Mandatory notification of data breach terminology

Agencies[1] other than local government[2] are required to comply with the mandatory notification of data breach scheme (MNDB) in chapter 3A of the Information Privacy Act 2009 (Qld) (IP Act).

Under the MNDB, agencies affected by an eligible data breach must notify individuals and the Office of the Information Commissioner (OIC), subject to some limitations. For more information refer to Mandatory notification of data breach.

Notification of an eligible data breach must include a description of the data breach.

Data breach terminology

Eligible data breaches can have a number of different causes, e.g. human error, malicious actions or system faults, and different agencies may describe the same cause in different ways.

The glossary in the table below, which largely replicates material published by the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission,[3] will assist agencies to accurately and consistently:

  • categorise the causes of data breaches;
  • identify and describe data breach causes; and
  • contain and mitigate potential harm.

The use of consistent language when categorising and reporting on eligible data breaches will also help the OIC to classify data breach types and identify potential breach trends and vulnerabilities across the Queensland public sector.


Commonly used terms and definitions

Human Error: An unintended action by an individual directly resulting in a data breach.

  • Failure to use Blind Carbon Copy (BCC) when sending email: Sending an email to a group of people and placing all recipient email addresses in the ‘To’ field, thereby disclosing every recipient’s email address to all recipients.
  • Failure to redact personal information: Failure to de-identify and/or delete personal information from a document or record before it is disclosed.
  • Incorrect personal information attached to a client file: Personal information is attached to the wrong client file, which is subsequently accessed or disclosed.
  • Insecure disposal: Disposing of documents containing personal information in a manner that results in unauthorised loss or disclosure, for example placing customer records in a public bin instead of the secure disposal bin.
  • Loss of paperwork or data storage device: The physical loss of personal information, for example an employee accidentally leaving a client folder on a train or a work laptop in a taxi.
  • Personal information sent to the wrong recipient: Personal information sent to the wrong recipient via email, fax, post, courier service or other electronic method.
  • Unauthorised access: Personal information is accessed without authority, or for a purpose that is not directly related to the person’s duties or work functions.
  • Unauthorised verbal disclosure: Verbally sharing personal information without authorisation, for example openly discussing sensitive medical information in a hospital waiting room.
  • Unauthorised disclosure by unintended release or publication: Unauthorised disclosure of personal information in writing, for example sending a letter to the wrong address but with the correct name, or publishing information online.

Malicious or Criminal Attack: A malicious or criminal attack, deliberately crafted to exploit known vulnerabilities for financial or other gain.

  • Theft of paperwork or data storage device: Theft of a physical device or paperwork containing personal information.
  • Social engineering/impersonation: A directed attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.
  • Rogue employee/insider threat: An intentional attack by an employee or insider (e.g. a contractor) conducting activities that are not in the interest of the employer or other entity.
  • Cyber incident: An incident that targets computer information systems, infrastructure, computer networks or personal computing devices.
  • Malware: Short for ‘malicious software’: software used to gain unauthorised access to computers, steal information, and disrupt or disable networks. Types of malware include trojans, viruses and worms.
  • Ransomware: Malicious software that makes data or systems unusable until the victim makes a payment.
  • Phishing (compromised credentials): Untargeted, mass messages sent to many people asking for information, encouraging them to open a malicious attachment, or directing them to a fake website that asks the user to provide information or download malicious content.
  • Brute force attack: A typically unsophisticated and exhaustive process to determine a cryptographic key or password by systematically trying all alternatives until the correct one is found.
  • Compromised or stolen credentials (method unknown): Credentials are compromised or stolen by an unknown method.
  • Hacking: Unauthorised access to a system or network (other than by way of phishing, brute force attack or malware), often to exploit a system’s data or manipulate its normal behaviour.
  • Business email compromise: A form of cybercrime that uses email fraud to attack an organisation in order to achieve a specific outcome that negatively impacts the target organisation.

System Fault: A business or technology process error not caused by direct human error.

  • Mail merge failure: A system failure which results in personal information being misdirected to the incorrect individual.
  • Unintended release or publication: A system failure which results in the release or publication of personal information.

[1] Agency includes a Minister.
[2] The MNDB scheme will apply to local government from 1 July 2026. Local governments should refer to Breach management and notification for local government.
[3] Australian Government, Office of the Australian Information Commissioner, Notifiable Data Breaches Report: January to June 2024; and New South Wales Government, Information and Privacy Commissioner, Glossary – Defining the causes of a data breach.

Current as at: July 1, 2025