Notifiable Data Breaches – 6 months of lessons from the OAIC

Notifiable Data Breaches Report (July-December 2020)

The Office of the Australian Information Commissioner (OAIC) has released its twice-yearly report on notifiable data breaches reported in the second half of 2020.

539 data breaches were notified to the OAIC under the Notifiable Data Breach Scheme (NDB Scheme) in the second half of last year, with 38% being due to human error. Data breaches most commonly occurred as a result of cyber crime or malicious attacks.

The OAIC has commented that it is still too early to say whether working from home arrangements, which were widely introduced in response to COVID-19, have increased the risk of data breaches or affected the ability of organisations to meet notification requirements. Organisations are being encouraged to undertake Privacy Impact Assessments (PIAs) on their working from home arrangements to minimise privacy risks as much as possible.

Time to make haste

Depending on the size of the data breach, organisations may need a few weeks to conduct an assessment and determine the extent of the breach and harm caused. However, section 26WH of the Privacy Act 1988 (Cth) requires organisations to carry out their assessment of a suspected eligible data breach within 30 days of being made aware of it.

Reporting entities in late 2020 were much slower, taking longer than 30 days to complete their assessments. The OAIC has warned that undue delays undermine the NDB Scheme. The longer entities wait to notify the OAIC and, importantly, the people affected, the greater the harm and damage done to the individuals whose privacy has been breached.

Time to fess up

Whether it's human error, a system fault or someone falling for a phishing scam, privacy breaches can attract a lot of shame and embarrassment. In spite of this, organisations should not be tempted to sugarcoat or downplay the nature of a breach or its consequences.

For example, in 2020 the OAIC received a notification from an entity whose staff member was deceived by a malicious actor into disclosing personal information. The entity told the affected individuals that their information was disclosed to an “unintended recipient”. This significantly downplayed the disclosure of personal information to a potential criminal actor and reduced the ability of the affected individuals to make an informed decision about how to mitigate the harm. Downplaying or condensing a data breach incident falls short of reporting obligations under the NDB Scheme. Organisations are encouraged to be open and transparent in the reporting process.

Time to plan your response

Best practice in responding to a potential eligible data breach is to act quickly and:

  • Lock down servers and programs to contain the breach and commence a preliminary assessment
  • Consult your IT professional and privacy officer and undertake an investigation into the breach
  • Identify what personal information has been jeopardised and who it belongs to (extent of the breach)
  • Identify the cause of the breach
  • Notify your staff of the breach
  • Classify the personal information involved in the breach and evaluate the risk of harm
  • If notifiable, notify the OAIC and all affected individuals in a way that describes specifically and comprehensively what happened and presents an accurate evaluation of the risk of harm
  • Undertake remedial steps to enact a prevention plan, review privacy policies and consider the need to retrain staff

Talk to Griffin Legal today about implementing a tailored Data Breach Response Plan for your organisation. Don’t get caught falling short of your NDB obligations.
