From February 2018, the Privacy Act 1988 (Cth) (Act) has included the Notifiable Data Breach scheme (NDB), which introduced new obligations for both government agencies and private sector organisations.
Under the NDB, affected agencies and organisations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when they suspect there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information they hold.
We look at the NDB statistics and the proposal by the Australian government to increase penalties for breaches under the scheme.
The OAIC has released its 12 month Notifiable Data Breach Report, which revealed a 712% increase in notifications received since the scheme was made mandatory in February 2018. Let’s look at the key pieces of data and how they may affect you.
KINDS OF INFORMATION BREACHED:
Contact and financial information led the way, with identity, health, tax file number and other sensitive information rounding out the kinds of personal information involved in breaches. With advances in modern technology and the sophistication of hackers, the release of even a small piece of any of these types of information could significantly harm affected individuals.
SOURCES OF DATA BREACHES:
How data is being breached should be of significant importance to your company: the majority of breaches arose from malicious attacks and human error, with only 5% attributed to system faults.
The OAIC has defined malicious or criminal attacks as attacks deliberately crafted to exploit known vulnerabilities for financial or other gain.
By sector, health service providers reported the most breaches, with finance, legal, accounting and management services, education and personal services rounding out the top five.
The OAIC is yet to impose a fine for a breach of the scheme, despite the number of notifications they have received. Currently, under the Act, there is a maximum $2.1 million fine for the misuse of personal information by entities covered by the Act. However, the Federal Government (Government) has announced plans to increase this penalty to the greater of:
- $10 million;
- three times the value of any benefit obtained through the misuse of information; and
- 10% of a company’s annual domestic turnover.
This increase aims to build on ‘community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade’.
The proposed updated penalties will also bring Australia more in line with the General Data Protection Regulation penalty regime in the United Kingdom where the maximum penalty for a company’s breach of privacy is €20 million or 2% of that company’s annual global turnover.
We note that new legislation is set to be drafted by the Government for consultation by the end of 2019.
HOW CAN WE HELP?
McInnes Wilson Lawyers can help:
- assess your current data management plan and advise of ways to limit your exposure;
- develop or build on your data management plan that sets out the roles and responsibilities for managing data breaches;
- develop processes for data containment in the event of a potential breach;
- advise on strategies to mitigate future breaches;
- liaise with the right information technology and security experts to assist with the protection of private information; and
- advise on your exposure to penalties under the Privacy Act.