Complying with the MNDB Scheme

Under the MNDB Scheme, agencies are required to comply with the mandatory notification provisions under Part 6A of the PPIP Act.

Agencies have an obligation to:

• immediately make all reasonable efforts to contain a data breach
• undertake an assessment within 30 days where there are reasonable grounds to suspect there may have been an eligible data breach
• during the assessment period, make all reasonable attempts to mitigate the harm done by the suspected breach
• decide whether a breach is an eligible data breach or there are reasonable grounds to believe the breach is an eligible data breach
• notify the Privacy Commissioner and affected individuals of the eligible data breach
• comply with other data management requirements.

In support of these obligations, the IPC has released the Data Breach Self-assessment Tool for MNDB, and the Data Breach Notification to the Privacy Commissioner form, which sets out the information that agencies must supply to the Privacy Commissioner when making a notification of an eligible data breach.

• Roles & responsibilities – agencies should have clear roles and responsibilities for managing a data breach or suspected data breach. This may include a data breach response team or the appointment of a specific staff member to lead the agencies data breach response.
   
• Privacy Management Plan – agencies should annually review and update their plan in compliance with section 33(2)(c1) which requires the plan to include provisions relating to “the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme.” Agencies are required to include reference to their data breach policy in their plan. 
   
• Data Breach Policy – agencies must have a publicly available data breach policy in compliance with section 59ZD. The Data Breach Policy should set out how the agency will respond to a data breach. It should establish the roles and responsibilities of agency staff in relation to managing a breach and the steps the agency will follow if a breach occurs.
   
• Policies and Procedures – agencies should regularly review and update any relevant policies and procedures to comply with obligations under the MNDB Scheme.
   
• Incident register – agencies are required to establish and maintain an internal register of eligible data breaches under section 59ZE. This register should record the information specified under section 59ZE(2).
   
• Public notification register – agencies are required to maintain a public notification register of any notifications made under section 59N(2). The information recorded in the register must be publicly available for at least 12 months after the date of publication and include the information specified under section 59O.

The IPC has published resources for agencies to assist them with meeting and managing their compliance under the Scheme. See the MNDB Scheme resources page for further information.