What is a personal information breach and why does it occur?

A breach occurs when personal information that is not already publicly available is lost or subjected to unauthorised collection, access, use, modification, disclosure or misuse.

A breach can be the result of:

  • accidental loss
  • internal errors
  • deliberate actions
  • theft of physical assets, or
  • the theft or misuse of electronic information.

What to do when a personal information breach occurs

When a breach occurs, the agency should take prompt action to:

  1. contain the breach, if possible
  2. identify the risks
  3. report the breach to the relevant authorities
  4. notify affected parties, and
  5. implement remedial action.

See the Personal Information Breach Guideline for more information.

Planning for a personal information breach

The steps mentioned above can inform the implementation of an agency’s Breach Response Plan.

A Breach Response Plan provides guidance and prescribes procedures for reporting, recording and investigating information security incidents, including breaches. Referring to an existing plan will improve the breach response time and therefore mitigate risks more quickly.

The plan should be developed in accordance with PC030 Protective Security in the Government of South Australia. PC030 outlines the whole-of-government approach to adopting the South Australian Protective Security Framework as the protective security policy requirements for the South Australian government. PC030 describes the arrangements and expectations for personnel, physical and information security in South Australian government agencies.

PC030 applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in the circular as “Agencies”.

Reporting personal information breaches

The Privacy Committee of South Australia must be notified of breaches relating to personal information as soon as possible after a breach has occurred.

See the Privacy Committee of South Australia webpage for notification details.

Breaches and you

If you are notified of a breach, there are some steps you can take to reduce your chances of experiencing harm.

  • Identify what information has been affected. If you don’t know, ask the organisation that notified you.
  • For breaches that relate to contact and identity information:
    o Change passwords
    o Contact IDCare for support
  • For breaches that involve financial information:
    o Advise your financial institution
    o Monitor your financial transactions and check your statements for unusual activity
    o Contact the Australian Tax Office if your Tax File Number has been affected

Page last updated: 14 June 2024