Data breaches
Since the commencement of the Mandatory Notification of Data Breach (MNDB) scheme on 1 July 2025, Queensland government agencies have specific obligations to contain, mitigate and assess breaches containing personal information, and to notify individuals and the OIC when such breaches are assessed to be eligible under the scheme.
MNDB scheme obligations commence in local councils on 1 July 2026.
Community and agency support – Learnings from IDCARE
The Privacy Commissioner, Alexander White, is joined by interim CEO of IDCARE, Charlotte Davidson, to deliver a presentation that discusses the potential harms faced by people when their personal information is breached, how agencies can lessen the risk of serious breaches, and the importance of communicating with people who are affected by a data breach.
IDCARE is an independent, not-for profit organisation that supports people experiencing scams, identity theft, and cyber threats. Charlotte has over 20 years’ experience across Australian and NSW governments, including 12 years in cyber security and cybercrime intelligence.
Understanding data breach harms to inform agency risk management
Resources for the community
| Link / Download | Description |
|---|---|
| IDCARE: Identity theft and cyber support | IDCARE support is available via a web request or, in Queensland, by calling 07 3555 5900 (open Monday to Friday, 7am to 7pm). |
| Information sheets for the community | We offer guides and resources on Queensland’s privacy laws, including community-focused tips for online privacy, instructions for lodging a privacy complaint, as well as advice on what to do if your data has been breached. |
| At every opportunity...ask! | When an agency requests your personal information, ask these important questions to find out how your information will be handled. |
| Tips for protecting your personal data | Learn simple ways to protect your personal data and privacy. |
Data breaches
OIC’s Assistant Commissioner, Privacy, Helene Wells, highlights some of the challenges and opportunities agencies have been experiencing to ensure they are meeting their data breach notification obligations under the Information Privacy Act. Helene offers an opportunity to reflect on what has been happening since 1 July 2025 and identifies some key areas worthy of further focus.
Lessons learned from the MNDB – so far
Resources for agencies
| Link / Download | Description |
|---|---|
| Mandatory notification of data breach | All the tools, guidance and templates you need to support compliance with your agency’s obligations to contain, mitigate and assess data breaches containing personal information, and to notify individuals and the OIC when a breach is assessed to be eligible under the Mandatory Notification of Data Breach scheme. |
| Assessing a data breach | This guideline clearly explains the steps agencies must follow when assessing whether a data breach is an eligible data breach, and includes a handy flowchart for reference. |
| MNDB Assessment Tool | If a data breach occurs in your agency, use this online tool to help conduct an assessment and determine whether it is an eligible data breach under the MNDB scheme. |
| Quick guide to the MNDB scheme (PDF, 882.23 KB) | This handy reference guide provides a high-level overview of the MNDB scheme and includes tips for agencies to help you prepare. |
| Data breach response plan template (DOCX, 210.11 KB) | Developing a step-by-step plan that sets out how your agency will respond to a data breach is a key component in making sure that data breaches are detected, managed, reviewed and remediated appropriately. This template can be tailored to suit your agency, and should align with the Data Breach Policy and other relevant internal resources. |
