Privacy incidents
Defining privacy incidents
A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information.
Examples of privacy incidents include:
- emailing someone’s personal information to the wrong recipient
- misappropriation of staff login details to access a school administration system
- applying incorrect access controls to personal documents
- publishing sensitive documents online
- uploading student photos on social media without parental consent
- theft of a student file (electronic or hard copy)
- sharing information about a staff member’s health without consent.
If there is a data breach, loss or inappropriate sharing of information that doesn't include personal information, it is an information security incident, not a privacy incident.
For guidance on information security incidents, refer to Information Security.
When a privacy incident occurs
If a privacy incident has occurred, or may have occurred, schools must notify appropriate departmental teams so that they can assist. Schools can contact the Privacy team for advice at privacy@education.vic.gov.au
The school must also raise an eduSafe Plus report (staff login and ensure the school’s leadership team is informed.
If the incident involves a data breach, unauthorised access to systems or cyber-attack, schools can also report a cyber security issue (staff login .
The Privacy team will help schools evaluate and respond to the incident, and will ensure other key departmental areas are brought in for relevant support.
Reviewed 10 July 2025