
MNDB assessment tool introduction

Welcome to the Mandatory Notification of Data Breach (MNDB) scheme assessment tool, designed to assist Queensland government agencies to determine whether a data breach is an eligible data breach as defined in section 47 of the Information Privacy Act 2009 (IP Act).

When a data breach occurs and an agency reasonably suspects the breach to be eligible under the MNDB scheme, it must conduct an assessment to determine whether there are reasonable grounds to believe this to be the case. The assessment must be conducted promptly and completed within 30 days unless an extension of time is reasonably required.

This tool provides agencies with a structure to conduct the assessment with associated advice for consideration at each step of the process.

The tool can also be used to support the initial consideration of a data breach and help inform an agency's next steps.

The result or recommendation provided by the tool is only a guide, and nothing in this tool comprises legal advice.

Each breach requires consideration of its specific circumstances, and while this tool assists agencies, a comprehensive and objective assessment is required before decisions are made.

The Office of the Information Commissioner (OIC) recommends that this tool, and other OIC MNDB guidelines or resources, are used in combination with an agency's own policies and procedures. Assessment decisions should consider an agency's own systems, including its decision-making delegations, the type of personal information held, its IT systems and data breach security posture, its functions, and the environment in which it operates.

If a crime is happening now, your own or another life or property is in immediate danger, or an event is time critical, call Triple Zero (000). If you need to contact the police and it is non-urgent, call Queensland Police Service - Policelink on 131 444 or (07) 3055 6206.


Using this tool

This tool uses questions to help structure the assessment process.

An asterisk * highlights a mandatory response.

Guidance information to help inform your consideration of each step is displayed in blue boxes.

Your responses to the questions determine the result or recommendation provided.

The OIC will not collect or retain any information entered into the tool.

On completion of the questions, an option is provided for agencies to receive the results via email for record keeping purposes and/or to support decision-making processes.

When an agency reasonably suspects an eligible data breach, section 48(2)(a) of the IP Act requires an agency to immediately, and continue to, take all reasonable steps to contain the data breach and mitigate the harm caused by the data breach.

When considering the likelihood of a data breach resulting in serious harm, agencies must have regard to the matters stated in section 47(2) of the IP Act, and any other relevant matter.


MNDB assessment tool

1. Are you from a Queensland government agency? *

Any reference to government agency (or agency) includes Ministers, departments, statutory bodies, universities, and government owned corporations which are bound by the IP Act.


Not a Queensland government agency

The purpose of this assessment tool is to assist Queensland government agencies to conduct assessments of data breaches, but you have indicated you are not from a Queensland government agency.

If you want to notify the OIC about a privacy breach of your own information, or the information of someone you are acting on behalf of, please make a privacy complaint.

If you have received someone else’s personal information and you want to alert the OIC of a privacy breach, please contact our enquiry line on (07) 3234 7373 or 1800 642 753.

To report a cyber scam or incident, please complete the Australian Signals Directorate online form.


Data breach assessment

2. Has a data breach of a Queensland government agency occurred? *

Schedule 5 of the IP Act defines a data breach, of an agency, as either of the following in relation to information held by the agency:

  1. unauthorised access to, or unauthorised disclosure of, the information;

  2. the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

Importantly, the definition of a data breach applies to any information, not just personal information. Examples include:

  • loss of physical record

  • loss of electronic storage device or laptop

  • deliberate theft of data or a cyber attack

  • agency employees accessing restricted information without authorisation

  • human error, for example, an email sent to an incorrect recipient

  • system error.


Not a data breach of an agency

The purpose of this assessment tool is to assist Queensland government agencies to conduct assessments of data breaches, but you have indicated a data breach has not occurred.

If you want to notify the OIC about a privacy breach of your own information, or the information of someone you are acting on behalf of, please make a privacy complaint.

If you have received someone else’s personal information and you want to alert the OIC of a privacy breach, please contact our enquiry line on (07) 3234 7373 or 1800 642 753.

To report a cyber scam or incident, please complete the Australian Signals Directorate online form.


3. Does the data breach involve personal information held by the agency? *

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion –

  • whether the information or opinion is true or not; and

  • whether the information or opinion is recorded in a material form or not.

Section 13 of the IP Act defines “held or holds” in relation to personal information as:

Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.

Examples of physical possession include:

  • documents stored in an agency’s records management or IT systems, and

  • hard copy documents on a ‘paper’ file or in a physical storage repository.

Examples of having control over a document include:

  • where an agency has a present legal entitlement to physical possession, or a power to handle the information, such as by way of a contractual or other legal right,

  • documents provided to a legal services provider by an agency for the purposes of seeking advice, or

  • documents an agency may require a service provider to provide to the agency under the terms of a service agreement.


Not personal information

The purpose of this assessment tool is to assist Queensland government agencies to assess whether data breaches involving personal information are likely to cause serious harm and, therefore, if the breach is an eligible data breach requiring notification to the OIC.

You have indicated that the breach does not involve personal information. If no personal information is involved, the MNDB scheme does not apply.

Please note you may have other notification obligations, including reporting and management responsibilities for cyber security incidents.


Eligible data breach assessment

4. Does the data breach involve: *

Under section 47 of the IP Act, an eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if:

a. both of the following apply:

  1. the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information; and

  2. the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or

b. the data breach involves the personal information being lost in circumstances where:

  1. unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and

  2. if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).


Likelihood of serious harm assessment

The harm which can potentially arise from a data breach will vary based on the nature of the personal information involved, and the context of the breach.

Serious harm is defined in schedule 5 of the IP Act as including:

a. serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure; or

b. serious harm to the individual's reputation because of the access or disclosure.

This is not an exhaustive definition, and other kinds of harm can meet the serious harm threshold where the breach would result in a real and substantial detrimental effect to an individual. The effect on an individual must be more than mere irritation, annoyance, or inconvenience.

When considering the likelihood of serious harm, agencies must have regard to the factors listed in section 47(2) of the IP Act. The following questions address these matters.


5. Does the breach involve sensitive information, or another type of personal information, which may be more likely to cause an individual serious harm if breached or compromised? *

The IP Act contains specific rules for the collection, use and disclosure of sensitive information, such as racial or ethnic origin, political opinions or associations, religious beliefs or affiliations, and sexual orientation or practices. Data breaches involving these types of personal information may be more likely to result in serious harm.

Additionally, there are other types of information that may not meet the IP Act definition of sensitive information, but depending on the circumstances may lead to more significant risks of harm if compromised. Identity information which can be misused in fraud-related activities would fit within this category. Misuse of financial information may also be more likely to result in serious harm to an individual. Another example could be personal information related to a particular vulnerability, which could result in an individual suffering some form of prejudice if it were made public.


6. Is the information protected by one or more security measures? *

Any security measures which protect the information may have a strong influence on the risk of harm occurring as a result of a data breach. Generally, robust encryption will decrease the risk of serious harm, but other measures, such as controls restricting access and a capability to remotely remove or wipe data, can also affect the risks of harm. When considering the effect of security measures, agencies should take into account both the strength or effectiveness of the measure, and the potential ability of the person in possession of the information to circumvent the measure.

For example, if encrypted data is lost or accidentally disclosed to the wrong recipient, the perceived capability or motive of this person to circumvent the encryption will lead to a different assessment of risk when compared to a situation involving a hacker gaining access to information which is protected by a weak security measure.


6.1 Is there a likelihood that the security measures could be overcome or circumvented? *

Not all security measures remove or significantly decrease the risk of harm. Agencies need to assess the perceived strength of protection measures such as encryption, and the anticipated abilities of any unauthorised recipient of the information to negate or circumvent the security measures. For example, the risk from protection via a weak password is significantly higher than protection afforded by a highly regarded industry recognised security or encryption measure.


7. Is the recipient of the information likely to have intent to cause harm? *

If an agency has information about the identity or motives of people who have, or may have had, access to the personal information, this may enable a more thorough assessment of the likelihood of serious harm. For instance, personal information obtained through a targeted cyber attack is more likely to result in serious harm to an individual, when compared to a breach which involves the same type of information being incorrectly emailed to a law firm or other trusted or cooperative recipient.

If there is a relationship between the individual to whom the personal information relates and the recipient of the information, this may increase the risk of serious harm. For example, a person’s medical information could result in serious harm through distress or embarrassment if disclosed to a family member or work colleague; or the disclosure of an address, which may seem innocuous if disclosed to a person unrelated to the individual, may well pose a significant risk of harm if the recipient is the person’s former partner and there has been a history of family violence.

Data breaches involving a cyber element should alert agencies to a higher risk of harm when compared to breaches caused by human error or a system issue. The level of complexity of a cyber breach may also be an indicator of higher degrees of criminal intent.


8. What types of harm may be caused to individuals whose personal information has been accessed, disclosed, or lost as a result of the data breach? * Select all that apply:

If there is immediate harm, please call Triple Zero (000).

  • Physical harm: Data breach may expose an individual to situations where their physical safety is at risk.

  • Threats of harm: Data breach may expose an individual to situations where their physical safety is threatened, or to situations where there are threats to the individual's reputation.

  • Financial harm: Data breach may result in an individual incurring financial harm or loss through being a victim of identity theft and other financial crimes.

  • Emotional harm: Data breach may result in an individual being exposed to a risk of emotional harm as a direct result of the breach, or as a consequence of other types of harm which, in turn, cause emotional harm.

  • Psychological harm: Data breach may result in an individual being exposed to a risk of psychological harm as a direct result of the breach, or as a consequence of other types of harm which could then result in, or exacerbate, psychological problems.

  • Reputational harm: Data breach may result in an individual being exposed to a risk of reputational harm if their personal information is released.

  • Loss of opportunity: Data breach may result in an individual missing out on a personal or professional opportunity where the information involved in the breach is used in some type of prejudicial way to the detriment of the individual.

  • Loss of access: Data breach may result in an individual losing access to online accounts for both private and government services. This may occur where the type of information could be used to impersonate an individual to take over their accounts.


9. Has the agency taken any steps to mitigate or prevent harm from occurring? *



10. After gathering and analysing information about the breach, including a consideration of the matters listed in section 47(2) and your answers above, is the data breach likely to result in serious harm to an individual to whom the personal information relates? *


Knowledge, reasonable belief or reasonable suspicion of an eligible data breach

The MNDB scheme obligations are dependent on the agency’s knowledge, reasonable belief or reasonable suspicion that there has been an eligible data breach of the agency.

When an agency knows, or reasonably believes, a data breach is an eligible data breach of the agency, it must immediately take, and continue to take, all reasonable steps to:

  • contain the data breach, and

  • mitigate the harm caused by the data breach.

If an agency only reasonably suspects that there has been an eligible data breach of the agency, it must also move quickly to resolve this suspicion by assessing whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency. This assessment must be completed within 30 days, although this can be extended if reasonably required.


11. Based on your analysis, how certain are you that the breach meets the definition of an eligible data breach? *


Knowledge of an eligible data breach

Your responses indicate that the data breach involves personal information and is likely to result in serious harm to an individual to whom the personal information relates.

This indicates an eligible data breach has occurred.

When an agency knows that a data breach is an eligible data breach of the agency, it must immediately take, and continue to take, all reasonable steps to:

  • contain the data breach; and

  • mitigate the harm caused by the data breach.

Notification to the OIC and particular individuals is also required as soon as practicable after forming the belief, pursuant to Part 3 of Chapter 3A of the IP Act.

To notify the OIC of the eligible data breach, submit a notification on the OIC's site.


Reasonable belief of an eligible data breach

Your responses indicate that the data breach involves personal information and could result in serious harm to an individual to whom the personal information relates.

This indicates reasonable belief that the data breach is an eligible data breach.

When an agency reasonably believes a data breach is an eligible data breach of the agency, it must immediately take, and continue to take, all reasonable steps to:

  • contain the data breach, and

  • mitigate the harm caused by the data breach.

Where an agency reasonably believes that there has been an eligible data breach of the agency, notification to the OIC and particular individuals is also required as soon as practicable after forming the belief, pursuant to Part 3 of Chapter 3A of the IP Act.

To notify the OIC of the eligible data breach, submit a notification on the OIC's site.


Reasonable suspicion of an eligible data breach

Your responses indicate that the data breach involves personal information and may result in serious harm to an individual to whom the personal information relates.

This indicates reasonable suspicion that the data breach is an eligible data breach.

When an agency reasonably suspects a data breach is an eligible data breach of the agency, it must immediately take, and continue to take, all reasonable steps to:

  • contain the data breach, and

  • mitigate the harm caused by the data breach.

Within 30 days, an agency must also:

  • assess whether there are reasonable grounds to believe the data breach is an eligible data breach.

The assessment must be completed within these 30 days, unless an extension of time is reasonably required.


Not an eligible data breach

Your responses indicate that the data breach involves personal information and is not likely to result in serious harm to an individual to whom the personal information relates.

This indicates it is not an eligible data breach.

However, you may wish to report this incident to the OIC as a voluntary notification.


Reconsider your assessment

You have indicated that serious harm has already occurred. If serious harm has already occurred as a result of the data breach, and the serious harm is to an individual to whom the personal information relates, this is an eligible data breach.

If this is the case, then pursuant to section 48 of the IP Act, you must immediately take, and continue to take, all reasonable steps to:

  • contain the data breach, and

  • mitigate the harm caused by the data breach.

Unless an exemption applies, you must also as soon as practicable, comply with your obligations to notify as required by Part 3 of Chapter 3A of the IP Act.

It is recommended you reconsider your assessment to reach a more definite position.


Reconsider your assessment

Your responses indicate that the data breach involves personal information and is not likely to result in serious harm to an individual to whom the personal information relates.

However, your responses also indicate that an eligible data breach has actually occurred, meaning that your analysis has identified serious harm is likely to occur (or already occurred) to an individual to whom the personal information relates as a result of the data breach.

There is an inconsistency in this outcome, and it is recommended you conduct further analysis.


Reconsider your assessment

Your responses indicate that the data breach involves personal information and is not likely to result in serious harm to an individual to whom the personal information relates.

However, your responses also indicate a reasonable belief that the data breach is an eligible data breach.

There is an inconsistency in this outcome, and it is recommended you conduct further analysis.


Reconsider your assessment

Your responses indicate that the data breach involves personal information and is not likely to result in serious harm to an individual to whom the personal information relates.

However, your responses also indicate a reasonable suspicion that the data breach is an eligible data breach.

There is an inconsistency in this outcome, and it is recommended you conduct further analysis.


Reconsider your assessment

Your responses indicate that the data breach involves personal information, but you are not sure if it is likely to result in serious harm to an individual to whom the personal information relates.

However, your responses also indicate knowledge that the data breach is an eligible data breach.

There is an inconsistency in this outcome, and it is recommended you conduct further analysis.


Reconsider your assessment

Your responses indicate that the data breach involves personal information, but you are not sure if it is likely to result in serious harm to an individual to whom the personal information relates.

However, your responses also indicate a reasonable belief that the data breach is an eligible data breach.

There is an inconsistency in this outcome, and it is recommended you conduct further analysis.


Reconsider your assessment

Your responses indicate that the data breach involves personal information, but you are not sure if it is likely to result in serious harm to an individual to whom the personal information relates.

However, your responses also indicate a reasonable suspicion that the data breach is an eligible data breach.

There is an inconsistency in this outcome, and it is recommended you conduct further analysis.


Reconsider your assessment

Your responses indicate that the data breach involves personal information, but you are not sure if it is likely to result in serious harm to an individual to whom the personal information relates.

You have also indicated there is insufficient information to determine whether the data breach is an eligible data breach.

It is recommended you conduct further assessment to reach a more certain position on whether serious harm is likely and whether the data breach is an eligible data breach.
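The branching described above, encoded as an added Python example that is not the OIC tool's own code: the three gate questions, the question 10 / question 11 outcome matrix, and the 30-day assessment deadline. The page does not list the answer options for question 10, so the four values used here, counting the 30 days from the day the suspicion was formed, and the two outcome cells the page does not show ("likely" and "not likely" paired with insufficient information) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Harm(Enum):
    """Answer to question 10 (is serious harm likely?). The four options are an assumption."""
    LIKELY = "likely"
    NOT_LIKELY = "not likely"
    UNSURE = "not sure"
    OCCURRED = "already occurred"


class Certainty(Enum):
    """Answer to question 11 (how certain the breach is an eligible data breach)."""
    KNOWLEDGE = "knowledge"
    BELIEF = "reasonable belief"
    SUSPICION = "reasonable suspicion"
    INSUFFICIENT = "insufficient information"


@dataclass
class Outcome:
    result: str                   # heading of the outcome box on the page
    contain_and_mitigate: bool    # section 48(2)(a): contain the breach, mitigate harm
    notify: bool                  # Part 3 of Chapter 3A: notify the OIC and individuals
    assess_by: Optional[date]     # 30-day assessment deadline, if one applies


ASSESSMENT_DAYS = 30


def assess(agency: bool, data_breach: bool, personal_info: bool,
           harm: Harm, certainty: Certainty,
           suspected_on: date, extension_days: int = 0) -> Outcome:
    """Walk the tool's branches. `suspected_on` is the day the agency formed its
    reasonable suspicion; counting the 30 days from that day is an assumption."""
    # Questions 1-3 are gates: any "no" ends the MNDB assessment.
    if not agency:
        return Outcome("Not a Queensland government agency", False, False, None)
    if not data_breach:
        return Outcome("Not a data breach of an agency", False, False, None)
    if not personal_info:
        return Outcome("Not personal information", False, False, None)
    reconsider = "Reconsider your assessment"
    # Serious harm already occurred: eligible by definition, so section 48
    # obligations and notification apply while the assessment is redone.
    if harm is Harm.OCCURRED:
        return Outcome(reconsider, True, True, None)
    if harm is Harm.LIKELY:
        if certainty is Certainty.KNOWLEDGE:
            return Outcome("Knowledge of an eligible data breach", True, True, None)
        if certainty is Certainty.BELIEF:
            return Outcome("Reasonable belief of an eligible data breach", True, True, None)
        if certainty is Certainty.SUSPICION:
            deadline = suspected_on + timedelta(days=ASSESSMENT_DAYS + extension_days)
            return Outcome("Reasonable suspicion of an eligible data breach", True, False, deadline)
        # Likely harm but insufficient information is not an outcome on the page (assumption).
        return Outcome(reconsider, False, False, None)
    if harm is Harm.NOT_LIKELY and certainty is Certainty.INSUFFICIENT:
        # Assumption: "not likely" with no contrary certainty is the page's
        # "Not an eligible data breach" outcome (voluntary notification only).
        return Outcome("Not an eligible data breach", False, False, None)
    # Remaining cells are the page's inconsistency outcomes ("not likely" or "not sure"
    # with knowledge, belief or suspicion) and "not sure" with insufficient information.
    # Any stated suspicion or stronger still triggers the section 48(2)(a) duty to contain.
    return Outcome(reconsider, certainty is not Certainty.INSUFFICIENT, False, None)
```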

