
Data breaches

Prevention is better than cure when it comes to data breaches – and by effectively carrying out the other aspects of your role (as covered in the toolkit), you can help make sure personal information is handled appropriately and securely in your organisation.

But it won’t be possible to completely eliminate the risk of a data breach. And you will likely play a key role in preparing your organisation for a potential data breach as well as responding to any data breach that eventuates.

The content below summarises what this may involve, but you should consult OVIC’s guide on Managing the privacy impacts of a data breach and complete our online learning module for more detailed support in fulfilling this aspect of your role.

What is a data breach?

A data breach occurs when personal information that is held by your organisation is subject to misuse, loss, unauthorised access, modification or disclosure.

Data breaches can be caused by malicious acts, human error, or systemic failures. Importantly, they can have serious consequences both for the individuals whose information is affected and for your organisation.

How can you prepare for a data breach?

One of the main ways you can minimise the potential consequences of a data breach is to be prepared by developing a Data Breach Response Plan. This will help your organisation respond to a data breach quickly and efficiently.

A Data Breach Response Plan should set out:

  • An explanation to staff about what constitutes a data breach and how to detect a breach.
  • A strategy for what actions your organisation will take in response to a data breach.
  • The roles and responsibilities of staff involved in responding to the breach.

How should you respond to a data breach?

You will likely play a key role in your organisation’s response to a data breach. The main goal when managing a data breach is to minimise the potential harm to individuals affected by the breach.

Your organisation should follow the four-step process:

  1. Contain the breach immediately to prevent further compromise of personal information;
  2. Assess the risks of harm to affected individuals by investigating the circumstances of the breach;
  3. Notify affected individuals if deemed appropriate in the circumstances;
  4. Review the breach and your organisation’s response to consider action to prevent future incidents of a similar nature and improve the handling of future breaches.

Reporting a breach to OVIC

We encourage you to report data breaches to us that may involve a foreseeable risk of harm to affected individuals. We’ll provide you with guidance about how to minimise harm associated with the breach. We can also give feedback about how you’ve handled a breach once finalised.

For example, we might talk through the circumstances and the different relevant factors that could affect the types of harm associated with the breach and how likely they are. We might also discuss different factors that weigh for or against notifying affected individuals.

Like you, our aim is to help minimise harm to affected individuals. So we don’t mind how you first get in contact with us. You may want to contact us by phone in the early stages and then provide a written report later down the track.

You can report to us in writing by completing our incident notification form.

Notifying affected individuals

One of the main issues you’ll consider when handling a data breach is whether to notify those people who have been affected by the breach.

While there is no legislative obligation to do so, this is an important way to help individuals reduce the risk of harm from the breach or to seek redress for harm they have suffered. It also demonstrates transparency and is in line with community expectations – people usually expect to be told when their privacy has been breached.

OVIC’s guide sets out the factors you should consider when deciding whether to notify. Where you decide to notify, you may find it useful to consult our template for notifying affected individuals.


