As many schools would be aware, the Notifiable Data Breach (NDB) Scheme commenced in Australia over a month ago on 22 February 2018. Since then, we have seen an ongoing issue with Facebook and Cambridge Analytica misusing personal information, as well as 31 data breach notices filed with the Office of the Australian Information Commissioner (OAIC).

Background to the NDB Scheme

A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches are not limited to hacking or cyber attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person.

As stated in previous School Governance articles, the NDB Scheme is designed to prevent schools from concealing eligible data breaches if the breach is considered to result in serious harm to the affected person(s).However, it is important to note that not all data breaches come under the Notifiable Data Breach Scheme. Keep in mind the following:

1. If remedial action is taken to contain a suspected data breach and thereby preventing the likely risk of serious harm occurring, and the action is successful, the data breach does not need to be reported.
2. If the data breach cannot be successfully remedied but it is believed that no serious harm could result, the data breach does not need to be reported
3. If you are unsure if the data breach has been successfully remedied or whether serious harm will result, but it is reasonable to suspect that it might, you have 30 days to determine this, before you need to report.

None of those factors preclude a voluntary notification by the school to the OAIC.

For more information on Notifiable Data Breaches and how to deal with them, please see here.

Facebook and Personal Information

A data breach will not only affect schools. In a stark example of personal information misuse and potential data breach, Cambridge Analytica, a data analytics firm, used personal information harvested from more than 50 million Facebook profiles without permission to build a system that could target US voters with personalised political advertisements based on their psychological profile, according to whistleblower Christopher Wylie, a former Cambridge Analytica contractor who helped build the algorithm.

The company collaborated with the developer of a Facebook app, thisisyourdigitallife. About 270,000 people downloaded the personality quiz app, which collected their profile information, as well as information from their friends' profiles, potentially affecting data harvested from over 50 million Facebook profiles. Cambridge Analytica has denied any wrongdoing and said that the business tactics it used are widespread among other firms, while Facebook ran ads in several major UK and US newspapers apologising for the data breach, and said it was investigating other applications that had access to large amounts of user data.

According to The Guardian, Facebook had been warned about its data security policies for a number of years, and had known about this particular data breach since 2015. Investigators from Britain’s data watchdog raided Cambridge Analytica’s London offices, and the main consumer protection body in the US is reported to have opened an investigation into whether Facebook has violated privacy agreements.

According to a statement from the OAIC released on 20 March 2018, they are aware of “the reports that users’ Facebook profile information was acquired and used without authorisation.” They announced on 5 April 2018 that they have launched an investigation into the incident, focusing on whether Facebook has breached the NDB provisions in the Privacy Act 1988 (Cth).

Mark Zuckerberg, the Facebook CEO, has also stated in a congressional hearing on 10 April 2018, that they "didn't take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I'm sorry." He also stated that they "didn't do enough to prevent these tools from being used for harm...That goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy." Zuckerberg was also scheduled to appear before the House Energy and Commerce Committee on 11 April 2018. Zuckerberg has also stated that the company is dealing with issues around privacy, safety and democracy in their investigation.

For schools, this is a direct example of how important policies and procedures regarding personal information handling guidelines are, and that all staff are trained in their use.

Current reporting under the NDB Scheme

Since the NDB Scheme came in operation, a recent legal update has confirmed that there have been 31 breaches reported. This number may seem alarming, and perhaps it is, but some of those notices concerned breaches which occurred before the new regime came into force, and it does suggest that Australian organisations are taking their new obligations seriously.

Shipping company, Svitzer Australia, who were alerted in March 2018 of a sustained breach in their internal email communications between May 2017 and March 2018, have also featured in the list of current breaches. The breach led to 50,000 - 60,000 internal emails being secretly forwarded to someone outside of the organisation. These internal emails may or may not have contained employee information such as tax file numbers, superannuation numbers and employees next of kin.

In addition to this update, in a recent CSO article, the personal details of approximately 150 million users of Under Armour’s MyFitnessPal app were compromised after criminal hackers acquired usernames, email addresses and hashed passwords. Although payment card data was not involved, it is likely to be one of the biggest hacks in history so far.

As stated in our previous article, once a school forms the view, based on reasonable grounds, that there has been a NDB, it must:

• prepare a statement in accordance with the Act, and
• give a copy of the statement to the OAIC as soon as practicable after the school becomes aware of the NDB.

The school must notify the contents of that statement to the affected individuals (students, parents, staff etc.) as soon as practicable.

The OAIC has produced guidance on How to Notify the OAIC and a Data Breach Response Summary which schools should use to inform their response to a NDB.

Impact of IT Security Policies

According to Australia's recent IT Security Study, nearly half of the Australian organisations who are impacted by the mandatory legislation lack suitable IT security policies, and 57% haven't completed any sort of IT risk assessment in the past year. Protecting personal information, as mandated by the NDB scheme, requires all schools to be paying attention to any mobile or Internet solutions that they are running, implementing and planning for, and conduct a risk assessment in regards to IT security.

Some of the main risk protection measures for schools could include:

• Prevention of communication interception e.g. man in the middle attacks, via public unsecured WiFi, Bluetooth, even fake cell phone towers (aka stingrays) which spoof 2G/3G/4G connections.
• Preventing physical device access through tactics such as strong password policies, enforced encryption, geo tracking and geo fencing.
• Ensuring device compliance with policies that are suited for your organisation, industry, and types of device usage. This may include enforced separation of work and personal data and apps, to reduce the risk and liability of the business.

According to an IT Brief article, 87% of the adult population in Australia uses a smartphone with 15 million Australians accessing social media on their smartphone. Schools need to be aware of the data collection inherent in the use of social media by both staff and students and ensure that their collection of personal data and its security is up to the task of compliance with the NDB Scheme.

What schools should be doing now

Privacy Awareness Week 2018 (PAW) is celebrated in Australia from 13-18 May 2018. An initiative started by Asia Pacific Privacy Authorities back in 2006, PAW has been held every year to promote and raise awareness for numerous privacy issues and the importance of protecting personal information. And combined with the introduction of the NDB Scheme, it reinforces the message that this something that schools need to take seriously. Monetary penalties for failing to comply with the new legislation are up to $360,000 for individuals and $1.8 million for organisations. And, as the issues with personal information access via Facebook show, schools should also look closely at their cyber security policies to prevent any data breaches from occurring in the future and make sure their personal information handling guidelines are clear and all staff are trained in their use.