Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 (SI Act) and the Privacy Act 1988 (Privacy Act).
TRANSPARENT is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act.
This newsletter focuses on why it is important for your organisation to have a plan for responding to data breaches and to notify the OAIC when required.
IMPORTANT NOTE: The Privacy Act, including the Australian Privacy Principles (APPs), applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines. The steps outlined in this newsletter may also be used by non-APP entities as a model for better personal information handling practice.
Inside this edition:
- What is a data breach?
- Why is it important to have a data breach response plan?
- Developing a data breach response plan
- Responding to data breaches – four key steps
- Regular review of data breach response plan
- Reporting data breaches to the OAIC under the Notifiable Data Breaches scheme
- OAIC resources
What is a data breach?
A data breach occurs when personal information held by your organisation is subject to unauthorised access or disclosure, or is lost.
Personal information includes information that identifies, or could reasonably identify, an individual. For example, this could include student enrolment records containing students’ names, dates of birth and contact details. For more information about personal information, see Bulletin 1.
Why is it important to have a data breach response plan?
The OAIC’s statistics on data breach notifications indicate that data breaches have a range of causes and affect a range of entities, including in the education sector. The education sector was one of the top five sectors to notify data breaches to the OAIC during the October to December 2018 quarter (see the OAIC’s Notifiable Data Breaches Quarterly Statistics Report for more information).
The three most common causes of the data breaches were:
- human error (such as sending personal information to the wrong recipient, loss of paperwork or data storage device, or insecure disposal of personal information)
- malicious or criminal attack (such as cyber incidents or deliberate actions by rogue employees)
- system fault (such as IT system errors)
A data breach may cause serious harm to your organisation and to the individuals involved. Affected individuals may be exposed to financial fraud, identity theft and physical harm or intimidation. A data breach can also negatively impact on your organisation’s reputation. It is therefore important that your organisation has robust systems and procedures in place to help staff quickly identify incidents when they occur, and to respond effectively. A data breach response plan can help you reduce the potential impact of an incident on the affected individuals and on your organisation.
Developing a data breach response plan
A data breach response plan outlines the staff members involved in managing a data breach (or suspected data breach), and their responsibilities. It also describes the steps your organisation will take when a data breach occurs (see ‘Responding to data breaches – four key steps’ below).
Your plan should include:
- a clear explanation of what constitutes a data breach
- procedures for containing, assessing and managing a data breach from start to finish
- the roles and responsibilities of staff in responding to a data breach
- procedures for documenting data breach incidents
- a review process to evaluate how a data breach occurred and the success of your response.
Identifying key response staff and their roles is crucial. Your data breach response plan should clearly outline staff who are:
- the first point of contact
- part of the ‘response team’
- responsible for deciding whether the breach should be escalated to the response team.
Responding to data breaches – four key steps
Each data breach response needs to be tailored to the circumstances of the incident. In general, a data breach response should follow four key steps: contain, assess, notify and review.
Step 1: Contain
When your organisation has discovered (or suspects) that a data breach has occurred, immediate action should be taken to contain the breach. The action your organisation should take will depend on the nature of the breach. Some common actions may include stopping the unauthorised practice, shutting down the system that was breached and/or recovering any disclosed information.
Step 2: Assess
An assessment of the data breach is required as quickly as possible. Gather and evaluate as much information about the incident as is available. This can help your organisation understand the risks associated with the data breach and how best to address them. In your assessment you should consider:
- the type(s) of personal information involved in the data breach
- the circumstances of the data breach, including its cause and extent
- the nature of the harm to affected individuals, and if this harm can be reduced through remedial action.
Step 3: Notify
Notification can be an important mitigation strategy that may benefit both your organisation and the individuals affected by the data breach. Moreover, you may be required to notify both affected individuals and the OAIC.
Notification provides individuals with the opportunity to take steps to protect their personal information following a data breach, such as by changing account passwords or being alert to possible scams. Notification also helps build trust in your organisation, by demonstrating that privacy protection is taken seriously.
Each incident needs to be considered on a case-by-case basis. Consider:
- Is your organisation required to notify the affected individuals and the OAIC of the data breach? (see ‘Notifiable Data Breaches scheme’ below)
- Will notifying the affected individuals cause undue stress or harm (such as where a data breach poses very little or no risk of harm)?
- Alternatively, will not notifying the affected individuals adversely impact them (such as where the potential harm to these individuals could worsen)?
Step 4: Review
Once the first three steps are complete, the final step involves reviewing and learning from the data breach to improve your organisation’s personal information handling practices. This might involve:
- conducting a security review to identify the root cause of the data breach
- developing a prevention plan to prevent similar incidents in future
- conducting audits to ensure the prevention plan is implemented
- reviewing policies and procedures, and implementing changes to reflect the lessons learned from the review
- revising employee training
- reviewing service delivery partners that were involved in the breach.
Regular review of data breach response plan
You should regularly review and test your data breach response plan so that it remains up to date and your staff know what actions they are expected to take. How often reviews take place will depend on your circumstances, including the size of your organisation, the nature of your operations, the possible adverse consequences to an individual if a breach occurs, and the amount and sensitivity of the information you hold.
You should create and test your plan before a data breach occurs by, for example, responding to a hypothetical data breach, and regularly test it after implementation for effectiveness. It is good privacy practice to review the plan after the introduction of new services or system enhancements that impact on the handling of personal information.
Reporting data breaches to the OAIC under the Notifiable Data Breaches scheme (Privacy Act 1988)
If your organisation is an APP entity and a data breach (or suspected data breach) occurs, you may be required to notify affected individuals and the OAIC under the Notifiable Data Breaches (NDB) scheme.
The NDB scheme only applies to data breaches that are likely to result in serious harm to one or more individuals, and in circumstances where your organisation has been unable to prevent the likely risk of serious harm with remedial action.
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Conducting an assessment of the data breach (see Step 2 of ‘Responding to data breaches – four key steps’ above) will help you determine whether serious harm is likely. Under the NDB scheme, entities must take reasonable steps to complete this assessment within 30 days.
There are also a number of resources available to assist entities that have obligations under the Notifiable Data Breaches scheme, including guidance on how to assess a suspected data breach and how to notify the OAIC.
The next edition of TRANSPARENT will focus on cross-border disclosure to overseas recipients, including:
- what is ‘cross-border disclosure’?
- taking reasonable steps to ensure overseas recipients do not breach the APPs
- exceptions to the requirement to take reasonable steps to ensure overseas recipients do not breach the APPs
- summary and recap of privacy topics covered in Transparent newsletters.