NSW IPC releases first report on data breaches scheme

The Information and Privacy Commission (IPC) NSW has released its first report charting the inaugural seven months of the Mandatory Notification of Data Breaches (MNDB) Scheme.

The report, considering the period from 28 November 2023 to 30 June 2024, indicated there were 52 data breaches notified to the Privacy Commissioner in total, with the number of notifiable breaches received per month rising towards the end of the period.

According to the information collected across government, local government and university levels, 65 per cent of the notifications were made by the government sector, and only 29 per cent involved a ‘malicious or criminal attack’ while 79 per cent involved human error.

The report also said approximately 64 per cent of data breaches were discovered within 10 days of them first occurring. The university sector had the highest level of criminal involvement in notified data breaches (44 per cent), with the largest number of affected individuals compared to the other two cohorts (62,951 people versus 7,054 for local government and 1,173 for government).

“As a community we have seen the serious harms that data breaches have had on individuals whose personal information was disclosed – financial loss, identity theft, emotional distress, embarrassment and reputational damage,” Acting NSW Privacy Commissioner, Sonia Minutillo, said in the report.

“Whether caused by accidental human error or malicious actors seeking financial advantage, data breaches are a real and significant risk for NSW public sector agencies. A data breach has real consequences for both the agency and affected individuals.

“If not managed swiftly and effectively, data breaches undermine trust and confidence in an agency, its capacity to safeguard valuable personal information and in the services and functions undertaken by government agencies.

“The number of people in Australia who have been impacted by a data breach has grown considerably due to a series of large-scale data breaches at the national level. In 2023, the Office of the Australian Information Commissioner (OAIC) reported that in the previous 12 months, 47% of adult Australians had been notified by an organisation that their personal information had been involved in a data breach.”

The results of the MNDB Scheme report also follow in the wake of the IPC’s own NSW Community Attitudes Survey 2024 released in March, which found the number of people in NSW who had been impacted by a data breach had surged compared to 2022.

Around 31 per cent of survey respondents reported being impacted by a data breach, increasing by 14 per cent from 2022. Only just over half (51 per cent) of respondents were advised by agencies on the next steps to take, with 22 per cent saying they were not offered advice or assistance – this figure was also up by 14 per cent from the previous period.

“The MNDB Scheme was established to ensure that NSW public sector agencies respond swiftly to data breaches when they occur and provide transparent information to those individuals affected by a breach. The Scheme imposes obligations on agencies to mitigate the harm that may arise from a data breach, make notifications to the affected individuals and the Privacy Commissioner when an eligible data breach occurs, take steps to prevent further breaches occurring and provide advice to individuals on the steps they should take following a data breach,” Minutillo said.

“The MNDB Scheme requires agencies to adopt privacy practices that go to the heart of accountability and transparency. The timely provision of notifications ensures that individuals are informed of risks to their personal information and equipped with the knowledge to protect their privacy, their identity and their financial security. How an agency prepares for and responds to a data breach will determine whether it retains the trust and confidence of the public. Open and transparent notifications are core to this process.

“Going forward, the IPC will continue to provide guidance and support to agencies as they operationalise their data breach response function and grow their maturity in complying with the requirements of the MNDB Scheme. As further data is collected, the IPC will provide additional insights and observations concerning agency practices in responding to data breaches.”