Data breach registers and policies

Overview

Queensland government agencies¹ must handle personal information² in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government³) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.

The MNDB scheme also requires agencies to keep an internal register of eligible data breaches and publish a data breach policy. This guideline is intended to assist agencies to develop their data breach policy and eligible data breach register. It must be read in conjunction with Mandatory notification of data breach.

In addition to the MNDB guidelines,⁴ agencies may find these templates and quick guides helpful:

Data breach registers

Section 72 of the IP Act requires agencies to keep an internal register of eligible data breaches. The register must include:

a description of the eligible data breach, including the type of data breach under section 47
the date the agency gave a statement to the Information Commissioner about the eligible data breach and the date any additional information was provided to the Commissioner under section 51 and 52
if individuals were directly notified about the eligible data breach, the register must include the individuals who were notified and the date and method by which they were notified
if the agency relied on an exemption to not notify the Information Commissioner or individuals, details of the exemption
details of the steps taken by the agency to contain the eligible data breach and mitigate its harm; and
details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.

Depending on the circumstances, agencies may find it useful to include additional information about a data breach in the register, for example:

if an eligible data breach is also a breach of another Act, details of that Act; or
if the agency was required by contract, another law, or circumstances to notify an external party, details of that party and the date of notification.

In addition to being a requirement under the MNDB scheme, maintaining an eligible data breach register will:

contribute to accurate record keeping and reporting processes
assist with tracking and analysing data breach risk and reviewing the efficacy of response methods; and
assist agencies in responding to requests for information from the Information Commissioner.

The Data breach register template and example register at Appendix A will assist agencies to develop a compliant data breach register.

Data Breach Policies

Section 73 of the IP Act requires agencies to prepare and publish a Data Breach Policy (DBP) outlining how it will respond to a data breach, including a breach the agency suspects is an eligible data breach.

The DBP is not required to contain detailed information about an agency’s information security systems, practices or procedures.

What is a DBP and what are the benefits?

A DBP is a documented policy or plan setting out the procedures to be followed if an agency experiences a data breach, including a breach that is a suspected eligible data breach. It should establish the roles and responsibilities of agency staff in responding to and managing a breach.

Data breaches can vary in size and complexity, and the consequences can be significant for individuals whose information is involved. The range of actual or potential harms they can cause include financial fraud, identity theft, damage to reputation, violence, or psychological harms.

Agencies may also experience serious consequences as a result of a data breach. Depending on the data or information involved, breaches may have negative impacts on an agency’s reputation, finances, interests, or operations. Data breaches can result in a loss of confidence and trust in an agency, including in the service it provides.

Having a robust, documented and operationalised DBP can facilitate a timely and effective response to a data breach, in turn avoiding or mitigating potential harms to affected individuals, and reducing the risks to agencies.

Publication of the DBP

Agencies are required to publish their DBP on an accessible agency website.⁵ This will generally be the agency's website, but if the agency does not have a website, it can be included on the website of another appropriate agency. For example, Ministerial DBPs could be published on the departmental website.

Agencies should link to their DBP policy from their Queensland Privacy Principle Policy (QPP Policy)⁶ and intranet or other central staff repository, and ensure all staff know how to access the policy.

What should a DBP include?

A DBP should set out an agency’s plan for dealing with data breaches from start to finish. A clear and precise DBP will enable agencies to:

prepare for, identify, contain, assess, respond to and report on data breaches at the appropriate level and in a timely fashion
identify who in the agency is responsible for taking what action in response to a data breach
take action to mitigate potential harm to individuals and the agency; and
meet obligations under the IP Act.

At a minimum, a DBP should include:

The agency’s preparations for responding to a data breach.
The definition of data breach and eligible data breach.
The agency’s strategy for identifying, reporting, containing, assessing, and managing eligible and suspected eligible data breaches.
How notification obligations will be met if a data breach is assessed as an eligible data breach.
A description of the roles and responsibilities of staff members.
Record keeping requirements.
Post-breach review and evaluation procedures.

It should align with and cross reference other relevant policies and procedures, such as cyber security response plans and QPP Policies. The DBP should be integrated into existing incident or crisis management processes align with relevant Queensland government information security reporting and incident response protocols.

The Data breach policy template and checklist in Appendix B will help agencies develop a compliant and effective DBP.

The agency’s preparations for responding to a data breach

A DBP should provide a high-level outline of the actions the agency has taken to prepare for a data breach, including how these actions fit within the agency’s broader systems, policies, and procedures, eg cyber response, general incident or emergency management processes, communications strategies, and risk management frameworks.

The DBP should also include the key controls, systems, and processes that the agency has established for identifying suspected or actual data breaches and ensuring data breaches are effectively managed.

Training and awareness

Well trained and risk aware staff contribute to a strong frontline defence against privacy risks, including from data breaches involving personal information. Data breach reporting by the Office of the Australian Information Commissioner indicates that breaches caused by human error are a significant component of all breaches involving government agencies.⁷ Prompt identification of breaches and timely reporting by staff is also an important factor in ensuring agencies can effectively respond to and manage breaches.

An agency’s DBP should outline its approach to staff training and awareness in identifying, responding to, and managing data breaches, and any training or awareness activities about other aspects of privacy protection, eg enhancing staff awareness of privacy and cyber principles and current threat trends.

Processes for identifying and reporting breaches

Developing and documenting processes for promptly detecting data breaches will improve an agency’s ability to contain a breach and mitigate potential harms.

An agency’s DBP should clearly explain how internal staff and external entities, eg the public or another agency, can report an actual or suspected data breach and outline the agency's processes for identifying data breaches. This should not include details of specific controls which could place the agency at additional risk.

The appropriate processes for identifying and preventing data breaches will depend on the size and sophistication of an agency, its information holdings, and its security program and controls, but could include:

technical controls (such as Data Loss Prevention tools)
monitoring services (such as dark web monitoring, or social media monitoring)
audits and reviews; and
staff training and awareness.

Service providers and contract provisions

Agencies often outsource functions to external service providers (for example, payroll or IT services). These relationships are usually covered by legally binding contracts, memorandums of understanding, or non-disclosure agreements. The agency’s DBP should include information about its contractual or other controls over these service providers and how it monitors and manages service providers to ensure compliance.

Service providers who are not agencies may be bound to comply with aspects of the IP Act,⁸ but they cannot be bound to comply with the MNDB scheme; it only applies to agencies. Despite this, in some circumstances⁹ the agency’s MNDB obligations will apply if a service provider has a data breach, as discussed in Data breaches and contracted service providers.

Even where a service provider is not bound to comply with the IP Act, agencies should consider including data breach management and notification obligations in service provider contracts and agreements, including an obligation to notify the agency of any data breaches.

Defining and identifying a data breach

A DBP should include a clear explanation of what a data breach and an eligible data breach are, how data breaches can occur, and that identifying, assessing, and responding to data breaches must be conducted on a case-by-case basis. Including examples of the different ways a data breach can occur will be helpful, eg:

loss or theft of physical devices
misconfiguration or overprovisioning of access to systems
accidental or inadvertent disclosure
deliberate disclosure; and
social engineering or hacking.

Scenarios will help raise awareness of high-risk activities and processes that could lead to a breach and how data breaches impact the agency, its functions, and the individuals whose information it handles. For example, an agency that handles a large amount of health information could provide examples or scenarios touching on the actual ways that health information is collected, used, stored, and disclosed in practice, reflecting any known risk factors for that agency.

Strategy for containing, assessing, and mitigating eligible data breaches

A DBP should outline the steps an agency will take to respond to a data breach, including a suspected eligible data breach.

Plan to contain, mitigate harm, assess, notify and prevent

To help ensure responses to data breaches are easily and quickly put into action, the DBP should clearly outline the agency’s process for:

Initial identification and evaluation of suspected breaches and breach reports.
Containing a breach or suspected breach to minimise any harms.
Taking steps to mitigate any harms which may result from the breach. The plan should also make clear that the requirements to contain and mitigate are ongoing obligations which continue while the breach is being managed.
Assessing or evaluating the information involved in the breach and the risks associated with the breach, so as to determine next steps. This should also include steps to assess whether the breach is an eligible data breach as required under the MNDB scheme, including a list of factors which should be considered in this assessment process.
Notifying individuals and the Information Commissioner if the breach is assessed as an eligible data breach.
Post incident review and preventative efforts, based on the type and seriousness of the breach.

Where these processes require decisions about how to manage the breach response, the DBP should identify who is responsible for making those decisions.

Strategies for breaches involving more than one agency

The DBP should include strategies for managing, responding to, and providing notice of data breaches involving other agencies.[10]

This could include documenting key contacts and defining roles and responsibilities regarding assessment, remediation, information flow, and notification.

Notification strategy

The DBP should include a clear notification strategy that is consistent with sections 51 to 54 of the IP Act and enables quick and effective communication with affected individuals and the Information Commissioner.

The strategy should outline:

responsibilities for implementing the notification strategy
how to determine when affected individuals or organisations must be notified
key contacts for communications
responsibilities for notifying the Information Commissioner, consistently with the obligations imposed by sections 51 and 52
how affected individuals will be contacted and notified in accordance with section 53, and communications with affected individuals managed, including how inquiries will be made of disclosing agencies under section 54; and
responsibilities for consulting with any other external stakeholders (such as other agencies who may be impacted by the data breach).

Additional obligations or reporting

Agencies may be required by contract, other laws, or the circumstances of the breach to take additional specific steps in response to a data breach. These could include taking specific containment or remediation actions or engaging with or notifying external stakeholders. A DBP should outline the situations in which external reporting or engagement is necessary. If reporting is discretionary, it should include guidance on making the decision.

Depending on the circumstances of the data breach and the categories of data involved, agencies may need to report to or engage with:

Queensland Police Service
Crime and Corruption Commission Queensland
Queensland Government Chief Information Officer
The Office of the Australian Information Commissioner
Australian Federal Police
The Australian Taxation Office
The Australian Digital Health Agency
The Australian Cyber Security Centre
Any third-party organisations or agencies whose data may be affected
Financial services providers
Professional associations, regulatory bodies, or insurers; or
Foreign regulatory agencies.

Agencies may also wish to canvass media and general communications strategies in their DBP.

Roles and responsibilities

Clearly establishing data breach roles and responsibilities will help ensure prompt responses to a data breach. A DBP should set out the roles and functions of agency heads, executive officers, privacy officers, staff generally and any other relevant internal parties in identifying, reporting, and responding to an actual or suspected data breach.

The DBP should identify the breach response team including:

roles and functions within the team
subject matter expertise required in the team—this could include incident response specialists, legal, communications, cybersecurity, physical security, human resources, key agency operations staff and key outsourcing/relationship managers; and
who in the team is responsible for dealing with the relevant elements of the breach.

It should contain escalation procedures for staff, including how to immediately report a suspected breach, when line managers can handle a breach, and the circumstances in which a breach should be escalated to the response team, eg due to the severity of the breach or the level of response required.

It should also identify who is responsible for:

making escalation decisions at each level
assessing and identifying the agency's reporting obligations, including notification to the Information Commissioner, individuals, external stakeholders, or other bodies
maintaining, testing, and updating the DBP
data breach recordkeeping; and
post-breach review and evaluation.

Capability, expertise, and resourcing

Prompt action is critical when responding to a data breach. Response strategies will only be effective if they can be quickly and effectively implemented and actioned. This depends on staff, or other people such as external contractors, having the relevant skillsets and being available to deal with the breach.

A DBP should outline the agency’s strategy for ensuring:

That it has resourcing and personnel with the necessary expertise to respond effectively. To be properly prepared for complex incidents, this may involve engaging (in advance) an outsourced cyber incident response service provider.
That agency staff who are likely to be required to assess a data breach or make an escalation decision, are trained and capable of adequately assessing the breach and its impact. Where possible, these staff should be involved in policy testing and review processes.

Recordkeeping

The agency's processes for documenting breach and suspected breach management and response should be included in the DBP. Keeping appropriate records will provide evidence of how the agency actually responded to a breach or suspected breach, including breaches that do not get escalated to the breach response team or do not meet the eligible data breach threshold.

Accurate records will also assist in tracking and analysing data breaches, including the effectiveness of the response methods. This may enable agencies to identify and remedy weaknesses in security or processes that present a higher risk of error.

Recordkeeping responsibility should be clarified in the DBP. This should include:

assigning responsibility for keeping the register of eligible data breaches required under section 72; and
publishing, monitoring and reviewing the currency of public notifications of data breaches published to the agency website under section 53(1)(c).

Post-breach review and evaluation

Understanding which processes worked well, how issues were handled, and areas for improvement in the management of a data breach is an important component of the data breach administration process. This is particularly relevant to mitigating future risks, preventing reoccurrence of similar breaches, and improving personal information handling processes in line with expectations of the community and regulators.

DBPs should include:

A strategy to identify and remediate any processes or weaknesses in data handing that may have contributed to the breach.
A post-response assessment of how the agency responded to the breach and the effectiveness of the DBP.

Post-breach review and evaluation will identify any changes needed to process or procedures and is a key part of ensuring agencies can proactively and effectively manage data breaches.

Testing and review schedule

Agencies should consider regular testing and review of the DBP to ensure it is operationally effective, up to date, and properly considers internal agency structure and function, and the changeability of the external threat environment.

Regular testing will also contribute to staff understanding their roles and responsibilities and becoming familiar with escalation procedures for more complex breach incidents. It will also allow for the checking of response processes, such as contact numbers, approval processes and reporting lines to ensure that they are current.

DBPs should be reviewed, tested, and updated at least annually, but agencies should consider developing a schedule for reviewing and updating their DBPs appropriate to their specific agency. The testing and review schedule should be set out in the DBP.

Appendix A – Eligible Data Breach Register example

Register of Eligible Data Breaches (EDB) (as required by section 72 Information Privacy Act 2009)
Date of Breach	Description of EDB / type of data breach	Date statement provided to OIC	Date additional information supplied to OIC or N/A	Individuals notified, including date and method	Details of any exemption(s) relied on, or N/A	Steps taken to contain and mitigate	Actions taken to prevent similar breaches

Appendix B – Checklist for Data Breach Policy (DBP)

Information to be included	Yes/No	Comments
Steps the agency has taken to prepare for a data breach
What a data breach is and how staff or external parties can identify and report one
The agency’s plan for containing, assessing, and managing data breaches
Processes that outline when and how individuals are notified
Processes for responding to incidents that involve another entity
Circumstances in which external engagement, including with law enforcement, regulators (such as the Information Commissioner), or other third parties may be necessary
Requirements under agreements with third parties such as insurance policies or service agreements
A clear communication strategy
Clear escalation procedures and reporting lines for suspected data breaches
Members of the data breach response team, including roles, reporting lines and responsibilities
Details of any relevant external expertise or resources and when they should be engaged
A record-keeping policy to ensure that breaches are documented
A schedule for regular review and testing of the DBP
A review process for identifying and addressing any root causes that contributed to the breach
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach policy

Appendix A – Eligible Data Breach Register example

Register of Eligible Data Breaches (EDB) (as required by section 72 Information Privacy Act 2009)
Date of breach
Description of eligible data breach/type of breach
Date statement provided to the OIC
Date additional information supplied to OIC or N/A
Individuals notified, including date and method
Details of any exemption(s) relied on, or N/A
Steps taken to contain and mitigate
Actions taken to prevent similar breaches

Appendix B – Checklist for Data Breach Policy (DBP)

Information to be included	Yes/No	Comments
Steps the agency has taken to prepare for a data breach
What a data breach is and how staff can identify one
The agency’s plan for containing, assessing, and managing data breaches
Processes that outline when and how individuals are notified
Processes for responding to incidents that involve another entity
Circumstances in which external engagement, including with law enforcement, regulators (such as the Information Commissioner), or other third parties may be necessary
Requirements under agreements with third parties such as insurance policies or service agreements
A clear communication strategy
Clear escalation procedures and reporting lines for suspected data breaches
Members of the data breach response team, including roles, reporting lines and responsibilities
Details of any relevant external expertise or resources and when they should be engaged
A record-keeping policy to ensure that breaches are documented
A schedule for regular review and testing of the DBP
A review process for identifying and addressing any root causes that contributed to the breach
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach policy

1 Agency includes a Minister.
2 Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
3 The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
4 Which are based on and include material from guidelines developed by the NSW Information and Privacy Commission.
5 Section 73(2).
6 Under Queensland Privacy Principle (QPP) 1.3, all agencies must have a clearly expressed and up-to-date QPP privacy policy.
7 Office of the Australian Information Commissioner, February 2024, “Notifiable data breaches report - July to December 2023”, page 34..
8 Under chapter 2, part 3 of the IP Act.
9 The MNDB obligations apply to personal information in documents held by the agency; the definition of held includes documents that the agency has a legal right to access, even if they’re not currently in the agency’s physical possession.
10 Section 48(4) provides that where an agency becomes aware an eligible or suspected eligible data breach may affect another agency, the first agency must give that other agency written notice of the breach.

Current as at: July 31, 2025