Data breaches

Information about data breaches and how organisations, including Legal Aid NSW, handle your personal and health information.

About data breaches

A data breach happens when personal information held by an organisation or agency is lost, accessed, used or disclosed without authorisation.

Personal information is any information that identifies you, including your name, address, or other details about you. Health information includes details about your physical or mental health, or any health services provided to you.

Privacy laws cover the way that certain organisations or government agencies handle the collection, use, access, disclosure, and storage of your personal and health information.

Organisations and government agencies must take reasonable security safeguards to protect your personal and health information. They should let you know if your personal or health information is exposed in a data breach, particularly when this could cause you serious harm. They should also do their best to ensure the breach doesn’t affect you.

If your personal or health information is compromised in a data breach, it could have serious consequences. Your information may be used in a scam or used to commit fraud.

Your rights following a data breach

Being made aware of a data breach promptly is important. You need to take steps quickly to minimise any harm caused to you.

In NSW the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) outline the legal obligations that NSW public sector agencies must follow when they handle personal or health information. These obligations are called the ‘information protection principles’ and the ‘health privacy principles’.

For more information, see the factsheet A Guide to protecting your privacy in NSW on the Information and Privacy Commission NSW website.

The PPIP Act requires NSW government agencies to notify you if your personal or health information has been compromised in a data breach and this is likely to result in serious harm to you. Agencies must also tell you what steps they have taken to minimise the harm done to you. This is known as the Mandatory Notification of Data Breach (MNDB) Scheme.

For more information about the MNDB Scheme, see Mandatory Notification of Data Breach Scheme on the Information and Privacy Commission NSW website.

How Legal Aid NSW protects your personal and health information

Personal information and sometimes health information is needed to access Legal Aid NSW services. Legal Aid NSW must comply with privacy laws and the MNDB Scheme when collecting, storing, using or disclosing your personal and health information.

Legal Aid NSW has a Privacy Management Plan that explains how we comply with legal requirements.

For more information, see Privacy Policy and Privacy Management Plan (PDF, 946 kb).

How Legal Aid NSW responds to a data breach

In the event of a data breach, the PPIP Act requires Legal Aid NSW to report an eligible data breach to the Privacy Commissioner. As noted above, this is called the Mandatory Notification of Data Breach (MNDB) Scheme.

Under the MNDB Scheme, Legal Aid NSW has published a Data Breach Policy. This policy explains the steps we take after a data breach and how we respond to eligible data breaches under the MNDB Scheme.

Legal Aid NSW has two main categories to classify data breaches:

  1. Eligible Data Breaches - when there is unauthorised access to or disclosure of personal or health information held by Legal Aid NSW (or the information is lost in circumstances where such access or disclosure is likely), and this is likely to result in serious harm to an individual. These breaches are covered under the MNDB Scheme.
  2. Other Data Breaches - these breaches are not covered under the MNDB Scheme and include:
    • Minor incidents as a result of an accident or a systems error, involving a small number of documents and individuals
    • Formal/written complaints as a result of an internal or external privacy review or a court or tribunal action
    • Serious breaches that may be intentional or malicious, or involve a large volume of information or multiple affected individuals, and which are not Eligible Data Breaches.

After becoming aware of a breach Legal Aid NSW will take a number of steps:

  1. Immediately contain the breach to minimise any resulting damage.
  2. Evaluate the type of information that has been breached and the likely risks of harm to the affected person.
  3. If the breach is an Eligible Data Breach, notify affected individuals, except where this is not reasonably practicable. Staff will also generally notify an affected person about any other data breach, regardless of whether it is covered by the MNDB Scheme. In the case of a minor breach, we may however decide not to notify an affected individual if doing so may cause undue distress or is not reasonably practicable.
  4. Act to mitigate the risks and take any additional actions to minimise the damage.
  5. Take additional precautions based on the type and seriousness of the breach. We may review our technical or administrative processes and training to prevent it from happening again.
  6. Report the breach. We will collect data about each breach and the actions taken in response, and compile this information in an internal report twice per year. We also report Eligible Data Breaches and Serious Breaches externally to the NSW Privacy Commissioner.
  7. Take the additional actions required by the MNDB Scheme.

For more information, see Data Breach Policy (PDF, 169 kb).

Privacy complaints

If you have a problem with the way an organisation or business handles your personal or health information, there are different ways you can make a complaint.

You should contact the organisation or agency you think has mishandled your personal or health information to make a complaint. If they don’t respond to your complaint, or you’re not satisfied with their response, you have other options depending on the type of organisation.

For more information on how to make a complaint about how a NSW public sector agency has handled your personal or health information, see How do I make a complaint? on the Information and Privacy Commission NSW website.

For information about the Legal Aid NSW process for complaints, see Feedback and Complaints.

For specific information about making privacy complaints, see Part 10 of the Legal Aid NSW Privacy Management Plan (PDF, 946 kb).

If your issue is not about a NSW public sector agency, for example a complaint about a federal government agency or an organisation with an annual turnover of more than $3 million, you can contact the Office of the Australian Information Commissioner (OAIC).

For more information, see What you can complain about on the OAIC’s website.