Privacy incidents 104-04070000

Notify your Team Leader about the potential incident. Work with your Team Leader to identify if the potential privacy incident is serious. This includes where disclosure or unauthorised access of personal information has occurred, that could impact an individual or individuals:

• life
• health
• safety, or
• welfare

This includes children and those at risk of harm due to family and domestic violence. See Risk identification and management of threats to the safety or welfare of a child

The Resources page has a link to the Privacy and Secrecy intranet page, which contains further information about managing privacy incidents.

Is the potential privacy incident serious?

• Yes, send an email to Privacy as well as Reporting a Privacy Incident using the Privacy Incident Portal. See Resources page for a link to the form. If your Branch:
• has established escalation protocols, follow those
• does not have established escalation protocols, Privacy will work to escalate the matter once the email has been received

Note: if the customer or another party may be at imminent risk of harm due to the incident, Service Officers should consult with their Team Leader/Leadership to identify the delegate that should refer the matter to the Social Work Services Branch. For referrals to that Branch, see Social Work Services

• No, go to Step 2

Complete any corrective action immediately, do not wait for contact from Privacy.

Corrective action may include:

• alerting a customer who may be at risk of harm as a result of the disclosure; and/or
• arranging for the return of any documents concerning a customer or staff member which may have been incorrectly issued to a third party

If Service Officers are unsure or concerned about what corrective action to take, steps should be taken to consult with line managers.

What steps have been taken to correct the privacy incident?

Taking corrective action can help minimise the impact of the privacy incident.

For example:

• immediately correcting an address so that a potentially violent former partner will not have access to it
• correcting a recipient/patient/parent's member of a couple status so that their benefits can be reinstated
• requesting the return of documents sent to a third party in error
• sending the third party a reply paid envelope for them to use to return to the agency the document received in error
• notifying the affected individual of the privacy incident, if appropriate

Corrective action should not be delayed pending the privacy review.

Note: document any corrective action in the Privacy Incident Notification Form. See Resources page for a link to the form.

Once corrective action is taken, go to Step 3.

• The Resources page has a link to the Privacy Incident Portal form
• Complete and submit the form
• An email will generate to the:
• Privacy mailbox and
• staff nominated on the form

For more information, see the Resources page for a link to Privacy and Secrecy

Privacy will triage and assess the incident by assigning a level of priority.

The incident will be:

• allocated immediately, or
• placed in a queue to await allocation

Once the incident has been finalised, Privacy will send the responsible business a report of their assessment and recommendations where appropriate.