Do you know your data breach responsibilities under the Privacy Act? Notifications are down by 16%!

The Office of the Australian Information Commissioner (OAIC) regularly publishes reports on data breaches that have been reported to the commission under the Notifiable Data Breaches scheme.

This scheme was established in 2018 to improve the protection of identifiable consumer information and raise the security standards for protecting personal information. Under the scheme, any organisation covered by the Privacy Act 1988 (Cth) must notify individuals affected by a data breach when harm to those individuals is the likely outcome of the breach, and must also notify the OAIC of the breach.

The OAIC reports analyse why data breaches occur and what industries they occur in. The Report for the first half of 2021 was based on 446 notifications of data breaches and highlighted that:

  • malicious or criminal attacks are currently the leading sources of data breaches, accounting for 64% of the total data breaches
  • data breaches caused by human errors made up 30% of the total data breaches, with 40% of those breaches resulting from personal information being sent to the wrong recipient
  • the health industry continues to report the highest number of breach notifications, making up 19% of all breaches, followed by the finance industry, which was responsible for 13% of breach notifications
  • most data breaches (91%) involved contact information, such as name, address, email address and phone number, while identity information, such as date of birth and passport details, was involved in 55% of data breaches.

What causes data breaches

Data breaches occur when personal information is obtained either by accident or through malicious action. The Report found that data breaches resulting from human error most commonly occurred where there was:

  • information sent to the wrong person
  • a failure to use BCC in an email
  • unintentional publication of information
  • loss of paperwork

Data breaches that occurred maliciously were the result of:

  • hacking
  • malware
  • ransomware
  • phishing
  • compromised credentials
  • theft of data

The Report also noted that data breach notifications were down 16% compared with the last reporting period. We expect the OAIC will monitor any downward trend carefully to ensure it is the result of fewer breaches rather than organisations failing to comply with their reporting obligations.

As for the obligation to report data breaches, only eligible data breaches must be reported to the OAIC. A breach is not an eligible data breach where:

  • an entity takes action in relation to the loss, unauthorised access to or unauthorised disclosure of personal information before it results in serious harm to an individual; and
  • a reasonable person who is properly informed based on the information immediately available would conclude that the action makes it unlikely that serious harm would be suffered by any of the affected individuals.

The OAIC can issue sanctions where there is a failure to comply with the mandatory reporting obligations, including significant fines and enforceable undertakings.

Organisations should know their responsibilities in relation to data breaches under the Privacy Act. A plan should be in place to respond quickly to any data breach in order to comply with the Act and minimise any damage or loss to individuals and the reputation of the organisation.

If your organisation needs any assistance or advice with privacy matters, data breaches or preparing a data breach response plan, call Griffin Legal on 02 6198 3100.
