Draft Data Breach Policy

Share Draft Data Breach Policy on Facebook Share Draft Data Breach Policy on Twitter Share Draft Data Breach Policy on Linkedin Email Draft Data Breach Policy link

Consultation has now concluded.

Changes to the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires local government agencies to provide a publicly available data breach policy. We have developed a draft policy and are now seeking feedback on it.

The report to Council (available for download to the right) outlines the changes to the PPIA Act which includes Council's obligations if a data breach occurs.

Summary of changes to the PPIA Act

  • The Privacy Commissioner is creating a Mandatory Notification of Data Breach (MNDB) Scheme which will require us to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm.
  • If there is a suspected data breach we will be required to:
    • Make all reasonable efforts to contain the breach
    • Assess whether there has been unauthorised access, disclosure or loss of personal information held by the agency within a 30-day period.
    • Assess if there is a likelihood of serious harm to any affected individual within a 30-day period.
    • Make all reasonable attempts to mitigate the harm done by the suspected breach.
  • We must maintain a public register on the website of data breach notifications. Each notification must be made available for at least 12-months and must contain specified information.

Submissions on the draft policy are open until close of business Monday 29 January 2024.

Submissions may be made:

Privacy: Submissions with the author’s name and contact details will be provided to Councillors for consideration. However, names and contact information will be removed when the submissions are included in public documents such as Council Business Papers.

Changes to the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires local government agencies to provide a publicly available data breach policy. We have developed a draft policy and are now seeking feedback on it.

The report to Council (available for download to the right) outlines the changes to the PPIA Act which includes Council's obligations if a data breach occurs.

Summary of changes to the PPIA Act

  • The Privacy Commissioner is creating a Mandatory Notification of Data Breach (MNDB) Scheme which will require us to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm.
  • If there is a suspected data breach we will be required to:
    • Make all reasonable efforts to contain the breach
    • Assess whether there has been unauthorised access, disclosure or loss of personal information held by the agency within a 30-day period.
    • Assess if there is a likelihood of serious harm to any affected individual within a 30-day period.
    • Make all reasonable attempts to mitigate the harm done by the suspected breach.
  • We must maintain a public register on the website of data breach notifications. Each notification must be made available for at least 12-months and must contain specified information.

Submissions on the draft policy are open until close of business Monday 29 January 2024.

Submissions may be made:

Privacy: Submissions with the author’s name and contact details will be provided to Councillors for consideration. However, names and contact information will be removed when the submissions are included in public documents such as Council Business Papers.