There is no legal requirement under the Privacy and Data Protection Act 2014 (Vic) to notify affected individuals of a privacy incident.
The University may decide, on a case-by-case basis, that it is appropriate to notify an affected individual.
A decision to notify will usually be made where there is a risk of serious harm to the affected individual that notification could assist the individual to mitigate.
This requires an assessment of the risks to the affected individual.
This guideline outlines the University's approach to making a decision to notify.