
Privacy Slips and Safety Nets

2/05/24

The Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), conducts and publishes a periodic survey of the notifications it has received under the Notifiable Data Breach scheme. For those of you who may have forgotten, a data breach (an “eligible data breach”) must be reported to the OAIC (and to affected individuals) if a school becomes aware of, or suspects, a data breach has occurred and:

  • personal information has been lost, or accessed or disclosed without authorisation
  • it is likely to result in serious harm to one or more individuals
  • the school has not been able to prevent the likely risk of serious harm with remedial action.

Serious harm may include serious physical, psychological, emotional, financial, or reputational harm.


Causes of Data Breaches

In the latest survey conducted by the OAIC covering the period July to December 2023, reporting of notifiable data breaches increased by 19 per cent, with 483 notifications. The top five industry sectors to report data breaches, in order, were health service providers (with almost a quarter of the notifications), finance, insurance, retail and the Australian Government.

The sources of the data breaches were:

  • Human error – 30%
  • Malicious or criminal attack – 67%
  • System fault – 3%

Almost half of the human error breaches were as a result of personal information being sent to the wrong recipient, either by email (the majority) or by mail. Unintended release or publication of personal information accounted for 20 per cent. Other breaches resulted from loss of paperwork or data storage device, unauthorised verbal disclosure, or failure to use BCC when sending emails.

The greatest increase in data breach categories was in data breaches attributed to human error; these increased by 36 per cent from the previous survey. Malicious or criminal attacks increased by 12 per cent.

Cyber security incidents accounted for 44 per cent of data breaches, with phishing, compromised or stolen credentials, and ransomware accounting for over 80 per cent of these incidents. The remainder of cyber security incidents were a result of hacking (10 per cent), malware (five per cent) and brute force attack (three per cent).


Preparing for the Inevitable - Data Breach Response Plan

A school should have a data breach response plan and procedures in place to respond quickly and effectively should a data breach occur. If employees know who to contact if a data breach occurs, and the responders are familiar with potential strategies for containing or remediating a common data breach, this could help stop or minimise the harm or damage from the breach.

The plan should also include:

  • any specialist resources that could be called on to assist with containing the data breach
  • who should conduct an investigation and assessment of the extent and likelihood of harm
  • any additional resources which may be required to investigate or assess the impact of the data breach to determine whether it is likely, or not likely, that serious harm may result
  • which external parties should be notified (e.g., police, insurers, cybersecurity agencies, and lawyers) and when they should be notified
  • who will make the decision to notify those external parties
  • who will be responsible for communicating with affected individuals, and what will trigger the communication
  • how affected individuals will be contacted
  • who will make the decision that it is likely to be an eligible data breach and that the OAIC and affected individuals should be notified
  • review procedures after the incident has been finalised, to identify any changes required to policies and procedures.


Once a Data Breach Occurs

Once someone in the school becomes aware of a data breach, this should trigger the school’s data breach response plan. Containing the breach becomes the first priority. Remember that if a data breach that could cause serious damage is remediated so that there is no longer a risk of serious harm, then this is no longer an “eligible data breach”, and so does not need to be notified to the OAIC.

If the school is aware that a data breach has occurred and there are reasonable grounds to suspect (rather than actually believe) that the data breach may cause serious harm, it is required to carry out a “reasonable and expeditious assessment” to determine whether there are reasonable grounds to believe that an eligible data breach has actually occurred. This situation could arise, for example, if there is evidence that there has been unauthorised access to personal information, but the school is not yet aware of whether this is likely to cause serious harm.

The school must take all reasonable steps to conclude the investigation within 30 days. At that point, the school should be able to conclude whether the breach must be notified or not. The OAIC is very strict in requiring an organisation to investigate and carry out the assessment as soon as possible, and not wait until the end of the 30 days to make its decision on whether to notify.


Notifying the OAIC and Affected Individuals

The school must notify those individuals who are at risk of serious harm as a result of the data breach. It may also choose to notify all affected or potentially affected individuals. It is highly recommended that individuals are notified early instead of waiting until a full investigation and assessment has concluded, as this may also assist in mitigating damage or harm by enabling the individuals to take defensive action. The school is required to provide any advice on what those individuals could themselves do to reduce the risk of harm, for example, by changing passwords.

The content of the notification to the OAIC and to affected individuals is very specific and set out in legislation.

If it is not practicable for the school to notify each affected individual then the school is required to publish a statement on its website and take reasonable steps to publicise its contents. The information on the website must contain at least the same details as those provided to the OAIC.

Serious penalties apply for failing to comply with any of the requirements relating to the investigation, assessment, timelines, and notification.


Additional Cyber Security Support

The Australian Cyber Security Centre is the Australian Government’s technical authority on cyber security. It is designed to provide a single point of advice and assistance on cyber security. The Centre’s support includes a 24-hour Australian Cyber Security Hotline (1300 292 371), technical advice and assistance in the case of cyber security incidents, and the publication of alerts, technical advice, advisories and notifications on significant cyber security threats.


Next Steps for Schools

A school must:

  • ensure that employees are conscious of their obligations to take care with personal information, and in particular, to check the recipient carefully before sending personal information by email
  • ensure that employees are aware of who to notify if a data breach occurs
  • have an up-to-date data breach response plan
  • obtain advice, if required, to ensure that its cyber security is the best it can afford.

About the Author

Svetlana Pozydajew

Svetlana is Principal Consultant Workplace Relations at Ideagen CompliSpace. She has over 25 years of experience in strategic and operational human resource management, workplace health and safety, and the design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds an LLB, a Masters in Management (MBA), a Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.
