Data breaches
What is a data breach?
A breach of a person's privacy occurs when their personal and/or health information is compromised.
A breach can occur:
- when there is unauthorised access to, or disclosure of, personal information held by DCS, or
- where personal information held by DCS is lost in circumstances where unauthorised access or disclosure of the information is likely to occur.
When responding to a privacy breach, DCS will investigate using the following steps:
- Contain - Immediately take steps to minimise the impact of the breach and to prevent any further compromise of personal information.
- Assess - Gather facts about the incident to determine the extent of the breach, identify the individuals affected, and what type of information was involved.
- Notify - Determine who needs to be notified of the incident.
- Review - Conduct a review of the privacy breach and compile a report with recommendations for preventing a recurrence of a similar event and reducing future risk.
DCS has a Data Breach Response Plan that outlines our procedures for responding to a privacy breach, including how we manage a breach and the process for notifying people affected by the breach.
If you think your personal information has been handled incorrectly, contact the business area you have been dealing with or email privacy@customerservice.nsw.gov.au.
Mandatory notification of data breaches
The Mandatory Notification of Data Breach (MNDB) Scheme commenced on 28 November 2023.
The MNDB amendment applies to all NSW public sector agencies who are subject to the PPIP Act. Such agencies are required to notify the NSW Privacy Commission and affected individual(s) if an eligible data breach of the individual's personal or health information held by DCS occurs.
A data breach is “eligible” under the amendment if it is likely to result in serious harm to any of the individuals to whom the information relates. Whether a data breach is likely to result in serious harm requires an assessment, determined from the viewpoint of a reasonable person. Serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
More information about how DCS handles data breaches involving personal information can be found in the DCS Data Breach Policy.