Privacy Breach vs Breach of the Privacy Act

When something goes wrong with personal information two phrases get tossed around a lot: privacy breach and breach of the Privacy Act. They sound similar, and they often get blurred together in day-to-day conversations. But they mean very different things and confusing them can lead to the wrong response by an organisation.

A privacy breach, as defined in section 112, is the event itself: when personal information is accessed, disclosed, altered, lost, or destroyed without proper authority, or is made inaccessible. This could be a small thing like an email sent to the wrong person, or a larger thing such as a cyberattack that exposes thousands of customer records. The key point is that something happened to the information that shouldn’t have. Under the Privacy Act, if that privacy breach has caused or is likely to cause serious harm to the people affected, the organisation is required to notify both the Privacy Commissioner and the impacted individuals.

In contrast, a breach of the Privacy Act is usually not about a single event involving personal information; it’s about the organisation failing to meet its obligations under the Privacy Act. For example, not appointing a Privacy Officer, failing to provide a clear privacy statement, or refusing to let someone see their own information without a lawful reason. These are breaches of the Privacy Act whether or not any “incident” occurs. They’re often about compliance, governance, and accountability.

This is where the confusion often comes in. The existence of a privacy breach can often expose a breach of the Act. For example, a privacy breach caused by a hacker can also show that the organisation never had adequate security controls in place. The resulting incident is therefore both a privacy breach and evidence that effective controls were lacking, which is itself a breach of the Privacy Act.

However, the reverse isn’t always true. An organisation can be in breach of the Act for years, for example by consistently not providing a privacy notice, without there ever being a “privacy breach”.

Understanding whether you have a privacy breach or a breach of the Privacy Act matters because the responses are different. A privacy breach requires immediate action such as fixing the problem, assessing the risk, and notifying where necessary. A breach of the Act often calls for longer-term fixes such as reviewing governance arrangements, retraining staff, and rewriting policies. Both can hurt an organisation’s reputation and invite regulatory action, but in different ways.
