Privacy incident register
Identifying, categorising and reporting privacy incidents (near misses) and breaches allows an agency to identify trends in privacy incidents and enhance its processes and systems.
- It’s important to encourage the reporting of privacy breaches and incidents (near misses), and put in place processes to minimise the likelihood of a breach occurring.
- Setting a target of zero breaches is not recommended as it discourages the reporting of breaches and incidents (near misses), and the important learnings that an agency can gain from them.
- An incident register should be designed to allow for querying and data analytics, including trend analysis and anomaly detection. A good way to achieve this is to use dropdown menus instead of free text fields wherever possible. This also reduces the amount of personal information included within the register.
Common types of information to capture
While the information captured within an incident register will vary from agency to agency, the following fields should be included:
- type of breach
  - unauthorised access
  - accidental access
  - agency prevented from accessing the information temporarily
  - agency prevented from accessing the information permanently
- cause of the breach
- scale of the breach (for example, how many records were affected)
- sensitivity of the personal information that was subject to the breach
- intention behind the breach, if known (for example, accidental, intentional or malicious)
- who accessed the personal information
- nature of the harm that may eventuate for the individual(s)
- nature of the harm that may eventuate for your agency
- business unit where the breach originated
- response to the breach.
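The following is an added example, not material from the original page: a minimal privacy incident register in Python on SQLite that applies the two design points above. The "dropdown menus" become controlled vocabularies enforced by CHECK constraints, so a row with an out-of-vocabulary value is rejected rather than stored as free text, and the register is queried for a monthly trend by breach type, the near-miss to breach split, and business units whose count stands out. The column names, vocabulary values, the "more than a factor times the median" anomaly rule and every sample row are constructed for illustration and are not taken from any agency's register.

```python
"""Privacy incident register on SQLite (added example; schema and data are constructed)."""
import sqlite3
from statistics import median

# Controlled vocabularies stand in for the dropdown menus the page recommends:
# they keep the register queryable and keep free-text personal information out of it.
BREACH_TYPES = (
    "unauthorised access",
    "accidental access",
    "access prevented temporarily",
    "access prevented permanently",
)
SENSITIVITY = ("low", "medium", "high")
INTENTIONS = ("accidental", "intentional", "malicious", "unknown")


def _in(column, values):
    """Build a CHECK constraint restricting `column` to a fixed vocabulary."""
    return f"CHECK ({column} IN ({', '.join(repr(v) for v in values)}))"


SCHEMA = f"""
CREATE TABLE incident (
    id               INTEGER PRIMARY KEY,
    reported_on      TEXT    NOT NULL,          -- ISO date YYYY-MM-DD
    is_near_miss     INTEGER NOT NULL CHECK (is_near_miss IN (0, 1)),
    breach_type      TEXT    NOT NULL {_in('breach_type', BREACH_TYPES)},
    cause            TEXT    NOT NULL,          -- short category, not a narrative
    records_affected INTEGER NOT NULL CHECK (records_affected >= 0),
    sensitivity      TEXT    NOT NULL {_in('sensitivity', SENSITIVITY)},
    intention        TEXT    NOT NULL {_in('intention', INTENTIONS)},
    accessed_by      TEXT    NOT NULL,          -- role or party type, never a named person
    harm_individual  TEXT    NOT NULL,
    harm_agency      TEXT    NOT NULL,
    business_unit    TEXT    NOT NULL,
    response         TEXT    NOT NULL
)
"""

FIELDS = ("reported_on", "is_near_miss", "breach_type", "cause", "records_affected",
          "sensitivity", "intention", "accessed_by", "harm_individual",
          "harm_agency", "business_unit", "response")


def open_register():
    """Create an empty in-memory register using the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record(conn, **fields):
    """Insert one incident; a value outside a vocabulary raises sqlite3.IntegrityError."""
    cols = ", ".join(FIELDS)
    marks = ", ".join("?" for _ in FIELDS)
    with conn:  # commit on success, roll back if the CHECK constraints reject the row
        conn.execute(f"INSERT INTO incident ({cols}) VALUES ({marks})",
                     [fields[f] for f in FIELDS])


def monthly_trend(conn):
    """Incidents per month and breach type, for trend analysis."""
    return conn.execute(
        "SELECT substr(reported_on, 1, 7) AS month, breach_type, COUNT(*) "
        "FROM incident GROUP BY month, breach_type ORDER BY month, breach_type"
    ).fetchall()


def near_miss_split(conn):
    """Return (near_misses, breaches); a register with few near misses suggests under-reporting."""
    row = conn.execute(
        "SELECT SUM(is_near_miss), SUM(1 - is_near_miss) FROM incident").fetchone()
    return (row[0] or 0, row[1] or 0)


def anomalous_units(conn, factor=2.0):
    """Business units reporting more than `factor` times the median unit count (constructed rule)."""
    counts = dict(conn.execute(
        "SELECT business_unit, COUNT(*) FROM incident GROUP BY business_unit").fetchall())
    if not counts:
        return []
    threshold = factor * median(counts.values())
    return sorted(unit for unit, n in counts.items() if n > threshold)


SAMPLE = [  # constructed rows for illustration only
    ("2024-01-10", 1, "accidental access", "email misaddressed", 1, "low", "accidental",
     "staff member", "none", "none", "Payroll", "email recalled before it was opened"),
    ("2024-01-22", 0, "accidental access", "email misaddressed", 3, "medium", "accidental",
     "external party", "distress", "reputational", "Payroll", "recipient asked to delete"),
    ("2024-02-03", 0, "unauthorised access", "shared credential", 40, "high", "intentional",
     "staff member", "financial", "regulatory", "Payroll", "access revoked, investigation"),
    ("2024-02-14", 1, "access prevented temporarily", "backup misconfigured", 0, "low",
     "accidental", "not applicable", "none", "operational", "IT Operations", "backup restored"),
    ("2024-02-20", 0, "accidental access", "email misaddressed", 2, "low", "accidental",
     "external party", "none", "reputational", "Payroll", "recipient asked to delete"),
    ("2024-03-05", 0, "unauthorised access", "lost device", 120, "high", "unknown",
     "unknown", "identity theft risk", "regulatory", "Field Services", "device wiped remotely"),
    ("2024-03-11", 0, "accidental access", "document left on printer", 1, "medium",
     "accidental", "staff member", "distress", "none", "Client Services", "document shredded"),
]


def load_sample(conn):
    """Populate the register with the constructed rows and return the connection."""
    for row in SAMPLE:
        record(conn, **dict(zip(FIELDS, row)))
    return conn
```

The CHECK constraints are where the "dropdown instead of free text" advice is enforced at the storage layer, so a form or import script cannot smuggle in an unlisted value. Columns such as `cause` and `business_unit` are left as short category text here because their vocabularies are agency-specific; in a real register they would be constrained the same way.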