VIC.GOV.AU | Policy and Advisory Library

Privacy incidents

Defining privacy incidents

A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information.

Examples of privacy incidents include:

  • emailing someone’s personal information to the wrong recipient
  • misappropriation of staff login details to access a school administration system
  • applying incorrect access controls to personal documents
  • publishing sensitive documents online
  • uploading student photos on social media without parental consent
  • theft of a student file (electronic or hard copy)
  • sharing information about a staff member’s health without consent.

If there is a data breach, loss or inappropriate sharing of information that doesn't include personal information, it is an information security incident, not a privacy incident.

For guidance on information security incidents, refer to Information Security.

When a privacy incident occurs

If a privacy incident has occurred, or may have occurred, schools must notify appropriate departmental teams so that they can assist. Schools can contact the Privacy team for advice at privacy@education.vic.gov.au.

The school must also raise an eduSafe Plus report (staff login required) and ensure the school’s leadership team is informed.

If the incident involves a data breach, unauthorised access to systems or cyber-attack, schools can also report a cyber security issue (staff login required).

The Privacy team will help schools evaluate and respond to the incident, and will ensure other key departmental areas are brought in for relevant support.

Includes a definition of privacy incidents and information on what to do when a privacy incident occurs.

Reviewed 10 July 2025
