Just under four months ago, the Australian Notifiable Data Breach (NDB) Scheme commenced. The NDB Scheme requires organisations covered by the Privacy Act 1998 (Cth) (Privacy Act), including most non-government schools, to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm (which are referred to as ‘eligible data breaches’). Entities must also notify the Office of the Australian Information Commissioner (OAIC) about eligible data breaches.
The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, emphasised the importance of data breach notifications, saying that they give individuals “the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts”, thereby reducing the overall impact caused by a data breach.
Multiple previous School Governance articles have focused on the steps that schools needed to take to prepare themselves for the commencement of the NDB Scheme, including updating privacy training and reviewing cyber security policies. We have also commented on the data breaches which continue to dominate media headlines, most recently through the ongoing Facebook and Cambridge Analytica scandal.
But with the release of the first OAIC quarterly report on data breach notifications, and another high-profile security incident being disclosed by HR software company PageUp, schools should be reviewing their privacy and cyber security framework to assess the effectiveness of their privacy, security and information-handling arrangements.
The First Quarterly Data Breach Report
On 11 April, the OAIC published the first quarterly report on data breach notifications received under the new NDB Scheme, as mentioned in our previous School Governance article. During the first six weeks of the scheme’s operation, the OAIC received 63 data breach notifications. By comparison, over the 2016-17 financial year, 114 voluntary notifications were received.
Health service providers made the largest proportion of notifications over the quarter, accounting for 24% of the total. Six notifications came from the private education sector, which constituted 10% of the overall number. It is not clear whether any, or how many, non-government schools were included in that number.
The statistic regarding health service providers is an interesting one, given that schools also hold a large amount of health information of students and staff. Health information is a subset of sensitive information under the Privacy Act, meaning that it attracts greater legislative protections than other personal information. It has been reported that many healthcare providers are still unclear on the scope of their obligations under the NDB Scheme or the risks associated with the information they hold.
Fortunately, 20 of the overall data breach notifications affected only one person, and 90% of the notifications involved the personal information of fewer than 1000 individuals. But while only a small proportion of the breaches involved thousands or tens of thousands of people, at the upper end this could translate to the information of over 300,000 people being affected. There were three cases in which the information of 10,000-99,999 people was compromised, but the quarterly report did not elaborate on the origins or the outcomes of those three cases.
The PageUp Security Incident
PageUp is an international human resources firm, providing talent management software to large companies around the world, with prominent customers such as the Commonwealth Bank, Telstra, Coles, a number of leading universities including Melbourne and Macquarie, and even the Reserve Bank of Australia.
On 5 June, PageUp provided an information update revealing that it had detected ‘unusual activity’ on its IT infrastructure during May, which it attributed to a malware infection. PageUp suggested that this may have compromised some client data, but stated that there were no active system threats and that its job boards were safe to use.
This information was expanded upon in a full statement on 12 June 2018, revealing that PageUp were communicating with various international authorities including the OAIC and the UK Information Commissioner’s Office. Applicants and employees with specific concerns have been advised to contact the company they lodged their application with.
As a result of the alleged data breach, many large businesses have suspended or temporarily removed their job boards, and urged job applicants to monitor their personal affairs for any unusual activity, despite PageUp’s assertion that there is no active threat.
Based on the limited information available, it is likely that this security incident amounts to an eligible data breach, exposing the data of many large organisations to privacy and confidentiality risks. This is largely due to the personal and sensitive nature of employment and recruitment information, meaning that unauthorised access to, or disclosure of, this information could result in serious harm to one or more persons.
The NDB Scheme requires the organisation with the most direct relationship with affected individuals to comply with the NDB Scheme’s notification requirements, such as by filing a data breach statement with the OAIC and notifying affected individuals.
However, in a joint statement, the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and IDCARE have supported PageUp's response to the incident, commending its transparency and engagement with affected organisations. The statement also noted that even though personal data may have been accessed, this data would have been of limited value, which may suggest that the incident was not an eligible data breach (that is, one requiring mandatory notification if it could not be remedied).
What Do the Quarterly Report and the PageUp Incident Mean for Schools?
It is not clear whether any non-government schools are PageUp customers, but if they are, they will need to give the required data breach notices if they assess the PageUp security incident to be an eligible data breach. Regardless of this, all schools should be considering whether their cyber security infrastructure is sufficient to defend against cyber attacks and is being monitored for any suspicious activity and potential data breaches.
The alleged PageUp incident seems to have been caused by a malicious criminal attack. However, according to the OAIC’s quarterly report, malicious or criminal attacks were the source of less than half of the overall breaches reported in the quarter. The largest source of data breaches was in fact human error, which covers inadvertent disclosures such as sending a document that contains personal information to the wrong recipient. According to Angelene Falk, this fact indicates how important it is to implement “robust privacy governance alongside a high-standard of security”.
The risk of a data breach occurring at a school can be greatly reduced by implementing risk mitigation practices such as performing Privacy Impact Assessments and information security risk assessments. It is also key to train any school staff that are responsible for handling personal information and managing records of that information.
By taking these steps, schools will be responding to both major forms of data breach, reinforcing their privacy and cyber security frameworks to promote the security of students’ and staff members’ personal information.