On 22 February 2018, changes to the Privacy Act 1988 (Cth) (the Act) will take effect and a new Notifiable Data Breach (NDB) Scheme will be in force. This reform will affect the Privacy Programs of almost all non-government schools, and it is one of the most important reforms since the introduction of the 13 Australian Privacy Principles (APPs) in 2014.
Privacy is in the news
The timing of Privacy Awareness Week (PAW) is fitting given the global cyber attack which occurred over the weekend, causing chaos around the world. According to media reports, the attack involved cyber extortionists tricking victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. The motivation behind the attack appeared to be money, with computer users being asked by the hackers to make payments of $US300 ($AU406) to $US600 ($AU812) to restore access. Although the hackers did not appear to be motivated by accessing peoples' personal information, the security of personal information on an affected computer would be threatened by the hackers taking control of their computers.
The recently released Australian Community Attitudes to Privacy Survey 2017 revealed some interesting and concerning statistics including:
- 69% of Australians say they are more concerned about their online privacy than they were five years ago;
- 83% think there are greater privacy risks dealing with an organisation online, compared to in traditional settings;
- the majority of Australians do not regularly read the privacy policies of websites they use; and
- 43% of Australians do not regularly adjust the privacy settings on their social media accounts.
Schools collect and store a vast array of personal information about students and staff, through the operation of day-to-day functions. Also, advances in technology are enabling schools to electronically store increasing amounts of personal information such as photos, bank details, family information, contact details, videos of students, medical records and health information. This development poses many challenges to the protection of privacy in the school environment, in relation to both online and offline information. For this reason, it is important that school communities practice a privacy-aware culture to ensure that the collection, storage, use and disclosure of personal information about students and staff comply with the Australian Privacy Principles (APPs).
Under APP 11 (security of information), schools are required to take reasonable measures to protect information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The NDB Scheme will require schools to notify the Office of the Australian Information Commissioner (OAIC) and the affected individual(s), in the event of a notifiable data breach.
What is an ‘eligible data breach’
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches are not limited to hackings or cyber-attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person. For example, leaving a school laptop on public transport.
Not all data breaches will be NDBs. Pursuant to section 26WE of the Act, an eligible data breach, which would require notification, occurs in circumstances where:
- there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- Information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.
In short, for there to be an eligible data breach, the breach would have the likelihood of resulting in serious harm to any of the affected individuals. Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the school’s position would identify as a possible outcome of the data breach.
Examples of data breaches which may meet the definition of an eligible data breach, include when:
- a device containing a member of the school community’s personal information is lost or stolen (e.g a school laptop);
- a database containing personal information is hacked;
- personal information about students or staff is mistakenly provided to the wrong person;
- records containing student information is stolen from unsecured recycling bins; or
- disclosing personal information about students/staff for purposes other than what it was collected for and without the consent of the affected students/staff.
Once a school forms the view, based on reasonable grounds, that there has been an eligible data breach, it must:
- prepare a statement in accordance with the Act; and
- give a copy of the statement to the OAIC as soon as practicable after the school becomes aware of the eligible data breach.
The statement must set out:
- the identity and contact details of the school;
- a description of the eligible data breach that the school has reasonable grounds to believe has happened;
- the kind/s of information concerned; and
- the recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
The school must notify the contents of that statement to the affected individuals (students, parents, staff etc.) as soon as practicable. What constitutes reasonable steps for notification will depend on the circumstances of every case. For schools, practicable means of communication are more likely to be by phone, letter, email or in person, as they are the normal means of communication between the school and its students or staff.
If it is not practicable to notify the individuals directly, the organisation may publish its statement on its website and take reasonable steps to make the statement public.
For schools, public notification (for example on a website or social media) may be required if an eligible data breach involves highly sensitive and personal information affecting both past and present students, such that it would be impracticable to contact each of the individuals directly and the information disclosed would likely result in serious harm to all the individuals affected. Some exceptions to notifying the OAIC and individuals exist, including where taking 'remedial action' to avoid harm being suffered is possible. For schools, this exception may apply where, in the event of an eligible data breach, the school takes action by requesting an unauthorised recipient of personal information to delete or destroy the information, such that there would unlikely be serious harm due to the breach.
What should schools be doing?
To enable schools to take remedial action, an effective data breach response plan should be in place to ensure that the school's relevant personnel, such as the privacy officer, is made aware of potential breaches as soon as practicable. Early identification of eligible data breaches would be critical to enabling schools to take measures that would give effect to this exception.
CompliSpace has produced a briefing paper which explains the NDB Scheme, how it will affect schools and what they should be doing now to prepare for the laws taking effect in 2018. The paper is available here: Privacy Update: Mandatory Notification of Data Breaches.