5. Complaints about privacy

An individual can complain to the relevant agency (ACECQA or a regulatory authority) about the mishandling of their personal information. ACECQA or the regulatory authority should attempt in the first instance to resolve an individual’s privacy complaint. If ACECQA or the regulatory authority is not able to resolve the complaint, then the National Law provides individuals with a right to complain to the National Education and Care Services Privacy Commissioner (NECS Privacy Commissioner).

More information
Contact details for the NECS Privacy Commissioner are available at www.necsopic.edu.au.

5.1 Addressing privacy breaches

In some circumstances, ACECQA or a regulatory authority may become aware of an interference with an individual’s privacy without a complaint. In those circumstances, the best practice response is to address the breach in a manner consistent with the OAIC’s data breach response process available on the OAIC website. A brief summary of the process is outlined below.

Addressing privacy breaches

Step 1

Contain the breach and make a preliminary assessment

  • Take immediate steps to contain the breach
  • Designate person/team to coordinate response

Step 2

Evaluate the risks for individuals associated with the breach

  • Consider what personal information is involved
  • Determine whether the context of the information is important
  • Establish the cause and extent of the breach
  • Identify what the risk of harm is

Step 3

Consider breach notification

  • Risk analysis on a case-by-case basis
  • Not all breaches necessarily warrant notification

Step 4

Review the incident and take action to prevent future breaches

  • Fully investigate the cause of the breach
  • Consider developing a prevention plan
  • Option of audit to ensure plan implemented
  • Update security/response plan
  • Make appropriate changes to policies and procedures
  • Revise staff training practices