Mandatory notification of data breach register
Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) establishes the Mandatory Notification of Data Breaches (MNDB) scheme. From 28 November 2023, every public sector agency bound by the PPIP Act must notify the Privacy Commissioner and affected individuals of eligible data breaches involving personal or health information that are likely to result in serious harm.
Agencies are required to maintain a public register of any notifications made under section 59ZE(2). The information recorded in the register must be publicly available for at least 12 months after the date of publication and include the information specified under section 59O.
Register of data breaches
| Title | Response |
| --- | --- |
| Date the breach occurred | 19 April 2024 |
| Description of the breach | Personal information made available on Council’s website |
| How the breach occurred | A software error during an upgrade, due to incorrect system settings on a set of documents available as attachments on the Application Tracking section of the Council website. |
| Type of breach that occurred | Unauthorised disclosure |
| Personal information that was the subject of the breach | Email addresses, a telephone number and correspondence addresses, for a total of 16 individuals. |
| Amount of time the personal information was disclosed for | 19 April to 3 May 2024 |
| Actions that have been taken or are planned to ensure the personal information is secure, or to control or mitigate the harm done to the individual | We removed the 'Application Tracking' function from being accessed by the public on the afternoon of 3 May. The software vendor subsequently implemented a software patch on the weekend of 4-5 May to prevent recurrence. During the following week we reviewed the software patch and confirmed that it had been successfully applied. The 'Application Tracking' function was restored on 10 May.<br><br>Council's ICT team reviewed the reports of the system interactions as supplied by the software vendor and, in conjunction with Council's Privacy Officer, identified the 16 affected parties and the occasions on which their personal information was viewed on the website. |
| Recommendations about the steps the individual should take in response to the eligible data breach | - Advice to closely scrutinise incoming emails for any suspicious links and to contact us if concerned<br>- If concerned about identity theft, contact IDCARE, the National Identity and Cyber Support Service<br>- If requiring further information, contact the nominated Council officer using the supplied contact details. |
Making a privacy-related complaint
If you are an affected party and wish to request an internal review under the Privacy and Personal Information Protection Act 1998, you can do so by writing to:
The General Manager
Inner West Council
PO Box 14
Petersham NSW 2049
or by lodging a complaint with the Information and Privacy Commission of NSW:
Enquire about a breach
If you have an enquiry about a breach listed above, please contact Ian Russell by phone at 02 9392 5350, or by mail at PO Box 14, Petersham NSW 2049.