A Guide to Notifiable Data Breaches in Australia
A data breach occurs when unauthorised parties access protected or confidential data. Here, data means important information, which may include personal or sensitive information, trade secrets or intellectual property. Data breaches commonly arise from unauthorised access to:
- personal information
- credit card details
- health care history
- corporate information
A breach may be intentional, for example when systems are hacked, but an unauthorised employee viewing personal or sensitive information is also a breach. According to the Office of the Australian Information Commissioner (OAIC), however, human error, not hackers, has been behind most data breaches in Australia since the mandatory Notifiable Data Breaches (NDB) scheme came into force on 22 February 2018.
OAIC’s First NDB Report
Notifiable Data Breaches – Quarterly Statistics Report: January 2018 – March 2018
The total number of breaches reported under the Notifiable Data Breaches scheme for the quarter was 63. There were nil reports in January 2018, 8 reports in February 2018 and 55 reports in March 2018.
The top five industry sectors that reported breaches in the quarter were Health Service Providers (15), Legal, Accounting and Management Services (10), Finance (including superannuation) (8), Education (6) and Charities (4).
The largest proportion of eligible data breaches reported to the OAIC therefore came from Health Service Providers at 24 per cent, followed by Legal, Accounting and Management Services at 16 per cent, the Finance sector at 13 per cent and charities at 6 per cent.
In this quarter, the kinds of personal information involved in the reported breaches (a single breach can involve more than one kind, so the figures sum to more than 100 per cent) were contact information (78%), financial details (30%), health information (33%), identity information (24%), other sensitive information (2%) and tax file numbers (TFNs) (14%). The majority of data breaches reported to the OAIC involved ‘contact information’ such as a person’s name, email address, home address or phone number. Data breaches also involved individuals’ tax file numbers, financial details (e.g. bank account or credit card numbers) and health or other sensitive information.
According to the Report, human error was the cause of the largest number of eligible data breaches, followed by malicious or criminal attacks such as the theft of personal information or cyber security incidents.
The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said:
A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.
Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.
This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments and training for any staff responsible for handling personal information.
What is a Notifiable Data Breach?
The Notifiable Data Breaches (NDB) scheme, introduced into the Privacy Act 1988 (Cth) by amendment as Part IIIC, establishes requirements for how entities must respond to data breaches. An entity has data breach notification obligations when a data breach is likely to result in serious harm to any individual to whom the information relates.
“Serious harm” is not defined in the Privacy Act. The OAIC states that “in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.”
Who does the Scheme apply to?
The scheme applies to organisations that the Privacy Act already requires to take steps to secure personal information. These include organisations that were already subject to the Privacy Act, Federal Government agencies, businesses, not-for-profit organisations, credit reporting bodies and TFN recipients, among others.
What are the reporting obligations?
Data breaches involving personal information that are likely to result in serious harm to the individuals concerned are called ‘eligible data breaches’ and must be reported within 30 days to both the Australian Information Commissioner and the individuals affected by the breach.
Risks and Fines
A business faces not only damage to its reputation and loss of trust as a data custodian but also the risk of substantial fines.
- A serious or repeated interference with privacy (s 13G) – 2,000 penalty units (currently $420,000)
- The maximum penalty that a court can order against a body corporate is five times the amount listed in the civil penalty provision (currently a maximum of $2.1 million).
Take-away points
- Data breaches occur through unauthorised access to protected data
- Data breach obligations are triggered when a breach is likely to result in serious harm to an individual
- Data breaches must be reported within 30 days
- The consequences of a data breach in Australia include damage to business reputation and financial penalties
Lara Alexandra, Legal Assistant and Trade Mark Administrator
We are a team of trade mark attorneys and IP specialists based on the Gold Coast and in Sydney. If you have any questions about data breaches, please contact us on 1300 77 66 14.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.