On 22 February 2018, changes to the Privacy Act 1988 (Cth) (the Act) will take effect and a new Notifiable Data Breach (NDB) Scheme will be in force. This reform will affect the privacy obligations of all non-government schools that are governed by the Privacy Act and the Australian Privacy Principles (APPs).
Schools collect and store a vast array of personal information about students and staff through the operation of their day-to-day functions. Advances in technology are also enabling schools to electronically store increasing amounts of personal information such as photos, bank details, family information, contact details, videos of students, medical records and health information. For this reason, it is important that school communities practise a privacy-aware culture to ensure that the collection, storage, use and disclosure of personal information about students and staff comply with the APPs.
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches are not limited to hacking or cyber attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person.
As stated in our previous article, the NDB Scheme prevents schools from concealing breaches where the breach is likely to result in serious harm to the affected person(s), i.e. what the Office of the Australian Information Commissioner (OAIC) considers to be an eligible data breach (also known as an NDB). Pursuant to section 26WE of the Act, an eligible data breach (NDB), which would require notification, occurs in circumstances where:
Examples of circumstances which may meet the criteria of an NDB include when:
The OAIC has produced new guidelines to assist organisations in Identifying Eligible Data Breaches and Entities covered by the NDB Scheme, which schools should read to understand more about their obligations regarding an NDB.
Once a school forms the view, based on reasonable grounds, that there has been an NDB, it must:
The statement must set out:
The school must notify the contents of that statement to the affected individuals (students, parents, staff etc.) as soon as practicable.
The OAIC has produced guidance on How to Notify the OAIC and a new Data Breach Response Summary, which schools should use to inform their response to an NDB.
The introduction of the NDB Scheme is something that schools need to take seriously. After 22 February 2018, monetary penalties for failing to comply with the new legislation of up to $360,000 for individuals and $1.8 million for organisations will apply. Schools should also look closely at their cyber security policies to prevent data breaches from occurring in the future, make sure their personal information handling guidelines are clear, and ensure that all staff are trained in their use.
For more information, in May 2017 CompliSpace published the briefing paper Privacy Update: Mandatory Notification of Data Breaches. This Briefing Paper summarised the new mandatory NDB Scheme requirements under the Act. CompliSpace also produced a follow-up Briefing Paper in October 2017: Privacy Update: Mandatory Notification of Data Breaches & Complaints Handling Update. The second Briefing Paper explains why your school must comply with the NDB amendments and includes a practical checklist to prepare for the changes.