What is a personal information breach and why does it occur?

A breach occurs when personal information that is held by a government agency or a contracted service provider, and is not publicly available, is lost or subjected to unauthorised access or disclosure.

A breach can be the result of:

  • accidental loss
  • internal errors
  • deliberate actions
  • theft of physical assets, or
  • the theft or misuse of electronic information.

What to do when a personal information breach occurs

When a breach occurs, the agency should take prompt action to:

  1. contain the breach, if possible
  2. identify the risks
  3. report the breach to the relevant authorities
  4. notify affected parties, and
  5. implement remedial action.

See the Personal Information Breach Guideline (external site) (PDF) for more information.

Planning for a personal information breach

The steps mentioned above can inform the implementation of an agency’s Personal Information Breach Response Plan (Plan).

A Plan provides guidance and procedures for reporting, recording and investigating information security incidents, including breaches. Referring to an existing Plan will improve the breach response time and therefore mitigate risks more quickly.

The Plan should be developed in accordance with PC030 Protective Security in the Government of South Australia (external site). PC030 outlines the whole-of-government approach to adopting the South Australian Protective Security Framework (external site) as the protective security policy requirements for the South Australian government. PC030 describes the arrangements and expectations for personnel, physical and information security in South Australian government agencies.

PC030 applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in the circular as “Agencies”.

Reporting personal information breaches

The Privacy Committee of South Australia should be notified of breaches relating to personal information as soon as possible after a breach has occurred.

See the Privacy Committee of South Australia webpage for notification details.

Breaches and you

If you are notified of a breach, there are some steps you can take to reduce your chances of experiencing harm.

  • Identify what information has been affected. If you don’t know, ask the organisation that notified you.
  • For breaches that relate to contact and identity information:
    o Change passwords
    o Contact IDCare (external site) for support
  • For breaches that involve financial information:
    o Advise your financial institution
    o Monitor your financial transactions and check your statements for unusual activity
    o Contact the Australian Tax Office if your Tax File Number has been affected

Page last updated: 12 June 2025