Mandatory notification of data breach terminology

Queensland government agencies1 must handle personal information2 in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government3) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.

In addition to the MNDB guidelines,4 agencies may find these templates and quick guides helpful:

Data breach terminology

Eligible data breaches can have a number of different causes, e.g. human error, malicious actions, or system faults, which different agencies may describe in different ways.

The glossary in the table below, which largely replicates material published by the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission,5 will assist agencies to accurately and consistently:

  • categorise the causes of data breaches;
  • identify and describe data breach causes; and
  • contain and mitigate potential harm.

The use of consistent language when categorising and reporting on eligible data breaches will also help the Office of the Information Commissioner to classify data breach types and identify potential breach trends and vulnerabilities across the Queensland public sector.


Commonly used terms and definitions

Human Error: an unintended action by an individual directly resulting in a data breach.

  • Failure to use Blind Carbon Copy (BCC) when sending email: sending an email to a group of people and placing all recipients' email addresses in the ‘To’ field, thereby disclosing all recipient email addresses to all recipients.
  • Failure to redact personal information: failure to de-identify and/or delete personal information from a document or record before it is disclosed.
  • Incorrect personal information attached to a client file: personal information is attached to the wrong client file, which is then subsequently accessed or disclosed.
  • Insecure disposal: disposing of personal information documents in a manner that results in unauthorised loss or disclosure, for example placing customer records in a public bin instead of the secure disposal bin.
  • Loss of paperwork or data storage device: the physical loss of personal information, for example where an employee accidentally leaves a client folder on a train or leaves a work laptop in a taxi.
  • Personal information sent to the wrong recipient: personal information sent to the wrong recipient via email, fax, post, courier service or other electronic method.
  • Unauthorised access: personal information is accessed without authority, or for a purpose that is not directly related to the person's duties or work functions.
  • Unauthorised verbal disclosure: verbally sharing personal information without authorisation, for example sharing or openly discussing sensitive medical information in a hospital waiting room.
  • Unauthorised disclosure by unintended release or publication: unauthorised disclosure of personal information in writing, for example sending a letter to the wrong address but with the correct name, or publishing information online.

Malicious or Criminal attack: a malicious or criminal attack, deliberately crafted to exploit known vulnerabilities for financial or other gain.

  • Theft of paperwork or data storage device: theft of a physical device or paperwork containing personal information.
  • Social engineering/impersonation: a directed attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.
  • Rogue employee/insider threat: an intentional attack by an employee or insider (e.g. a contractor) conducting activities that are not in the interest of the employer or other entity.
  • Cyber incident: an incident that targets computer information systems, infrastructure, computer networks or personal computer devices. Cyber incidents include:
      • Malware: short for ‘malicious software’; software used to gain unauthorised access to computers, steal information, and disrupt or disable networks. Types of malware include trojans, viruses and worms.
      • Ransomware: malicious software that makes data or systems unusable until the victim makes a payment.
      • Phishing (compromised credentials): untargeted, mass messages sent to many people asking for information, encouraging them to open a malicious attachment, or directing them to a fake website that asks the user to provide information or download malicious content.
      • Brute force attack: a typically unsophisticated and exhaustive process to determine a cryptographic key or password that proceeds by systematically trying all alternatives until it discovers the correct one.
      • Compromised or stolen credentials (method unknown): credentials are compromised or stolen by unknown methods.
      • Hacking: unauthorised access to a system or network (other than by way of phishing, brute force attack, or malware), often to exploit a system's data or manipulate its normal behaviour.
      • Business email compromise: a form of cybercrime that uses email fraud to attack an organisation in order to achieve a specific outcome that negatively impacts the target organisation.

System Fault: a business or technology process error not caused by direct human error.

  • Mail merge failure: a system failure which results in personal information being misdirected to the incorrect individual.
  • Unintended release or publication: a system failure which results in the release or publication of personal information.

  • 1 Agency includes a Minister.
  • 2 Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
  • 3 The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
  • 4 Which are based on and include material from guidelines developed by the NSW Information and Privacy Commission.
  • 5 Australian Government, Office of the Australian Information Commissioner, Notifiable Data Breaches Report: January to June 2024 and New South Wales Government, Information and Privacy Commissioner, Glossary – Defining the causes of a data breach.

Current as at: July 31, 2025