of personal information will typically create a greater potential for harm than a single piece of personal information (for example, an address, date of birth and driver licence number if combined could be used for identity theft).
  • Who is affected by the breach? What individuals have been affected by the breach, how many individuals have been affected and do any of the individuals have personal circumstances which may put them at particular risk of harm?
  • What caused the breach? Did the breach occur as part of a targeted attack or through inadvertent oversight? Was it a one off incident or does it expose a more systemic vulnerability?  What steps have been taken to contain the breach? Has the personal information been recovered?  Is the personal information encrypted or otherwise not readily accessible?
  • What is the foreseeable harm to the affected individuals? Who is the recipient of the information? Is there evidence that suggests theft, and was the information the target? Evidence of theft could suggest a greater intention to do harm and heighten the need to provide notification to the individual, as well as law enforcement. What possible use is there for the personal information?  For example, could it be used for identity theft, threats to physical safety, financial loss, workplace bullying, loss of employment opportunities, and humiliation or damage to reputation? What is the risk of further access, use or disclosure, including via media or online?

Step three: Consider notifying affected individuals

The IP Act does not yet require local government to notify individuals who have been affected by a privacy breach. However, a failure to notify may compound the damage those individuals experience and reflect negatively on a local government’s reputation. Notification can also demonstrate a commitment to open and transparent governance.

In general, if a data breach creates a risk of harm to an individual, the affected individuals should be notified. Prompt notification in these cases can help mitigate the damage by enabling individuals to take steps to protect themselves.

In some circumstances, notification may be counterproductive and/or cause more harm than good to the individual, particularly if the breach is unlikely to have a negative impact on the individual.For example, if a laptop containing personal information is lost and recovered and it can be confirmed that its data was not accessed, notifying the individuals could cause unnecessary anxiety and desensitise them to significant, potentially harmful, privacy breaches.

Factors local government should consider when deciding whether to notify include:

  • What is the risk of harm to the individual (as determined in the previous step)?
  • What steps has the local government taken, or will the local government take, to prevent, mitigate or remedy any actual or potential harm?
  • What ability does the individual have to take steps to avoid or remedy harm if they are notified?  For example, can the individual have a new credit card number issued to avoid potential financial harm?
  • Even if the individual would not be able to take steps to fix the situation, is the information that has been compromised sensitive, or likely to cause humiliation or embarrassment for the individual?
  • Are there any applicable legislative provisions or contractual obligations that requires the local government to notify affected individuals?

Example: notification not warranted

A local government officer transfers local government information onto an encrypted memory stick to work on from home. The memory stick contains names, phone numbers, and email correspondence of members of the public who are participating in a community consultation project.

At some point between leaving work and arriving home by bus, the officer loses the memory stick. They report it missing the next day to their supervisor and the privacy officer. The bus company's lost property section advises it was not handed in.

While this is a significant amount of personal information, the memory stick was encrypted. If it can be confirmed, eg with IT services, that the data on the memory stick is inaccessible without the proper key to decrypt the information, notifying the individuals whose personal information was held on the memory stick is not warranted.

Example: notification is warranted

A local government officer leaves a paper file containing employee records in a café. The personal information in the records includes the names, home addresses, phone numbers, birth dates, salary information and bank account numbers. Enquiries with the café fail to locate the file.

Due to the potential risk of identity theft represented by the amount and types of personal information, notifying the officers affected by the breach is warranted.

In these circumstances, an appropriate notification would be sent by a sufficiently senior officer of the local government and include an apology, a description of the personal information lost, steps the officers can take in response, how the local government will assist and resources to help mitigate the risk of identity theft. Best practice would also be to outline the measures put in place to prevent any recurrences of the breach and inform officers of their right to make a privacy complaint.

In this example, only local government officers were affected, so notification is relatively simple. The logistics of notifying affected individuals in other circumstances will depend on the type and scale of the breach and whether the local government has current contact details for the affected individuals.

When to notify

In general, individuals affected by the breach should be notified as soon as practicable. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability.

How to notify

It is recommended that affected individuals be notified directly, eg by telephone, letter, email or in person. Indirect notification—eg by posting information on the local government website, placing a public notice in a newspaper, or by way of media release—should generally only be used where the contact information of affected individuals is not known, or where direct notification is prohibitively expensive or could cause further harm (for example, by alerting a person who stolen a laptop as to the value of the information on it).

What to say

Tailor the content of the notification to the circumstances of the particular breach and the individuals affected. Content of a notification could include:

  • information about the breach, including when it happened
  • a description of what personal information was affected by the breach
  • assurances (as appropriate) about what personal information has not been disclosed
  • what the local government is doing to control or reduce the harm
  • what steps the person can take to further protect themselves and what the local government will do to assist people with this
  • contact details within the local government where questions or requests for information can be directed; and
  • information about the right to lodge a privacy complaint and how to do so, including the option to bring it to the OIC if dissatisfied with the local government's response.

Where a risk of harm to the individual has been identified, local governments are strongly encouraged to also notify the OIC.

Step four: Prevent a repeat

Once the breach has been contained, the local government should investigate all relevant causes of the breach and identify short or long term measures to prevent a reoccurrence.

Preventative actions could include a:

  • security audit of both physical and technical security controls
  • review of policies and procedures
  • review of employee training practices; or
  • review of contractual obligations with contracted service providers.

Current as at: July 1, 2025