Mandatory Notifiable Data Breaches take effect 22 Feb: Are you prepared?
On 22 February 2018, changes to the Privacy Act 1988 (Cth) (the Act) will take effect and a new Notifiable Data Breach (NDB) Scheme will be in force. This reform will affect the privacy obligations of all non-government schools that are governed by the Privacy Act and the Australian Privacy Principles (APPs).
Personal Information and Data Breaches
Schools collect and store a vast array of personal information about students and staff through the operation of their day-to-day functions. Advances in technology are also enabling schools to electronically store increasing amounts of personal information such as photos, bank details, family information, contact details, videos of students, medical records and health information. For this reason, it is important that school communities practise a privacy-aware culture to ensure that the collection, storage, use and disclosure of personal information about students and staff complies with the APPs.
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches are not limited to hacking or cyber attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person.
Notifiable Data Breaches
As stated in our previous article, the NDB Scheme prevents schools from concealing breaches where the breach is likely to result in serious harm to the affected person(s), i.e. what the Office of the Australian Information Commissioner (OAIC) considers to be an eligible data breach (also known as an NDB). Pursuant to section 26WE of the Act, an eligible data breach (NDB), which would require notification, occurs in circumstances where:
- there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates, or
- information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.
Examples of circumstances which may meet the criteria of an NDB include when:
- a device containing a member of the school community's personal information is lost or stolen (e.g. a school laptop)
- a database containing personal information is hacked
- personal information about students or staff is mistakenly provided to the wrong person
- records containing student information are stolen from unsecured recycling bins, or
- personal information about students/staff is disclosed for purposes other than those for which it was collected, without the consent of the affected students/staff.
The OAIC has produced new guidelines to assist organisations in Identifying Eligible Data Breaches and Entities covered by the NDB Scheme, which schools should read to understand more about their obligations in regard to an NDB.
Notification to the OAIC
Once a school forms the view, based on reasonable grounds, that there has been an NDB, it must:
- prepare a statement in accordance with the Act, and
- give a copy of the statement to the OAIC as soon as practicable after the school becomes aware of the NDB.
The statement must set out:
- the identity and contact details of the school
- a description of the NDB that the school has reasonable grounds to believe has happened
- the kind/s of information concerned, and
- the recommendations about the steps that individuals should take in response to the NDB that the entity has reasonable grounds to believe has happened.
The school must also notify the affected individuals (students, parents, staff etc.) of the contents of that statement as soon as practicable.
What should schools be doing now?
The introduction of the NDB Scheme is something that schools need to take seriously. After 22 February 2018, monetary penalties for failing to comply with the new legislation of up to $360,000 for individuals and $1.8 million for organisations will apply. Schools should also look closely at their cyber security policies to prevent data breaches from occurring in the future, make sure their personal information handling guidelines are clear, and ensure all staff are trained in their use.
For more information, in May 2017 CompliSpace published the Briefing Paper Privacy Update: Mandatory Notification of Data Breaches, which summarised the new mandatory NDB Scheme requirements under the Act. CompliSpace also produced a follow-up Briefing Paper in October 2017: Privacy update: Mandatory Notification of Data Breaches & Complaints Handling Update. The second Briefing Paper explains why your school must comply with the NDB amendments and includes a practical checklist to prepare for the changes.
Lauren Osbich is a Legal Research Consultant and School Governance reporter. She can be contacted here.