Various law enforcement bodies have been hard at work since the Optus data breach became known at the end of September and, with the subsequent Woolworths and Medibank data breaches, it appears that almost every regulatory and advisory federal body is now involved. The federal privacy regulator, the Office of the Australian Information Commissioner (OAIC), launched its own investigation into the Optus data breach focusing on compliance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Organisations with a turnover of $3 million or more, or that are deemed to be a health service provider, must comply with the Privacy Act.
The various investigations will provide a gold mine of insights and lessons but the OAIC has already commenced publishing information on how organisations should review and address their own policies, procedures and practices to reduce the risk of huge reputational and financial damage arising from a badly managed data breach.
The most basic step in reducing the risk of a data breach and complying with the Privacy Act is to avoid collecting personal information that you don’t really need. An audit of the personal information that your school collects and maintains is a very good idea in order to obtain an understanding of the size of your privacy risk.
One of the issues brought to light as a result of the Optus breach was the type of personal information that Optus retained and whether it was really necessary to do so. Electronic data storage has enabled vast amounts of records to be retained almost indefinitely. This capability makes it extremely tempting for very prudent risk managers to keep records indefinitely. In the past, storing paper files in archives at least forced some review of documentation as the need to find and pay for storage space would act as a deterrent to permanent retention. However, APP 11 requires an organisation to only keep information for as long as necessary to satisfy the reason for which it was collected (and any legislative requirements). It also requires the information that it holds to be current and correct (APP 10).
Developing a records management policy that provides guidance about when information is no longer required will go a long way towards satisfying both APPs 10 and 11. Of course, some discretion must be built into the policy to address personal information that should be kept for a longer period, for example, where there may be a reasonable risk of litigation in the future. Child abuse cases have shown us that some personal (and organisational) information should be kept almost indefinitely.
The Privacy Act requires organisations that hold personal information to have a plan to manage data breaches. Where a breach is likely to result in a risk of serious harm to any of the individuals whose personal information is involved, it is mandatory for the organisation to notify affected (or potentially affected) individuals and the OAIC. In the context of data breaches, “harm” is quite broadly defined to include serious physical, psychological, emotional, financial or reputational harm.
Each organisation is required to have a data breach response plan which essentially consists of:
Each breach is likely to be a little different but having a clear plan communicated to employees about who to contact and when, once they become aware of, or suspect that there has been, a data breach is key to improving the chances of containing the breach. It is particularly important to build a level of trust so that employees will report their concerns rather than hide a data breach because of a fear of repercussions.
Not all data breaches are going to have serious consequences and so not all data breaches will need to be reported. However, as with most dealings with regulators, the sooner you let them know that there is a problem the more likely they will be able to assist you (you are unlikely to be the first organisation coming to them with a particular problem). It is probably even more important for individuals affected by the breach to be advised as soon as possible together with measures that your school is taking, and possible measures that the individual can take, to mitigate the risk. Note that individuals and regulators may become very annoyed if they only become aware of a problem late in the piece.
We will leave it to the experts to provide insights on the technical aspects of preventing hacking learned from the various breaches, but it is important to remember that human error is one of the leading causes of data breaches. Schools can reduce this risk with regular cybersecurity training for employees to help them identify cybersecurity threats such as phishing. They should also place a strong emphasis on password protection: enforcing password resets at regular intervals, educating employees not to use simple, easily predictable passwords, not sharing passwords, and configuring company laptops and desktops to lock automatically and require a fresh login after a period of keyboard inactivity.
The Australian Cyber Security Centre (ACSC) has emerged as a particularly useful government agency for assisting organisations and individuals in managing cybersecurity and responding to incidents of cybercrime.
This element has not been placed last as a matter of priority but because it encompasses all of the issues that have been raised above. Employees should be regularly provided with learning in various formats to reinforce the following: