If your organisation or business breaches an individual’s privacy, there can be serious consequences.

A privacy breach can be of three types:

  • An unauthorised disclosure of personal information (for example, sending someone’s personal information to the wrong recipient);
  • An unauthorised alteration or loss of personal information; or
  • Unauthorised access to personal information (e.g. through hacking or a ransomware attack).

Privacy breaches can vary in terms of size, the nature of the personal information, the recipient(s) of the information, the harm caused, and the source of the information.

Privacy breaches, no matter how minor they appear, should never be ignored.

A notifiable breach, that is, a breach likely to cause serious harm, must be reported to the Privacy Commissioner. To assess the likelihood of serious harm, the organisation should consider:

  • The action taken to reduce the risk of harm after the breach;
  • The level of sensitivity of the personal information;
  • The potential harm to the affected person(s);
  • Where the information has ended up; and
  • Security safeguards in place (e.g. encryption).

It’s also important to think about how the affected individual will feel in the circumstances.

A failure to notify the Privacy Commissioner if there has been a notifiable breach can result in a fine for the organisation of up to $10,000.

There are also fines of up to $10,000 if the Privacy Commissioner issues a compliance notice and the organisation does not comply with it, or if the organisation destroys information after a privacy request has been made.

More time, money, and resources can be lost in dealing with a privacy investigation by the Office of the Privacy Commissioner, and if the case is serious enough to be heard in the Human Rights Review Tribunal the organisation can face severe penalties.

The organisation may also incur additional costs in providing a settlement to the affected person(s).

Significant privacy breaches can also result in major reputational harm for the organisation.

To avoid the above consequences, agencies should have robust privacy practices and processes in place so that privacy breaches are avoided in the first instance.

All organisations must have a Privacy Officer, and good practice also includes training staff, implementing an easily accessible policy document and a customer/client-facing privacy policy, and investing in physical and IT security.

It pays for organisations to seek advice from a legal professional if they are unsure of their privacy obligations, to help minimise the risk of privacy breaches and potentially serious consequences.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are. At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.

Guy Goodwin and Hanifa Kodirova