Notification under the mandatory notification of data breach scheme

Overview

Queensland government agencies[1] must handle personal information[2] in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government[3]) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.

This guideline is intended to assist agencies in making the notifications required by the MNDB scheme. It must be read in conjunction with Mandatory notification of data breach.

In addition to the MNDB guidelines,[4] agencies may find these templates and quick guides helpful:

Notification obligations

If an agency reasonably believes that there has been an eligible data breach involving personal information held by the agency, it must give a statement to the Information Commissioner that contains the information required by section 51(2) of the IP Act and notify individuals whose personal information was involved in the breach.

There are a number of exemptions to the notification requirements. These are explained in Mandatory notification of data breach exemptions.

Notifying the Information Commissioner

Unless an exemption applies, agencies must notify the Information Commissioner as soon as practicable after forming the belief that a data breach is an eligible data breach. Notification can be made using the online portal.

As set out in section 51 of the IP Act, the agency must prepare and give the Information Commissioner a statement which includes:

  • the name of the agency and, if more than one agency was affected by the data breach, the name of any other agency
  • whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies
  • the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach
  • the date the data breach occurred (if known)
  • a description of the data breach, including the type of eligible data breach under section 47
  • a description of the kind of personal information involved in the data breach, without including any personal information in the description
  • information about how the data breach occurred
  • if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach
  • the agency's recommendations about the steps individuals should take in response to the data breach
  • the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of individuals whose personal information was accessed, disclosed or lost and affected individuals for the data breach
  • whether the notified individuals have been advised how to make a privacy complaint to the agency under section 166A; and
  • the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number, or, if relying on section 57, the total number of individuals who would have been notified or, if it is not reasonably practicable to work out the total number, an estimate of the total number.

If it is not reasonably practicable to include some of this information in the initial notification to the Information Commissioner (eg the agency may not yet know the total number of affected individuals), the agency must take all reasonable steps to provide the required information to the Information Commissioner as soon as practicable.[5]

Notifying particular individuals

Unless an exemption applies, as soon as practicable after forming a reasonable belief that a data breach is an eligible data breach, an agency must notify individuals as set out in section 53.

Section 53 provides three options for notifying individuals, depending on what is reasonably practicable in the circumstances. Whether an option is reasonably practicable will depend on a number of factors, including:

  • the time, cost and the effort required to notify affected individuals; and
  • the currency and accuracy of their contact details, which will affect the ability of the agency to notify the affected individuals.[6]

Option 1: Notify each individual

If it is reasonably practicable to notify each individual whose personal information was accessed, disclosed or lost, the agency must take reasonable steps to notify each individual of the required information.

Option 2: Notify each affected individual

If option 1 does not apply, agencies must take reasonable steps to notify each affected individual[7] whose personal information was accessed, disclosed or lost if it is reasonably practicable to do so.

Option 3: Publish information

If options 1 and 2 do not apply, an agency must publish the required information on an accessible agency website for a period of at least 12 months. An agency is not required to include information in its notice that would prejudice its functions.

An agency must also advise the Information Commissioner how to access the notice and the Information Commissioner is required to publish the notice on the Commissioner's website for at least 12 months.


Figure 1: Options for individual notification (must be attempted in sequence)

[Flowchart of the three notification options: Option 1 (notify each individual), then Option 2 (notify each affected individual), then Option 3 (publish information)]

Required information when notifying individuals

Section 53(2) of the IP Act sets out the information that agencies must, to the extent it is reasonably practicable, give to individuals or include in the public notice:

  • the name of the agency and, if more than one agency was affected by the data breach, the name of any other agency
  • the contact details of the agency or a person nominated by the agency for an affected individual to contact in relation to the data breach
  • the date the data breach occurred (if known)
  • a description of the data breach, including the type of eligible data breach under section 47
  • information about how the data breach occurred
  • the agency's recommendations about the steps an affected individual should take in response to the data breach
  • if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
  • the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to affected individuals due to the data breach; and
  • information about how an individual can make a privacy complaint to the agency under section 166A.

If an individual is notified directly, the notice to the individual must also include a description of their personal information involved in the eligible data breach and the agency's recommendations about any steps they should take in response. Refer to the MNDB notification template guideline for a template for individual notification.

For public notification via an agency's website, the notification must include a description of the kinds of personal information involved in the data breach, but must not include any personal information in the description.

Notifying children

Where a data breach involves the personal information of a child, notification should generally be made to the child’s parent or legal guardian.

For minors aged 16 years or older, it may be appropriate to make the notification directly to the child.

Notifying other individuals

There is no requirement to notify individuals whose personal information was not involved in the breach. However, if an agency identifies an individual who is likely to suffer harm as a result of the breach despite their personal information not being involved, agencies may wish to consider notifying these individuals if it can be done without the risk of further breaches.

Notifying other entities

While not required by the IP Act, in some circumstances it may be appropriate, or agencies may be required, to notify other entities of a data breach. For example:

  • If the breach involves ‘corrupt conduct’ within the meaning of the Crime and Corruption Act 2001 (Qld), the Crime and Corruption Commission Queensland must be notified.
  • Cyber and information security incidents must be reported to the Queensland Government Information Security Virtual Response Team, according to the Business Impact Level.
  • If the breach involves a cyber security incident that results in a loss and the entity is an agency covered by the Queensland Government Insurance Fund (QGIF), QGIF should be notified.
  • If the breach appears to involve theft or other criminal activity, the Queensland Police Service (QPS) should be notified as a matter of course. The QPS website has links and assistance to report cybercrime and other offences.
  • If the breach involves the loss or unauthorised destruction of a public record, an entity subject to the Public Records Act 2023 (Qld) must notify the State Archivist.
  • Entities with obligations under the Privacy Act 1988 (Cth) Notifiable Data Breaches (NDB) scheme (e.g. Tax File Number recipients) may be obliged under the NDB scheme to report the breach to the Office of the Australian Information Commissioner.

It may also be appropriate to notify the agency’s portfolio Minister, financial institutions or credit card companies, or professional or other regulatory bodies.

[1] Agency includes a Minister.
[2] Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
[3] The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
[4] Which are based on and include material from guidelines developed by the NSW Information and Privacy Commission.
[5] Section 52 of the IP Act.
[6] Section 54 allows agencies to seek and receive contact details and other relevant personal information of affected individuals from the Registrar of Births, Deaths and Marriages, as set out in the Information Privacy Regulation 2025.
[7] Affected individuals are those for whom the actual or potential unauthorised access or disclosure of their personal information would be likely to result in serious harm, as set out in section 47(1) of the IP Act.

Current as at: July 31, 2025