Notification under the mandatory notification of data breach scheme

Overview

Chapter 3A of the Information Privacy Act 2009 establishes a mandatory notification of data breach (MNDB) scheme for agencies other than local government, for which the scheme will commence on 1 July 2026.[1]

The MNDB scheme imposes various obligations on agencies[2] regarding data breaches and suspected eligible data breaches. Two of the main obligations are to notify the Information Commissioner and to notify particular individuals when an agency knows or reasonably believes that there has been an eligible data breach of the agency.[3]

This guideline is intended to help agencies understand and comply with these obligations to notify.

The Office of the Information Commissioner (OIC) has also developed the OIC Agency Portal, an online platform that enables agencies to act on their voluntary or mandatory reporting obligations under the MNDB scheme.

This guideline should be read in conjunction with other MNDB guidelines.

Notification obligations

If an agency reasonably believes that there has been an eligible data breach involving personal information held by the agency, it must:[4]

  • prepare a statement which includes the information stated in section 51(2)
  • give the statement to the Information Commissioner; and
  • notify any individuals affected by the breach, including notifying the information stated in section 53(2).

Notifying the Information Commissioner

Unless an exemption applies, agencies must notify the Information Commissioner as soon as practicable after forming the belief that a data breach is an eligible data breach. Notification can be made using the online portal.

Under section 51, the agency must prepare and give the Information Commissioner a statement, which must include:

  • the name of the agency and, if more than one agency was affected by the data breach, the name of any other agency
  • whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies
  • the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach
  • the date the data breach occurred (if known)
  • a description of the data breach, including the type of eligible data breach under section 47
  • a description of the kind of personal information involved in the data breach, without including any personal information in the description
  • information about how the data breach occurred
  • if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach
  • the agency's recommendations about the steps individuals should take in response to the data breach
  • the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of individuals whose personal information was accessed, disclosed or lost, and of affected individuals for the data breach
  • whether the notified individuals have been advised how to make a privacy complaint to the agency under section 166A; and
  • the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number, or, if relying on section 57, the total number of individuals who would have been notified or, if it is not reasonably practicable to work out the total number, an estimate of the total number.

If it is not reasonably practicable to include some of the above information in the initial notification to the Information Commissioner (e.g. the agency may not yet know the total number of affected individuals), the agency must take all reasonable steps to provide the required information to the Information Commissioner as soon as practicable.[5]

Notifying particular individuals

Unless an exemption applies, as soon as practicable after forming a reasonable belief that a data breach is an eligible data breach, an agency must take the steps set out in section 53 to notify particular individuals and provide them with the information required in section 53(2) (the required information).

Section 53 provides three options for notifying individuals, depending on what is reasonably practicable in the circumstances. Whether an option is reasonably practicable will depend on a consideration of factors, including:

  • the time, cost and the effort required to notify affected individuals; and
  • the currency and accuracy of their contact details, which will affect the ability of the agency to notify the affected individuals (noting, however, the mechanism for confirming the contact details and other information of affected individuals prescribed in section 54, discussed below).[6]

Option 1: Notify each individual

If it is reasonably practicable to notify each individual whose personal information was accessed, disclosed or lost, the agency must take reasonable steps to notify each individual of the required information.

Option 2: Notify each affected individual

If Option 1 does not apply, agencies must take reasonable steps to notify each affected individual of the required information for the data breach, if doing so is reasonably practicable.

Under section 47(1)(a)(ii) and (b)(ii), an ‘affected individual’ is someone:

  • to whom the personal information relates; and
  • who is likely to suffer serious harm as a result of the data breach.

'To whom the information relates' is not defined in the IP Act. It should be given its ordinary meaning, which is the individual whom the personal information concerns. An individual will be an affected individual if the information involved in an eligible data breach is about them, regardless of whether it was originally collected from that individual or from a third party.

Option 3: Publish information

If Options 1 and 2 do not apply, an agency must publish the required information on an accessible agency website for a period of at least 12 months. An agency is not required to include information in its notice if doing so would prejudice its functions.

An agency must advise the Information Commissioner how to access the notice and the Information Commissioner is required to publish the notice on the Commissioner's website for at least 12 months.

Figure 1: Options for individual notification (must be attempted in sequence)

[Figure: flowchart of the three notification options]

Required information when notifying individuals

The information that must be given to an affected individual or included in the agency's public notice under section 53(2) must, to the extent it is reasonably practicable, include:

  • the name of the agency and, if more than one agency was affected by the data breach, the name of any other agency
  • the contact details of the agency or a person nominated by the agency for an affected individual to contact in relation to the data breach
  • the date the data breach occurred (if known)
  • a description of the data breach, including the type of eligible data breach under section 47
  • information about how the data breach occurred
  • the agency's recommendations about the steps an affected individual should take in response to the data breach
  • if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to affected individuals due to the data breach; and
  • information about how an individual can make a privacy complaint to the agency under section 166A.

If an individual is notified directly, the notice to the individual must also include a description of their personal information involved in the data breach, and the agency's recommendations about any steps they should take in response to the eligible data breach. Refer to the MNDB template guideline for a template for individual notification.

For public notification via an agency's website, the notification must include a description of the kind of personal information involved in the data breach, without including any personal information in the description.

Notifying children

Where a data breach involves the personal information of a child, notification should generally be made to the child’s parent or legal guardian.

For minors aged 16 years or older, it may be appropriate to make the notification directly to the child.

Notifying other individuals

There is no requirement to notify individuals whose personal information is not involved in a data breach. However, if an agency identifies an individual who is likely to suffer harm for reasons other than their personal information being involved, it may wish to consider notifying that individual if it is possible to do so without the risk of further breaches, as this may assist in mitigating any risk of harm.

Exemptions from notification obligations

Chapter 3A, part 3, division 3 of the IP Act sets out the circumstances in which an agency is not required to comply with the notification obligations, including where:

  • complying with the obligation would be likely to prejudice an investigation that could lead to the prosecution of an offence or proceedings before a court or tribunal
  • the eligible data breach involves more than one agency, and another agency is undertaking the notification obligations
  • the agency has taken specified remedial action under section 57
  • compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information
  • compliance would create a serious risk of harm to an individual's health or safety; and
  • compliance is likely to compromise or worsen the agency's cybersecurity or lead to further data breaches of the agency.

A number of these exemptions have limitations or impose additional obligations. Refer to Mandatory notification of data breach exemptions for more information.

Notifying other entities

While not required by the IP Act, in some circumstances it may be appropriate – or agencies may be required – to notify other entities of a data breach, for example:

  • If the breach involves ‘corrupt conduct’ within the meaning of the Crime and Corruption Act 2001 (Qld), the Crime and Corruption Commission Queensland must be notified.
  • Cyber and information security incidents may need to be reported to the Queensland Government Information Security Virtual Response Team, according to the Business Impact Level.
  • If the breach involves a cyber security incident that results in a loss and the entity is an agency covered by the Queensland Government Insurance Fund (QGIF), QGIF should be notified.
  • If the breach appears to involve theft or other criminal activity, the Queensland Police Service (QPS) should be notified as a matter of course. The QPS website has links and assistance to report cybercrime and other offences.
  • If the breach involves the loss or unauthorised destruction of a public record, an entity subject to the Public Records Act 2023 (Qld) must notify the State Archivist.
  • Entities with obligations under the Privacy Act 1988 (Cth) National Data Breach (NDB) scheme (e.g. Tax File Number recipients) may be obliged under the NDB scheme to report the breach to the Office of the Australian Information Commissioner.

Depending on the circumstances of the data breach and the information involved, other notifications may be appropriate, for example to the agency’s portfolio Minister, financial institutions or credit card companies, or professional or other regulatory bodies.

Agencies should note that the above reporting obligations and considerations may apply to any breach or compromise of any type of information, and not only to those assessed as eligible data breaches under the MNDB scheme.

Non-eligible data breaches and voluntary reporting to OIC

Prior to the commencement of the MNDB scheme, OIC administered a voluntary data breach reporting scheme, which we continue to operate.

The Information Commissioner encourages agencies to advise the OIC of data breaches that do not meet the threshold of an ‘eligible data breach’. Information gathered from voluntary reports will allow the OIC to provide agencies with assistance and advice in relation to a data breach, and will assist the Information Commissioner in fulfilling the broader performance and monitoring statutory functions under section 135, including:

  • promoting understanding of and compliance with the privacy principles
  • providing best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act
  • conducting compliance audits to assess relevant entities’ compliance with the privacy principles
  • initiating privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment
  • commenting on any issues relating to the administration of privacy in the public sector environment
  • issuing guidelines about any matter relating to the Information Commissioner’s functions, including guidelines on how the IP Act should be applied and on privacy best practice generally; and
  • supporting applicants of any type under the IP Act, and all relevant entities to the extent they are subject to the operation of the IP Act.

Regulation to collect, use and disclose relevant personal information

Under section 54, a regulation may provide for the collection, use, and disclosure of ‘relevant personal information’ between agencies where the receiving agency is involved in an eligible data breach, and the information is needed to confirm the name and contact details of a notifiable individual or whether a notifiable individual is deceased.

For section 54(1) of the IP Act, the Information Privacy Regulation 2025 (IP Regulation) prescribes:

  • the registrar under the Births, Deaths and Marriages Registration Act 2023 as an agency that may disclose relevant personal information to another agency (disclosing agency); and
  • that all agencies are receiving agencies that may collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.

Neither the disclosing agency nor the receiving agency is required to comply with a QPP in relation to this disclosure, collection, or use. ‘Notifiable individual’ and ‘relevant personal information’ are defined in section 54.

[1] Local government should refer to Breach management and notification for local government.
[2] Agencies should note that OIC is continuing operation of its existing voluntary breach reporting scheme; agencies are encouraged to report non-eligible breaches by way of the voluntary scheme.
[3] Sections 51 and 53.
[4] To the extent that an exemption may apply under part 3, division 3 of chapter 3A of the IP Act.
[5] Section 52.
[6] In summary terms, section 54 will allow agencies to seek and receive contact details and other relevant personal information of affected individuals from ‘disclosing agencies’ to be prescribed under regulation.

Current as at: July 1, 2025