- Privacy breach or near miss is discovered by a University staff member/student/community member.
- Do not try and manage the situation yourself.
- Inform the potential privacy breach to your line Manager (if applicable) and to the Information and Records Management (IRM) team via firstname.lastname@example.org. Please include as much information as possible about the situation.
- If this is a system breach please also contact the helpdesk (0508 824 843 or +64 3 369 5000) to get the issue stopped immediately.
The IRM team will assess:
- What has happened
- How it has happened
- What systems or processes are involved
- Whose information has been affected – staff, student, third party etc.
- The scale of the breach – internal/external, email, system etc.
- The type of information included e.g. medical info, home addresses
- What could be done with this information by the recipient
- What can be done to retrieve or secure the personal information
They will make a plan for response considering the risks associated with the breach. They will include appropriate individuals and teams across the campus as needed.
The team will decide who needs to be informed about the incident. This may be the:
- Individuals affected
- Privacy Commissioner
Some breaches need to be notified to the Privacy Commissioner. This must happen for all breaches involving medical information. All breaches which meet a threshold for ‘serious harm’ must be notified. The IRM team will decide this in line with the Privacy Act and guidance from the Privacy Commission.
A key part of responding to Privacy breaches is reporting on them. All privacy breaches are tracked internally and reported on to senior management. Please note – no individuals will be named in the report, the reporting is about the issue and solutions, not blame.
Reviewing what happened is the last key component. A review of the incident to check if there are system or process issues which can be improved. If so recommendations will be made from the team.