Education services found breaching the Privacy Act
The Office of the Australian Information Commissioner (OAIC) received 245 notifications of data breaches in which personal information was compromised between July and September 2018, with private education providers among the top five sectors reporting breaches, information released this week has revealed.
Just over half of the reported incidents – 57.1 per cent – were the result of malicious or criminal attack, such as the interception of private information while open Wi-Fi networks were being used, or the “hacking” of accounts.
Human error accounted for 37 per cent of breaches.
The importance of all staff who deal with private information receiving adequate training was emphasised by Australian Information Commissioner and Privacy Commissioner Angelene Falk, who said that everyone who handles personal information in their work role needs to understand how data breaches occur so that they can be prevented.
In the lead-up to the change in notifiable data breach legislation, which came into effect on 22 February 2018, specific guidance for those working in early childhood education and care (ECEC) services was made available from various sources.
As part of the legislative changes, organisations, including ECEC services, are required to comply with the Privacy Act, and follow the Australian Privacy Principles in relation to how they handle, use and manage the personal information of those using their service. Each individual service needs to consider how the principles apply to their individual situation, in terms of operations, data management, information technology platforms etc.
The principles cover how personal information can be used and disclosed, provide guidance about keeping personal information secure, and cover the open and transparent management of personal information.
The February amendment to the Privacy Act introduced the Notifiable Data Breaches (NDB) scheme, which requires all businesses regulated under the Privacy Act (including ECEC services) to notify the OAIC and affected individuals of any data breach that is likely to result in serious harm, such as identity theft.
Businesses that suspect an eligible data breach may have occurred must assess the breach and determine whether serious harm is likely to result. A failure to notify the OAIC about a breach which is found to constitute a serious interference with privacy under the terms of the Act may result in a fine of up to $360,000 for individuals or $1.8 million for organisations.
Ms Falk said that organisations and agencies need the right cyber security in place, but that policies, procedures and processes to support staff to protect personal information were of equal importance.
“Our latest report shows 20 percent of data breaches over the quarter occurred when personal information was sent to the wrong recipient, by email, mail, fax or other means,” Ms Falk said.
Twenty per cent of all the data breaches reported in the quarter were the result of phishing – an individual being contacted by email or text by someone posing as a legitimate institution, with the intent of luring the recipient into providing passwords or other personal information.
“This can result in their credentials – their username and password – being compromised and used to gain access to their system or network, if additional protections are not in place,” Ms Falk said.
Key statistics from the report
The Notifiable Data Breaches July–September 2018 report shows:
- Reported breaches were up from the previous quarter
- The top five industry sectors to report breaches were:
  - Private health service providers: 45
  - Legal, accounting and management services: 34
  - Private education providers: 16
  - Personal services: 13
The OAIC has produced a Data breach preparation and response guide for agencies and private sector organisations with obligations under the Privacy Act. Guidance for individuals on what to do after receiving a data breach notification, along with additional information, is available via the OAIC website.