
Education Ranked Third-most Likely Sector for Privacy Breaches

3/03/21

The Australian Privacy regulator, the Office of the Australian Information Commissioner (OAIC), has published its bi-annual report on privacy breaches, naming the education sector as the third-most likely source of reports of privacy breaches, after health and financial services.

While this may be more a function of which sectors are more likely to make a report rather than which had the most privacy breaches, it is a given that huge amounts of personal information, including very sensitive information, ‘floats around’ an average school. It is almost inevitable that there will be lost laptops with personal information, missent emails, appropriate consents not being obtained, not to mention hacking by enterprising students or malware.


Background

The Notifiable Data Breach (NDB) scheme is one way of holding organisations accountable for ensuring that they have effectively implemented the privacy protections required by the 13 Australian Privacy Principles (APPs).

As non-government schools will know, amendments to the Commonwealth Privacy Act in February 2018 introduced the NDB scheme. The scheme introduced responsibilities for organisations that handle personal information to have a procedure and structure in place to address data breaches promptly (Data Breach Response Plan) in order to reduce the risk of serious harm to individuals whose information was, or may be, disclosed. Where an organisation is unable to prevent the data breach from giving rise to a risk of serious harm to individuals (and the definition of “harm” includes financial, psychological, reputational and physical harm), the organisation must notify the affected individuals and the OAIC.

The notification to individuals must include recommendations about any steps that the individual should take in response to the data breach such as changing their password. The OAIC will then monitor the situation to ensure that the organisation takes the appropriate steps.


What Obligations Do Schools Have?

As previously reported, the NDB scheme introduced in February 2018 was intended to embed the privacy obligations mandated in the Privacy Act and the Australian Privacy Principles. The key requirements under the NDB scheme are that schools must:

  • have a Data Breach Response Plan in place
  • report any breach to affected individuals and the OAIC.

Under section 26WE of the Privacy Act, an NDB occurs when:

  • there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
  • information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.

Organisations are required to notify the individuals and the OAIC within 30 days of becoming aware of the breach.

Schools should ensure that they are familiar with the OAIC guidelines for identifying eligible data breaches and entities covered by the NDB scheme. Schools should also familiarise themselves with how to make a notification to the OAIC, using the guidelines on How to Notify the OAIC and the OAIC’s Data Breach Response Summary.

A school, once aware of an NDB, must prepare a statement in accordance with the Privacy Act and provide it to the OAIC, containing:

  • the identity and contact details of the school
  • a description of the NDB
  • the kind of information concerned
  • recommendations about the steps that individuals should take in response to the NDB.


The December 2020 Report

In early 2021, the OAIC published its bi-annual Notifiable Data Breaches Report, compiling and analysing all the breach notifications received from July to December 2020. Overall notifications to the OAIC rose by 5 per cent compared to the preceding six-month period. Malicious and criminal attacks constituted the main cause of all reported NDBs (58 per cent) and human error was the second largest cause, increasing from 34 per cent of all notifications in early 2020 to 38 per cent.

However, in the education sector (which includes non-government schools), the main cause of NDBs was human error, making up 25 of the 40 NDBs in this sector. Only 13 NDBs related to malicious or criminal attacks and two NDBs related to system failures. The types of human errors leading to NDBs detailed in the Report include:

  • sending emails to the wrong person containing personal information
  • unintentionally releasing or publishing personal information
  • failing to use bcc in group emails.

While the overall number of NDBs in the education sector decreased in the second half of 2020 from the first half (40 compared to 44), the number of ‘human error NDBs’ increased compared to the previous six months: 62 per cent of all education sector NDBs in the second half were related to human error compared to 52 per cent in the first half. The Report speculated that the increase could be attributed to the greater risks of data breaches from COVID-related flexible and working-from-home arrangements, although it could not find any definitive evidence.


What Should Schools Be Doing to Prevent NDBs?

As a first step, schools should identify the personal information that they collect and hold, then review the measures in place to protect it.

APP 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Protecting personal information includes considering physical security, cyber security, and awareness and training of staff. It also involves looking at the risk points where information can be accidentally disclosed, such as those highlighted by the OAIC Report – for example, missent emails, not using ‘bcc’ on group emails, and protecting personal data on lost or stolen equipment.

Another critical measure is having a Data Breach Response Plan so that all staff know who to notify as soon as they become aware of an actual or suspected data breach. Usually this will be the school’s IT department and Privacy Officer, who will then notify the school executive. If this notification is immediate, it increases the chance that the data breach can be minimised (by changing passwords or notifying banks) or even eliminated (if the IT department remotely wipes the data on a lost phone). With increased flexible working arrangements, schools should heighten their vigilance and continue to ensure that staff and systems are equipped to prevent NDBs, whether through training or system maintenance.

Schools should ensure that staff are aware of these risks and are encouraged to be careful to avoid these common pitfalls where possible.
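One of the risk points the OAIC Report highlights, exposing a whole group's addresses by placing them in To/Cc instead of Bcc, can be caught before a message leaves the school. The check below is an added example written for this article, not code from the article, the OAIC or CompliSpace; the school domain, the recipient threshold and the sample message are all constructed assumptions.

```python
"""Added example: flag outbound group emails whose external recipients
are visible to one another (To/Cc) rather than hidden (Bcc).
The domain, threshold and sample message below are constructed."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a notice to several parents addressed in To/Cc,
# with one internal staff member copied in.
SAMPLE_MESSAGE = """\
From: office@example-school.edu.au
To: parent1@example.com, parent2@example.org
Cc: parent3@example.net, counsellor@example-school.edu.au
Subject: Year 7 camp medical forms

Please return the attached forms by Friday.
"""


def external_visible_recipients(raw, school_domain):
    """Return the To/Cc addresses outside school_domain, i.e. the
    parent/third-party addresses every recipient of this message can see."""
    msg = message_from_string(raw)
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    suffix = "@" + school_domain.lower()
    return [a.lower() for _, a in addrs if a and not a.lower().endswith(suffix)]


def check_group_email(raw, school_domain, threshold=2):
    """Return a list of findings (empty means the message passes).

    A finding is raised when more than `threshold` external addresses are
    visible in To/Cc; the fix is to move them to Bcc or send individually.
    `threshold` is an assumed policy value, not taken from the article."""
    visible = external_visible_recipients(raw, school_domain)
    findings = []
    if len(visible) > threshold:
        findings.append(
            f"{len(visible)} external recipients visible in To/Cc "
            f"(limit {threshold}); move them to Bcc or send individually"
        )
    return findings


if __name__ == "__main__":
    for finding in check_group_email(SAMPLE_MESSAGE, "example-school.edu.au"):
        print("WARNING:", finding)
```

Run as a mail-gateway or send-button hook, this turns the report's most common education-sector error into a blocked or warned-about message instead of a notifiable breach.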

About the Author

CompliSpace

CompliSpace is Ideagen’s SaaS-enabled solution that helps organisations in highly-regulated industries meet their governance, risk, compliance and policy management obligations.
