Mandatory notification of data breach
Queensland government agencies[1] must handle personal information[2] in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government[3]) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.
In addition to the MNDB guidelines,[4] agencies may find these templates and quick guides helpful:
Policies and registers
Chapter 3A also requires agencies to create an internal register of eligible data breaches and publish a data breach policy on an accessible agency website.
Refer to Data breach registers and policies and the Data breach policy template and Data breach register template for more information.
Data breaches and eligible data breaches
Chapter 3A of the IP Act applies to personal information held[5] by an agency, unless the personal information is contained in a document to which the privacy principle requirements do not apply.
For chapter 3A, a data breach occurs if there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where there is likely to be unauthorised access to, or unauthorised disclosure of, the personal information.[6]
A data breach will be an eligible data breach if the actual or potential unauthorised access to, or disclosure of, personal information is likely to result in serious harm to an individual to whom the personal information relates (an affected individual).
Refer to Assessing a data breach for guidance on what constitutes unauthorised access, disclosure, loss and serious harm.
When is personal information held by an agency
Personal information is held by an agency if the personal information is contained in a document in the possession, or under the control, of the agency. A document is in an agency’s control if the agency is legally entitled to access it, even if it is in the possession of another entity, eg documents held by an external legal services or IT provider.[7]
Documents held by contracted service providers
Chapter 2, part 3 of the IP Act requires agencies to bind some service providers to comply with the privacy principles requirements in the IP Act. This does not include the MNDB scheme, but because the MNDB scheme applies to personal information in documents held by an agency, a data breach by a service provider may be a data breach of the agency, depending on the nature of the service and the contract.
Refer to Contractors and data breaches for more information.
MNDB Scheme Obligations
If an agency knows or reasonably suspects that a data breach is an eligible data breach, it must immediately take, and continue to take, all reasonable steps to contain and mitigate the data breach.
If an agency knows or reasonably believes that the data breach is an eligible data breach, the agency must notify the Information Commissioner and particular individuals as soon as practicable.
If an agency is not certain whether a data breach is an eligible data breach, it must, within 30 days, assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.
Contain and mitigate
If an agency knows or reasonably suspects that a data breach is an eligible data breach involving personal information held by the agency, it must immediately take, and continue to take, all reasonable steps to contain the data breach and mitigate its harm. This can include:
- making efforts to recover the personal information
- securing, restricting access to, or shutting down breached systems
- suspending the activity that led to the data breach, or
- revoking or changing access codes or passwords.
If a third party is in possession of the personal information and declines to return it, it may be necessary to seek legal advice on what actions can be taken to recover the information. When recovering information, agencies should also take steps to ascertain whether the information has been shared or disseminated and ensure copies have not been made or that all copies are recovered.
Agencies should ensure that containing an eligible or suspected eligible data breach does not destroy information that may be required for an internal or external investigation into the breach.
An agency’s data breach policy should clearly identify the steps to be followed in responding to, containing, and mitigating an eligible or suspected eligible data breach, including appropriate escalation pathways. Depending on the circumstances of the data breach and the agency’s data breach policy, this may include informing:
- the agency’s privacy officer and/or senior management responsible for the area in which the breach occurred, immediately; and
- the head of the agency, and senior personnel responsible for information security, communications, legal services, human resources, and employee misconduct (eg internal audit, ethical standards or Crime and Corruption Commission liaison officer), as appropriate.
Assess the breach
If an agency does not know but reasonably suspects that a data breach is an eligible data breach, it must assess whether there are reasonable grounds to believe it is an eligible data breach. This assessment must be completed within 30 days unless the assessment time is extended under section 49 of the IP Act.
An agency’s assessment and reasons for its decision about whether a data breach is an eligible data breach should be recorded in writing and include the material facts of the specific breach. The assessment should address the matters listed in section 47(2) of the IP Act and any other relevant factors.
Refer to Assessing a data breach for guidance on assessing whether a data breach is an eligible data breach under the MNDB scheme.
Data breaches affecting another agency
If the agency becomes aware that an eligible or suspected eligible data breach may affect another agency, it must give the other agency a written notice of the data breach that includes:
- a description of the data breach; and
- a description of the kind of personal information involved in the data breach, without including any personal information in the description.[8]
Notification obligations
If an agency knows or reasonably believes that there has been an eligible data breach involving personal information held by the agency, it must:
- prepare a statement which includes the information stated in section 51(2) of the IP Act
- give the statement to the Information Commissioner; and
- notify individuals whose personal information was involved in the breach, including the information in section 53(2) of the IP Act.
Refer to Notification under the mandatory notification of data breach scheme for information on the MNDB scheme’s notification obligations.
Exemptions from notification obligations
The MNDB scheme includes exemptions from some or all of the MNDB scheme’s notification obligations.
Refer to Mandatory notification of data breach exemptions for information on these exemptions.
Additional notification
Depending on the nature of the information and the circumstances of the breach, it may be appropriate to notify other entities of a data breach.
Refer to Notification under the mandatory notification of data breach scheme for more information.
Information Commissioner's role
Chapter 3A, part 4 of the IP Act sets out the Information Commissioner's role in relation to eligible data breaches, including:
- giving directions and recommendations to agencies when certain criteria are satisfied; and
- monitoring and investigating agency compliance with the MNDB scheme.
Non-eligible data breaches and voluntary reporting to OIC
Prior to the commencement of the MNDB scheme, OIC administered a voluntary data breach reporting scheme. With the commencement of the MNDB scheme, OIC continues to encourage agencies to advise the OIC of data breaches that do not meet the threshold of an eligible data breach.
OIC agency portal
Agencies can make voluntary and mandatory notifications of data breaches through the OIC agency portal.
Information gathered from voluntary reports will allow OIC to provide agencies with assistance and advice in relation to a data breach and to assist the Information Commissioner in fulfilling their broader performance and monitoring statutory functions under section 135, including:
- promoting understanding of and compliance with the privacy principles
- providing best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act
- conducting compliance audits to assess relevant entities’ compliance with the privacy principles
- initiating privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment
- commenting on any issues relating to the administration of privacy in the public sector environment; and
- issuing guidelines about any matter relating to the Information Commissioner’s functions, including guidelines on how the IP Act should be applied and on privacy best practice generally.
Regulation to collect, use and disclose relevant personal information
Under section 54 of the IP Act, a regulation may provide for the collection, use, and disclosure of ‘relevant personal information’ between agencies where the receiving agency is involved in an eligible data breach, and the information is needed to confirm the name and contact details of a notifiable individual or whether a notifiable individual is deceased.
For section 54(1), the Information Privacy Regulation 2025 (IP Regulation) prescribes:
- the registrar under the Births, Deaths and Marriages Registration Act 2023 as an agency that may disclose relevant personal information to another agency (disclosing agency); and
- that all agencies are receiving agencies that may collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.
Neither the disclosing agency nor the receiving agency is required to comply with a QPP in relation to this disclosure, collection, or use.
‘Notifiable individual’ and ‘relevant personal information’ are defined in section 54.
- [1] Agency includes a Minister.
- [2] Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
- [3] The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
- [4] Which are based on and include material from guidelines developed by the NSW Information and Privacy Commission.
- [5] As defined in section 13 of the IP Act.
- [6] As defined in schedule 5 of the IP Act.
- [7] Because a similar definition is used in the RTI Act, agencies should refer to Documents of an agency and documents of a Minister for more information.
- [8] Section 48(4).
Current as at: July 31, 2025