Notifiable data breach obligations: the importance of being adequately equipped in a COVID-19 world

The Notifiable Data Breaches Scheme turned two on 22 February 2018. Whilst any anniversary is an appropriate time to pause and reflect, the consideration of privacy and data breach issues, in the COVID-19-induced brave new world in which many of us now operate, supercharges such considerations and underlines why business and organisations need to know and fulfil their obligations.

What is the Notifiable Data Breaches Scheme and why is it important?

As a refresher, please read our article previously published at the introduction of the Scheme: https://www.codea.com.au/sub-publication/introduction-notifiable-data-breaches-scheme/. In short, the Scheme applies in all Australian States and Territories and is administered by the Office of the Australian Information Commission ('OAIC'). It applies to all agencies and organisations ('relevant entities') with existing personal information security obligations under the Privacy Act 1988 (Cth). These entities include but are not limited to business and not-for-profit organisations with a yearly turnover of $3 million or more, health care providers, government bodies, and credit reporting bodies.

Under the Scheme, an 'eligible data breach' must be reported to the OAIC once the entity has grounds to believe that a breach has occurred. An assessment by the relevant entity of a data breach must take place within 30 days. A data breach must satisfy three criteria but the key element is whether the breach will likely result in 'serious harm' to any affected individual.

And yes, organisations can be penalised for engaging in repeated and serious breaches, or for otherwise falling foul of with the Scheme.

How things are tracking and what the statistics tell us

It is with increasing regularity that we read examples in the news of data breaches across a range of public and private organisations. For example, on 31 March 2020, it was reported by the ABC that the Federal Court mistakenly published on its website the names of hundreds of people seeking protection visas on its website which could lead to grave consequences for those named1.

On 28 February 2020, the OAIC published the data breach statistics for the period July to December 20202. The report showed a 19% increase in the number of data breaches reported to OAIC during this six month period, being 537, compared to the first half of the year, being 460.

Of concern, and demonstrative of a challenge that business and individuals alike face, it is reported that malicious or criminal attacks (including cyber incidents for financial gain) remain the leading cause of data breaches, accounting for 64% of all notifications.

Data breaches resulting from human error account for 32% of all breaches, down from 34% in the previous reporting period. Human error can include attaching the wrong attachment to an email, including pages from another client's matter in attachments or in letters, sending emails and letters to the wrong email address, and losing hard copy documents.

An individual's contact information (eg – home address, phone number) remains the most common type of personal information involved in a data breach. The health sector is the highest reporting industry, with 22% of all breaches, with the finance sector in second place, reporting 14% of all breaches.

Importantly, the OAIC has the power to impose civil penalties for non-compliance with the Scheme, and relevant entities may be subject to claims for damages. Unfortunately, the OAIC's update did not provide detail of these sanctions. As stated by the OAIC Commissioner, Angelene Falk, in a October 2019 speech to the International Association of Privacy Professionals Australia and New Zealand,3 "since the NDB scheme commenced in February last year we have been active in assisting organisations to comply with their notification obligations and to understand the causes of data breaches. Now that we have moved into the second year, however, the onus is well and truly on organisations to further commit to best practice in combating data breaches and improving response strategies. If not, the OAIC will exercise its enforcement powers, and we have several matters in the pipeline".

What should relevant entities do?

With an ever increasing amount of employees now working from home or otherwise remotely, it is essential that relevant entities review current systems in place which govern the exchange of information and which can identify and respond to data breaches: this may require assessment by IT advisers.

It is also essential that organisations amend or create new policies/procedures if gaps are identified, prepare or update a Data Breach Response Plan relevant to your entity, continuously review the Plan in practise and update where necessary, and ensure the most important people with your organisation (your staff) are aware – in a practical way – of their obligations.

In terms of an organisation's compliance with its privacy law and confidentiality obligations, if you ever become aware of a data breach or suspected data breach, please ensure that you immediately report to the risk manager/s.

Conclusion

In summary, at a time when organisations, businesses, and individuals are transforming the way they operate due to the effects of COVID-19, it is more important than ever for relevant entities to keep a close eye on potential data breaches. It is important for businesses to review their approach to data retention and transmission, as well as privacy considerations across the board, to determine what aspects of its internal processes are working and those that are not. A robust and honest internal assessment is required as these obligations go beyond the financial or regulatory penalties that a business may face but rather they can affect a key commodity – confidence – of customers or users of your brand.

Carroll & O'Dea Lawyers can assist you with risk analysis, creating a Data Breach Response Plan, updating privacy policies and document retention policies, creating notice protocols or generally reviewing your existing contracts, practices, documentation and relevant insurance cover.

Footnote

1 https://www.abc.net.au/news/2020-03-31/federal-court-in-protection-visa-data-breach-published-names/12102536

2 https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/

3 https://www.oaic.gov.au/updates/speeches/2020-vision-challenges-and-opportunities-for-privacy-regulation/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.