A breach of a person's privacy occurs when their personal and/or health information is compromised. 

A breach can occur: 

  • when there is unauthorised access to, or disclosure of, personal information held by IPART, or 
  • where personal information held by IPART is lost in circumstances where unauthorised access or disclosure of the information is likely to occur. 

When responding to a privacy breach IPART will investigate using the following steps: 

Report and Contain – Immediately report the breach and take steps to minimise the impact of the breach to prevent any further compromise of personal information.  

Assess and Mitigate - Gather facts about the incident to determine the extent of the breach, identify the individuals affected, and what type of information was involved.

Notify - Determine who needs to be notified of the incident.  

Review – Conduct a review of the privacy breach and compile a report with recommendations about preventing a recurrence of a similar event and reducing future risk.

IPART has a Data Breach Response Procedure that outlines the steps for responding to a privacy breach, including how we manage a breach and the process for notifying people affected by the breach. 
If you think your personal information has been handled incorrectly, contact the division area you have been dealing with or email 


This policy outlines IPART’s approach to complying with the Mandatory Notification of Data Breach (MNDB) Scheme, the roles and responsibilities for reporting data breaches and strategies for containing, assessing and managing eligible data breaches.

Further information and resources on the MNDB Scheme are available via the IPC’s website

More information about how IPART handles data breaches involving personal information can be found in the IPART Data Breach Policy.


The PPIP Act requires IPART to keep a register of all public notifications of eligible data breaches and to make that register available on its website.

A public notification is provided when it is not reasonably practicable to notify any or all of the individuals affected by the breach directly.

A register of all public notifications made by IPART in the previous 12 months is below:

Date the breach occurred | Description of breach | Type of breach (unauthorised access, unauthorised disclosure or loss of information) | How the breach occurred | Type of personal information impacted by the breach | Actions taken or planned to secure personal information or mitigate harm | Recommended steps affected individuals should take | Date of public notification | Link to full public notification

N/A - There have been no current notifications made.