As described in the Government’s Personal Information Data Breach Guideline, a privacy breach occurs when personal information “that is not already publicly available, is lost or subjected to unauthorised access, use, modification, disclosure or misuse.”
A breach may have happened as a result of accidental loss, internal errors, deliberate actions, theft of physical assets, or the theft or misuse of electronic information.
The Privacy Committee of South Australia (PCSA) must be notified of breaches relating to personal information as soon as possible after the breach has occurred.
Form of notification
Following is the mandatory information the PCSA expects to be included in the Privacy Breach Notifications it receives.
A template is attached that agencies can use to notify the PCSA. However, it’s acknowledged that there may also be other internal agency-specific reports and notifications completed as a result of the breach, eg Clinical Incident Briefs. If an agency-specific report includes the information outlined below, it can be submitted to the PCSA as a Privacy Breach Notification without the need to use the attached template.
Description of the incident including:
- What led to the breach occurring?
- Whose personal information, and what type of information, was involved? [Do not include any unnecessary personal information about affected parties]
- Which SA Government agencies, branches, and staff roles were involved?
- Whether third party organisations or individuals were involved.
- Dates of the incident, and when your agency became aware.
Advice of agency response:
- What risk of harm exists or existed for affected parties?
- Was your Chief Executive advised of the breach and when?
- Details of communication with affected parties, or your decision not to notify.
- Details of any support or assistance offered to affected parties.
- Implemented or planned changes to training, policy, procedures, systems or culture to prevent a reoccurrence.
- Contact details for further correspondence.
Privacy Breach Notifications should be emailed to firstname.lastname@example.org. If you need assistance to prepare your notification, you may contact State Records for advice.
The PCSA will be briefed on the breach at its next meeting and will seek further advice from the agency if required.