The Australian Privacy regulator, the Office of the Australian Information Commissioner (OAIC), has published its bi-annual report on privacy breaches, naming the education sector as the third-most likely source of reports of privacy breaches, after health and financial services.
While this may be more a function of which sectors are more likely to make a report than of which had the most privacy breaches, it is a given that huge amounts of personal information, including very sensitive information, ‘floats around’ an average school. It is almost inevitable that there will be lost laptops holding personal information, missent emails and consents that were not obtained when they should have been, not to mention hacking by enterprising students or malware.
The Notifiable Data Breach (NDB) scheme is one way of holding organisations accountable for ensuring that they have effectively implemented the privacy protections required by the 13 Australian Privacy Principles (APP).
As non-government schools will know, amendments to the Commonwealth Privacy Act in February 2018 introduced the NDB scheme. The scheme introduced responsibilities for organisations that handle personal information to have a procedure and structure in place to address data breaches promptly (Data Breach Response Plan) in order to reduce the risk of serious harm to individuals whose information was, or may be, disclosed. Where an organisation is unable to prevent the data breach from giving rise to a risk of serious harm to individuals (and the definition of “harm” includes financial, psychological, reputational and physical harm), the organisation must notify the affected individuals and the OAIC.
The notification to individuals must include recommendations about any steps that the individual should take in response to the data breach such as changing their password. The OAIC will then monitor the situation to ensure that the organisation takes the appropriate steps.
As previously reported, the NDB scheme introduced in February 2018 was intended to embed the privacy obligations mandated in the Privacy Act and the Australian Privacy Principles. The key requirements under the NDB scheme are that schools must:
Under section 26WE of the Privacy Act, an NDB occurs when:
Organisations are required to notify the individuals and the OAIC within 30 days of becoming aware of the breach.
Schools should ensure that they are familiar with the OAIC guidelines for identifying eligible data breaches and entities covered by the NDB scheme. Schools should also familiarise themselves with how to make a notification to the OAIC, using the guidelines on How to Notify the OAIC and the OAIC’s Data Breach Response Summary.
A school, once aware of an NDB, must prepare a statement in accordance with the Privacy Act and provide it to the OAIC, containing:
In early 2021, the OAIC published their bi-annual Notifiable Data Breaches Report, compiling and analysing all the breach notifications received from July to December 2020. Overall notifications to the OAIC rose by 5 per cent compared to the preceding six-month period. Malicious and criminal attacks constituted the main cause of all reported NDBs (58 per cent) and human error was the second largest cause, increasing from 34 per cent of all notifications in early 2020, to 38 per cent.
However, in the education sector (which includes non-government schools), the main cause of NDBs was human error, making up 25 of the 40 NDBs in this sector. Only 13 NDBs related to malicious or criminal attacks and two NDBs related to system failures. The types of human errors leading to NDBs detailed in the Report include:
While the overall number of NDBs in the education sector decreased in the second half of 2020 compared with the first half (40 compared to 44), the number of ‘human error NDBs’ increased compared to the previous six months: 62 per cent of all education sector NDBs in the second half were related to human error, compared to 52 per cent in the first half. The Report speculated that the increase could be attributed to the greater risk of data breaches arising from COVID-related flexible and working-from-home arrangements, although it found no definitive evidence for this.
As a first step, schools should identify the personal information that they collect and hold, then review the measures in place to protect it.
APP 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Protecting personal information includes considering physical security, cyber security, and awareness and training of staff. It also involves looking at the risk points where information can be accidentally disclosed, such as those highlighted by the OAIC Report – for example, missent emails, not using ‘bcc’ on group emails, and protecting personal data on lost or stolen equipment.
Another critical measure is having a Data Breach Response Plan so that all staff know whom to notify as soon as they become aware of an actual or suspected data breach. Usually this will be the school’s IT department and Privacy Officer, who will then notify the school executive. Immediate notification increases the chance that the data breach can be minimised (by changing passwords or notifying banks) or even eliminated (if the IT department remotely deactivates or wipes the data on a lost phone). With increased flexible working arrangements, schools should pay heightened and continuing attention to ensuring that staff and systems are equipped to prevent NDBs, whether through training or system maintenance.
Schools should ensure that staff are aware of these risks and are encouraged to be careful to avoid these common pitfalls where possible.