Mandatory Notification of data breaches - are QLD councils ready?
Published on 19 March 2026
Article by Joshua Brown, General Counsel & Compliance Manager
The Mandatory Notification of Data Breach (MNDB) scheme is introduced through the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (IPOLA). The scheme will commence on 1 July 2025 for Queensland public sector agencies generally, and on 1 July 2026 for local governments.
From 1 July 2026, councils must comply with a prescriptive legislative framework governing how data breaches are identified, assessed, managed and reported. This represents a significant shift from existing practices and will require councils to have appropriate policies, procedures and internal capability in place.
What does the MNDB scheme require councils to do?
Under the MNDB scheme, councils will be required to:
- take reasonable steps to contain a data breach and mitigate harm as soon as practicable;
- assess whether a data breach is an eligible data breach under the legislation;
- where an eligible data breach has occurred, notify the Information Commissioner and affected individuals in accordance with prescribed requirements;
- publish a data breach policy outlining how data breaches will be managed; and
- maintain an internal register of all eligible data breaches.
These obligations apply regardless of whether a breach arises from a cyber incident, human error, system failure or the actions of a third-party service provider.
When is a data breach an eligible data breach?
A data breach will be an eligible data breach under the MNDB scheme where:
- there is unauthorised access to, or unauthorised disclosure of, personal information held by the council, or a loss of personal information held by the council in circumstances where unauthorised access or disclosure is likely to occur; and
- the unauthorised access or disclosure is likely to result in serious harm to one or more individuals to whom the personal information relates (affected individuals).
What constitutes serious harm?
Serious harm is not exhaustively defined and must be assessed on a case-by-case basis. It may include serious physical, psychological, emotional, financial or reputational harm to an individual. The impact must be more than mere irritation, annoyance or inconvenience.
In determining whether serious harm is likely, councils should consider factors such as:
- the type and sensitivity of the personal information involved;
- whether the information was protected by security measures, and how likely it is that those measures could be overcome;
- the kind of person or persons who have obtained, or may obtain, the information;
- the nature of the harm that could reasonably result from the breach; and
- any other relevant circumstances.
How can councils start preparing now?
Although the MNDB scheme does not commence for local governments until 1 July 2026, councils should begin preparing well in advance.
A practical starting point is to develop a coordinated, whole-of-organisation approach to data breach management, involving relevant subject matter experts across privacy, information management and security, cyber, human resources, governance, records management, legal and incident response.
Councils should also review their existing data breach frameworks, including policies, procedures and systems, to ensure roles and responsibilities are clearly defined. This includes how breaches are identified, how personal information is assessed, how serious harm determinations are made, and how notifications and record-keeping will be handled.
This preparatory work will underpin a compliant and effective data breach policy, which must be published before the MNDB scheme commences.
Local Buy has various Arrangements that can assist councils in preparing for the upcoming MNDB scheme:
- LB311 – Legal Services (Goods & Services): Ensuring councils’ policies and procedures adhere to regulatory requirements.
- LB309 – Business Management Consulting Services: For assessment of councils’ business processes and procedures.
- LB308 – ICT Solutions, Products, Services & New Technologies: Provides cyber security services and solutions and related consultancy services.
Conclusion
The MNDB scheme marks a step-change in how councils are expected to manage and respond to data breaches. From 1 July 2026, privacy incidents will no longer sit quietly behind the scenes. Councils that prepare early by strengthening governance, clarifying roles and embedding clear response processes will be best placed to meet their legal obligations and maintain community trust when it matters most.