Notifiable Data Breaches – 6 months of lessons from the OAIC

Notifiable Data Breaches Report (July-December 2020)

The Office of the Australian Information Commissioner (OAIC) has released its twice-yearly report on notifiable data breaches reported in the second half of 2020.

539 data breaches were notified to the OAIC under the Notifiable Data Breaches Scheme (NDB Scheme) in the second half of last year, with 38% attributed to human error. The most common cause of data breaches was cyber crime or other malicious attacks.

The OAIC has commented that it is still too early to say whether working from home arrangements, which were widely introduced in response to COVID-19, have increased the risk of data breaches or affected the ability of organisations to meet their notification requirements. Organisations are encouraged to undertake Privacy Impact Assessments (PIAs) on their working from home arrangements to minimise privacy risks as far as possible.

Time to make haste

Depending on the size of the data breach, organisations may need a few weeks to conduct an assessment and determine the extent of the breach and harm caused. However, section 26WH of the Privacy Act 1988 (Cth) requires organisations to carry out their assessment of a suspected eligible data breach within 30 days of being made aware of it.

Reporting entities in late 2020 were much slower, taking longer than 30 days to complete their assessments. The OAIC has warned that undue delays undermine the NDB Scheme. The longer an entity waits to notify the OAIC and, importantly, the people affected, the greater the harm and damage done to the individuals whose privacy has been breached.

Time to fess up

Whether it's human error, a system fault or someone falling for a phishing scam, privacy breaches can attract a lot of shame and embarrassment. In spite of this, organisations should not be tempted to sugarcoat or downplay the nature of a breach or its consequences.

For example, in 2020 the OAIC received a notification from an entity whose staff member was deceived by a malicious actor into disclosing personal information. The entity told the affected individuals that their information had been disclosed to an "unintended recipient". This significantly downplayed the disclosure of personal information to a potential criminal actor and reduced the ability of the affected individuals to make an informed decision about how to mitigate the harm. Downplaying or condensing a data breach incident falls short of the reporting obligations under the NDB Scheme. Organisations are encouraged to be open and transparent in the reporting process.

Time to plan your response

Best practice in responding to a potential eligible data breach is to act quickly and:

  • Lock down servers and programs to contain the breach and commence a preliminary assessment
  • Consult your IT professional and privacy officer and undertake an investigation into the breach
  • Identify what personal information has been jeopardised and who it belongs to (the extent of the breach)
  • Identify the cause of the breach
  • Notify your staff of the breach
  • Classify the personal information involved in the breach and evaluate the risk of harm
  • If notifiable, notify the OAIC and all affected individuals in a way that describes specifically and comprehensively what happened and presents an accurate evaluation of the risk of harm
  • Undertake remedial steps to enact a prevention plan, review privacy policies and consider the need to retrain staff

Talk to Griffin Legal today about implementing a tailored Data Breach Response Plan for your organisation. Don’t get caught falling short of your NDB obligations.
