If you identify or suspect that personal information is not being handled appropriately, notify the appropriate member of your school’s leadership team immediately and contact the Privacy Team.
What is a privacy incident?
A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information. Personal information is information about an individual that may identify them. Privacy incidents include:
- misdirected communications, for example, emailing the wrong recipient, using cc instead of bcc, or attaching the wrong document
- accidental access, for example, applying incorrect access controls to documents, or publishing sensitive documents online
- unauthorised access, for example, a student accessing school systems using staff login details
- loss, for example, theft of a USB containing student files, or misplacing a student file (electronic or hard copy)
- unauthorised disclosure, for example, uploading student photos on social media without parental consent.
What should I do if I think a privacy incident has occurred?
Contact the Privacy Team. The team can offer immediate advice and work through the incident response process with you.
It is important that the Privacy Team is engaged early, so that they can help you throughout the incident and beyond. The team will ask questions to help remediate the issue, and they will also liaise with any other relevant teams (for example, Information Management and Technology Division and Legal Division) to provide coordinated support.
Note: Where the principal reasonably believes that the privacy incident is insignificant, it is at their discretion as to whether or not to contact the Privacy Team. An insignificant incident would include situations in which the personal information was not disclosed outside of the school or Department and did not include any sensitive or health information that would cause any harm or concern to a student or their family as a result of the mistaken disclosure.
Incident response process
The Privacy Team will evaluate any incident or suspected incident systematically on a case-by-case basis, following these steps:
- Preliminary assessment and containment: this happens very quickly to establish the type and scale of the incident, the kind of information and risk involved, and if containment steps are required. This forms the basis of what action needs to be taken and what needs to be done as soon as possible. The preliminary assessment is about documenting key details and containing the incident if it is still uncontained.
- Risk evaluation: this is a more detailed assessment of the privacy consequences of the incident. It assesses the scale and severity of the incident, what information has been compromised and any potential harm to individuals and/or the Department. This often includes reviewing the material involved and asking questions to understand how the incident occurred, how it can be contained and how it can be prevented from occurring again.
- Notification: in some cases, notification is required. This may involve engaging other areas of the Department, notifying affected individuals and potentially notifying any regulators. If you are considering notifying affected individuals, please contact the Privacy Team for advice.
- Prevention: a final incident review should be conducted to identify outstanding risks or opportunities that might be addressed to prevent similar incidents occurring.
For a quick reference guide on what to do in a privacy incident, refer to:
What is not a privacy incident?
If there is a data breach, loss or inappropriate sharing of information that does not include personal information, this is an information security incident rather than a privacy incident. Examples of information security incidents include:
- unauthorised access of an information system containing financial information, not personal information
- loss or theft of a USB containing planning documentation which doesn’t include any personal information.
If the incident involves any commercial or sensitive information, you should also contact Legal Division for further guidance.
Reviewed 04 October 2021