DCS Data Breach Public Notification Register
The purpose of the register is to ensure individuals can determine whether they may have been affected by a Department of Customer Service (DCS) data breach and take action to protect their personal information where necessary.
Why we have a data breach register
If we are unable to notify any of the affected individuals directly, a public notice will be placed on this page.
Part 6A of the Privacy and Personal Information Protection Act 1998 introduces the Mandatory Notification of Data Breach (MNDB) scheme. Under the MNDB scheme, DCS must notify affected individuals of data breaches involving personal or health information that are likely to result in serious harm, unless an exemption applies.
When data breaches are published on this register
DCS must provide notification of an eligible data breach as soon as practicable after the data breach has been assessed and after notification exemptions have been considered.
The notification must be available for at least 12 months after the date of publication and include specific legislated information.
Information published in the register
We must record the following details of the eligible data breach on this register:
- Data breach title
- Date of data breach
- Date notification published
- Description of data breach
- How the data breach occurred
- Type of data breach
- Type of personal information that was the subject of the data breach
- Amount of time the personal information was disclosed
- Actions DCS has taken or plans to take to ensure the personal information is secure, or to control or mitigate the harm done
- Recommendations about the steps the individual should take in response to the data breach
- Information on how to make a privacy complaint and request an internal review
- Name of the agency or agencies that are the subject of the data breach
- Contact details for this data breach
Data Breach Register
Have Your Say eligible data breach - Published 4 July 2024
The Department of Customer Service (DCS), which administers the Have Your Say consultation platform, has proactively discovered a possible, but unlikely, exposure of personal information in document submissions uploaded to the platform.
From November 2023 (or the date a submission was uploaded if later than November 2023) until 22 May 2024, submissions were potentially accessible on the internet, but only if someone had or could guess the complex and specific URL. A regular internet search could not have found the information. This issue was the result of the configuration of the platform and not a cyber attack.
There is no evidence that submissions were accessed as a result of this vulnerability and the chance of unauthorised access to submissions is considered very low. This issue related only to the storage of written submission files uploaded to the platform. Feedback received through surveys, ideas, quick polls and other feedback tools was not impacted.
A fix was applied on 22 May 2024, which has ensured that this issue is resolved.
The types of personal information in uploaded submissions included:
- first name
- last name
- work address
- residential address
- work or personal mobile numbers
- signatures
- pictures
- personal opinions.
As a precaution, we recommend that if you uploaded a submission you:
- confirm who you are speaking to when making and taking phone calls
- don't click on links in emails and text messages unless you are sure they are legitimate
- change online passwords regularly.
Fact sheets containing further information are available from the Information and Privacy Commission.
The NSW Information and Privacy Commission has more information about making a complaint as well as your review rights.
If you require support or would like to discuss this matter in more detail, please do not hesitate to visit the NSW Government’s ID Support service or call 1800 001 040.