What is a privacy breach?
A privacy breach occurs when an organisation or individual either intentionally or accidentally:
- Provides unauthorised or accidental access to someone's personal information
- Discloses, alters, loses or destroys someone's personal information
- A privacy breach also occurs when someone is unable to access their personal information due to, for example, their account being hacked
If you aren’t sure if what has happened is a breach – tell us anyway and we can confirm if it was a privacy breach or a near miss. Contact us on email@example.com.
Privacy Breaches occur. They are usually minor and most commonly caused by human error – often sending an email to an incorrect email address.
After discovering a privacy breach, the focus is on the protection of the person or people whose privacy has been breached, minimising the impact where possible, and preventing further breaches, not blaming individuals.
It is important to follow the below steps if you create or discover a privacy breach at UC.
- Privacy breach or near miss is discovered by a University staff member/student/community member.
- Do not try and manage the situation yourself.
- Inform the potential privacy breach to your line Manager (if applicable) and to the Information and Records Management (IRM) team via firstname.lastname@example.org. Please include as much information as possible about the situation.
- If this is a system breach please also contact the helpdesk (0508 824 843 or +64 3 369 5000) to get the issue stopped immediately.
The IRM team will assess:
- What has happened
- How it has happened
- What systems or processes are involved
- Whose information has been affected – staff, student, third party etc.
- The scale of the breach – internal/external, email, system etc.
- The type of information included e.g. medical info, home addresses
- What could be done with this information by the recipient
- What can be done to retrieve or secure the personal information
They will make a plan for response considering the risks associated with the breach. They will include appropriate individuals and teams across the campus as needed.
The team will decide who needs to be informed about the incident. This may be the:
- Individuals affected
- Privacy Commissioner
Some breaches need to be notified to the Privacy Commissioner. This must happen for all breaches involving medical information. All breaches which meet a threshold for ‘serious harm’ must be notified. The IRM team will decide this in line with the Privacy Act and guidance from the Privacy Commission.
A key part of responding to Privacy breaches is reporting on them. All privacy breaches are tracked internally and reported on to senior management. Please note – no individuals will be named in the report, the reporting is about the issue and solutions, not blame.
Reviewing what happened is the last key component. A review of the incident to check if there are system or process issues which can be improved. If so recommendations will be made from the team.