The Australian government provides us with this very complete manual for dealing with leaks of privacy-sensitive data. Two key points from the summary:
In general, if there is a real risk of serious harm as a result of a personal information security breach, the affected individuals should be notified.
Notification can operate as an important mitigation strategy for individuals and it promotes transparency and trust about the organisation or agency.
It is a very good read, with a short but complete summary. After getting through all 40 pages, you get a very simple graphic that describes how your process for dealing with these events should look. I’d suggest printing this and putting this up in every office in your IT department, and in the offices of all management staff.