Mandatory Notification of Data Breach Scheme
The Mandatory Notification of Data Breach Scheme (‘MNDB Scheme’) is a mandatory notification requirement under the Privacy and Personal Information Protection Act 1998 for NSW public sector agencies in the event of an ‘eligible data breach’.
An ‘eligible data breach’ occurs when there is:
- Unauthorised access to, or unauthorised disclosure of, personal information held by Council that would be likely to result in serious harm to an individual to whom the information relates
- The loss of personal information held by Council in circumstances where unauthorised access or disclosure is likely to occur and which would be likely to result in serious harm to an individual to whom the information relates.
A data breach most commonly results in unauthorised access to, or the unauthorised collection, use, or disclosure of, personal information.
- Accidental loss or theft of classified material, data or equipment on which such data is stored (e.g. loss of paper record, laptop, tablet or mobile phone, compact disk or USB stick)
- Unauthorised use, access to or modification of data or information systems (e.g. sharing of user login details, deliberately or accidentally, to gain unauthorised access or make unauthorised changes to data or information systems)
- Unauthorised disclosure of classified material or personal information (e.g. email sent to an incorrect recipient or document posted to an incorrect address or addressee), or personal information posted onto our website without consent
- Compromised user account (e.g. accidental disclosure of user login details through phishing) or malware infection
Personal information is any information that identifies you and could include:
- a written record which may include your name, address and other details about you
- photographs, images, video or audio footage
Council holds varying amounts of personal information, from ratepayer contact information to staff personnel details. You can refer to Council’s Privacy Management Plan or Agency Information Guide for further information.
- Financial loss through fraud
- A likely risk of physical or psychological harm, such as by an abusive ex-partner
- Identity theft, which can affect your finances and/or credit record
- Serious harm to an individual’s or Council’s reputation.
An assessment will be undertaken to determine the seriousness of the breach. Council will consider a range of factors including but not limited to the types of personal information involved, the sensitivity of the information, who has access to the information, whether there were protected security measures in place, the nature of any harm and whether there is a potential for malicious intent.
If Council decides there has been an eligible data breach in relation to your personal information, we must notify you as soon as practicable about that breach. Council will notify you in writing and provide you with information about the eligible data breach, including:
- actions Council has taken or plans to take to control or mitigate the harm done to you
- steps you should consider taking following an eligible data breach
- information about how to seek an internal review of the agency’s conduct or make a privacy complaint to the Privacy Commissioner.
If Council is unable to notify you directly, we will publish a notification on our website and take reasonable steps to publicise the notification. The notification must remain on our public notification register for at least 12 months. Please see the register here.
Register of Public Notifications
| Port Stephens Council Data Breach Identifier | Date of data breach | Date Port Stephens Council became aware of data breach | Description of data breach | Type of data breach |
| --- | --- | --- | --- | --- |
| N/A - There have been no notifications made in the previous 12 months. | | | | |
If you wish to report a suspected data breach, please contact Council by emailing [email protected] with details of the breach and any additional information you think may be relevant.