Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

PAW blog series 2019: Data breaches: What can you do? Read our new guidance!

“We forgot to BCC the email addresses”

“We sent an email to the wrong recipient and the email had attachments with the personal information of another individual”.

“An employee’s bag was stolen and there were client files in the bag”.

Data breaches involving personal information are not uncommon and these are just some examples of the data breach notifications that we receive from public sector organisations.

Where we receive data breach notifications like those quoted above, they are often followed by a question to the effect of “what can we do now”?

To assist in answering this question, we have developed updated guidance to assist agencies prepare for and respond to data breaches: ‘Managing the privacy impacts of data breaches’.

Preparing for a data breach

A data breach can result in harm to impacted individuals including financial loss, identity theft, physical harm, emotional harm and reputational damage.

The updated guidance therefore highlights the importance of organisations preparing for a data breach. This can improve the speed and quality of an organisation’s response and can reduce the impact of any potential harm to affected individuals.

The guidance points out that the main way an organisation can prepare for a breach is to have a data breach response plan that all staff are aware of. It should generally include guidance on how to identify a data breach, who to contact when the data breach occurs and what steps to take to manage the breach.

Responding to a data breach

The updated guidance highlights that the primary goal of responding to a data breach is to minimise potential harm to affected individuals by following a four-step process.

Contain the breach as soon as possible – organisations should take steps to limit the extent of the breach

Assess the potential harm to affected individuals – by investigating considering a range of factors depending on the circumstances.

Notify the affected individuals – organisations should be as transparent as possible when a data breach occurs. Notifying the affected individuals may enable them to take steps to reduce the likelihood of harm.

Review breach to prevent similar incidents in the future – by identifying the root causes and taking steps to improve practices and processes.

Contact OVIC

 We hope that you find the updated guidance useful. But don’t forget that you can contact us when things go wrong. It is not mandatory to report a data breach to our office but we encourage organisations to do so as we can provide guidance on how to manage the privacy aspects of the incident.

You can contact us on via 1300 006 842 or

For tips on preventing data breaches, read our helpful tip sheet here.


Back to top
Back to Top