An ‘eligible data breach’ occurs where:

• There is an unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information, and
• A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.

The MNDB scheme applies to breaches of ‘personal information’ as defined in section 4 of PPIPA, meaning information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. It also applies to ‘health information,’ defined in section 6 of the Health Records and Information Privacy Act 2002 (HRIPA), about an individual’s physical or mental health, disability, and information connected to the provision of a health service.

Examples of activities that may lead to an eligible data breach are:

• accidental loss or theft of classified material data or equipment on which personal information is stored (e.g. loss of paper record, laptop, tablet or mobile phone, compact disk or USB stick)
• unauthorised use, access to or modification of data or information systems (e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to data or information systems)
• unauthorised disclosure of classified material or personal information (e.g. email sent to an incorrect recipient or document posted to an incorrect address or addressee), or personal information posted on to Council’s website without consent
• compromised user account (e.g. accidental disclosure of user login details through phishing)
• failed or successful attempts to gain unauthorised access to Council information or information systems
• equipment failure
• malware infection
• disruption to or denial of IT services

• Financial loss through fraud
• A risk of physical or psychological harm, such as by an abusive ex-partner
• Identity theft, which can affect your finances and/or credit record
• Serious harm to an individual’s or Council’s reputation.

Personal information is any information that identifies you.

Council holds varying amounts of personal information, from ratepayer contact information to staff personnel details. Click here for more information about accessing or altering personal and Council information.

If you suspect a data breach has occurred, please immediately contact Council via council@wollondilly.nsw.gov.au or call 02 4677 1100 and ask to speak with a member of our Governance team.

If a breach has occurred, Council will first assess the seriousness of the breach. Council will consider a range of factors including but not limited to the types of personal information involved, the sensitivity of the information, who has access to the information, whether there were protected security measures in place, the nature of any harm and whether there is a potential for malicious intent.

If Council determines there has been an eligible data breach in relation to your personal information, we must notify you as soon as practicable.

If Council is unable to notify you directly we will publish a notification on this webpage and take reasonable steps to publicise the notification. The notification must remain on our public notification register for at least 12 months.