Data breaches

Information about data breaches and how organisations, including Legal Aid NSW, handle your personal and health information.

About data breaches

A data breach happens when personal information held by an organisation or agency is lost, accessed, used or disclosed without authorisation.

Personal information is any information that identifies you, including your name, address, or other details about you. Health information includes details about your physical or mental health, or any health services provided to you.

Privacy laws cover the way that certain organisations or government agencies handle the collection, use, access, disclosure, and storage of your personal and health information.

Organisations and government agencies must take all reasonable security safeguards to protect your personal and health information. They should let you know if your personal or health information is exposed in a data breach, particularly when this could cause you serious harm. They should also do their best to ensure the breach doesn’t affect you.

If your personal or health information is compromised in a data breach, it could have serious consequences. Your information may be used in a scam or used to commit fraud.

Your rights following a data breach

Being made aware of a data breach promptly is important. You need to take steps quickly to minimise any harm caused to you.

In NSW, the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) outline the legal obligations that NSW public sector agencies must follow when they handle personal or health information. These are called the ‘information protection principles’ and ‘health privacy principles’.

For more information, see the factsheet A Guide to protecting your privacy in NSW on the Information and Privacy Commission NSW website.

The PPIP Act requires NSW government agencies to notify you if your personal or health information has been compromised in a data breach and has put you at risk of serious harm. Agencies must also tell you what steps they have taken to minimise the harm done to you. This is known as the Mandatory Notification of Data Breach (MNDB) Scheme.

For more information about the MNDB Scheme, see Mandatory Notification of Data Breach Scheme on the Information and Privacy Commission NSW website.

Privacy complaints

If you have a problem with the way we have handled your personal or health information, there are different ways you can make a complaint.

You can make an informal complaint via the complaints process set out on the Legal Aid NSW website. We will respond to your complaint in accordance with the process outlined on the website.

If you are concerned that Legal Aid NSW or its staff have breached the privacy laws, you have the right to seek an internal review.

Formal complaints about the conduct of Legal Aid NSW or its staff in relation to the collection, storage, use or disclosure of personal information or health information should be put in writing and sent to the Manager, In-house Counsel Unit of Legal Aid NSW within six months of the complainant becoming aware of a possible breach.

  • Legal Aid NSW will acknowledge receipt of an application for Internal Review in writing.
  • The Internal Review will be completed within 60 days from the date that the application is received.
  • Legal Aid NSW will write to a complainant within 14 days of completing the Internal Review advising of:
    • the findings of the review and reasons for those findings,
    • proposed actions to be taken (if any), and
    • the right of the complainant to have those findings and proposed actions reviewed by the NSW Civil and Administrative Tribunal.

External Reviews: If you are not satisfied with the outcome of an Internal Review, you can apply to have the matter considered by the NSW Civil and Administrative Tribunal within 28 days of being notified of the Internal Review decision.

The Privacy Commissioner also has the power to review and investigate complaints, including complaints related to privacy issues. For more information about the review process, see the Privacy Commissioner’s website.

For specific information about making privacy complaints, see Part 10 of the Legal Aid NSW Privacy Management Plan (PDF, 1MB).
