NSW to Introduce Mandatory Notification of Data Breach Scheme

NSW will become the first Australian state or territory to introduce a mandatory scheme that requires state public sector agencies to notify the Privacy Commissioner and affected individuals of data breaches.


Unlike the Privacy Act 1988 (Cth) (Privacy Act), there are currently no requirements under the Privacy and Personal Information Protection Act 1988 (NSW) (PPIP Act) for NSW public sector agencies to notify individuals who are affected by data breaches. Rather, the Information and Privacy Commission encourages a voluntary policy where NSW public sector agencies voluntarily report data breaches to the Privacy Commissioner.

In July 2019, the NSW Department of Communities and Justice opened consultation to consider whether a mandatory reporting scheme should be implemented in NSW. The consultation found “overwhelming public support” in favour of such a scheme in NSW. Two years after the consultation, Attorney General, Mark Speakman has proposed a mandatory data breach scheme in NSW’s privacy framework (MNDB Scheme).

On 7 May 2021, the NSW Government announced that the MNDB scheme will create new standards of accountability and transparency to protect personal information. The response is prompted by the increasing number of reported data breaches such as the Service NSW data breach in May 2020, which was heavily criticised in the NSW Auditor-General’s Report to Parliament.

How will the MNDB Scheme work?

The Privacy and Personal Information Protection Amendment Bill 2021 (The PPIP Amendment Bill) creates the MNDB scheme and extends the PPIP Act to include NSW state-owned corporations that are not regulated by the Privacy Act. It is intended that the MNDB Scheme will fill in the gaps of the Commonwealth Notifiable Data Breaches Scheme (NDB Scheme) which was introduced in early 2018.

Public sector agencies that are regulated by the PPIP Act will be required to immediately notify the Privacy Commissioner of an eligible data breach that would likely result in serious harm to an individual.

The PPIP Amendment Bill defines an eligible data breach where:

1. there is unauthorised access or unauthorised disclosure of personal information, and a reasonable person would conclude that it would lead to serious harm to an individual; or
2. personal information is lost where unauthorised disclosure or information is likely to occur and a reasonable person would conclude that it would lead to serious harm to an individual.

The PPIP Amendment Bill Factsheet defines serious harm as financial, psychological physical and reputational harm and intends to apply the serious harm threshold in the NDB Scheme to the MDNB Scheme.


Following public consultation on 18 June 2021, it is anticipated that the PPIP Amendment Bill will be introduced in the NSW Parliament in 2021. The MNDB Scheme will commence 12 months following the passing of the PPIP Amendment Bill. Considering the above, we recommend that public sector agencies should begin review of their internal processes to ensure compliance with the proposed notification obligations.

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.

Related News

Walton Construction Class Action – Media Release

MEDIA RELEASE 16 May 2024 Subcontractors Alliance confirms that Williams & Kersten Pty Ltd, the Lead Applicant in a Federal Court class action against National

Read More

The duty of utmost good faith

In life, they say that honesty is the best policy. But did you know that it is actually also one of the most important provisions in

Read More

Recoveries against third party insurers direct

Did you know? When an at-fault third party cannot be found or is dead, or a third party company is deregistered, a cause of action

Read More

Get in touch

Contact our team today

Stay informed

Keep up-to-date with our regular news and insights

This field is for validation purposes and should be left unchanged.
William Roberts Lawyers


Level 22
66 Goulburn Street


Level 21
535 Bourke Street


Level 8
300 Ann Street


Level 19
Singapore Land Tower
50 Raffles Place