Mandatory Notification of Data Breach Scheme
The Mandatory Notification of Data Breach Scheme (‘MNDB Scheme’) is a mandatory notification requirement under the Privacy and Personal Information Protection Act 1998 for NSW public sector agencies in the event of an ‘eligible data breach’.
An ‘eligible data breach’ occurs when there is:
- Unauthorised access to, or unauthorised disclosure of, personal information held by Council that would be likely to result in serious harm to an individual to whom the information relates, or
- The loss of personal information held by Council in circumstances where unauthorised access or disclosure is likely to occur and which would be likely to result in serious harm to an individual to whom the information relates.
A data breach most commonly results in unauthorised access to, or the unauthorised collection, use, or disclosure of, personal information.
- Accidental loss or theft of classified material data or equipment on which such data is stored (e.g. loss of paper record, laptop, tablet or mobile phone, compact disk or USB stick)
- Unauthorised use, access to or modification of data or information systems (e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to data or information systems)
- Unauthorised disclosure of classified material or personal information (e.g. email sent to an incorrect recipient or document posted to an incorrect address or addressee), or personal information posted onto our website without consent
- Compromised user account (e.g. accidental disclosure of user login details through phishing) or malware infection
Personal information is any information that identifies you and could include:
- a written record which may include your name, address and other details about you
- photographs, images, video or audio footage
Council holds varying amounts of personal information, from ratepayer contact information to staff personnel details. You can refer to Council’s Privacy Management Plan or Agency Information Guide for further information.
- Financial loss through fraud
- A likely risk of physical or psychological harm, such as by an abusive ex-partner
- Identity theft, which can affect your finances and/or credit record
- Serious harm to an individual’s or Council’s reputation.
If you suspect a data breach has occurred, you must immediately submit an incident form via our website. You may alternatively call Council and ask to speak with a member of our Governance team.
An assessment will be undertaken to determine the seriousness of the breach. Council will consider a range of factors including but not limited to the types of personal information involved, the sensitivity of the information, who has access to the information, whether there were protected security measures in place, the nature of any harm and whether there is a potential for malicious intent.
If Council decides there has been an eligible data breach in relation to your personal information, we must notify you as soon as practicable about that breach. Council will notify you in writing and provide you with information about the eligible data breach, including:
- actions Council has taken or plans to take to control or mitigate the harm done to you
- steps you should consider taking following an eligible data breach
- information about how to seek an internal review of the agency’s conduct or make a privacy complaint to the Privacy Commissioner.
If Council is unable to notify you directly we will publish a notification on our website and take reasonable steps to publicise the notification. The notification must remain on our public notification register for at least 12 months. Please see the register here.
- The Information and Privacy Commission publishes helpful information which can be found here: https://www.ipc.nsw.gov.au/privacy/MNDB-scheme
- Council’s Privacy Management Plan
- Council’s Agency Information Guide
- Council's Data Breach Policy
Register of Public Notifications
| Port Stephens Council Data Breach Identifier | Date of data breach | Date Port Stephens Council became aware of data breach | Description of data breach | Type of data breach |
| --- | --- | --- | --- | --- |
| PSC2024-03825 | 23 September 2024 | 23 September 2024 | Theft of electronic devices at Council premises. | Lost information |
| PSC2024-04311 | 23 October 2024 | 23 October 2024 | Contractor unlawfully disclosed personal information pertaining to functions of Council. | Unauthorised disclosure |
If you wish to report a suspected data breach, please contact Council by emailing databreach@portstephens.nsw.gov.au with details of the breach and any additional information you think may be relevant.