Privacy breaches

A privacy breach is any unauthorized access, collection, use, or disclosure of personal information. These activities are unauthorized when they are done in violation of applicable privacy legislation. Privacy breaches can be both intentional and unintentional. Having a privacy policy can help prevent and mitigate privacy breaches.

Unfortunately, due to the complexity of digital information, it isn't always easy to know when or where a breach has occurred. It's important to have clear procedures for protecting your business's privacy, both to prevent breaches and to help identify them if they occur. Clearly establishing who can access information, and how they can access it, helps you recognize when your business's privacy may have been breached: where those procedures have been broken, a breach may have occurred.

A breach can also occur unintentionally. For example, personal information can be accidentally shared over email or lost through the theft of a device.

What to do in the event of a breach

If you believe your privacy policy has been breached, there are four steps you can take:

  1. Contain and assess. When possible, restrict the unauthorized access. This could mean stopping inappropriate behaviour, shutting down a system, or fixing a weakness. You should also begin an investigation into the breach.
  2. Evaluate the risks. What information may have been accessed? How sensitive is it? How did the breach occur, and could it happen again?
  3. Notify those affected. Notifying those affected by the breach can help reduce any harm, and you have a responsibility to do so. Determine who to notify, how, and when. You may also need to inform other organizations, such as the police, credit card companies, and regulatory bodies such as the Office of the Privacy Commissioner.
  4. Prevent future breaches. Once the cause is known, take steps to prevent it from recurring. Consider reviewing your privacy policy.

Privacy breaches are serious. Report them to the Office of the Privacy Commissioner.