Privacy is becoming an increasing risk for organisations, including those in the education sector. 

This article by Moores’ privacy expert Cecelia Irvine-So first appeared in the Belonging Early Years Journal.

In 2018, Australia saw the introduction of the Notifiable Data Breach (NDB) Scheme and the prevalence of data breaches became clear. In the Office of the Australian Information Commissioner’s (OAIC) second quarterly report of the NDB Scheme, a total of 242 breaches were reported from 1 April to 30 June 2018.

The education sector was listed as the fourth most likely sector to suffer a data breach in the OAIC second quarterly report. Early learning providers are bound by the National Quality Standards (the Standards), as well as the Australian Privacy Principles (APPs). Data security falls under Standard 7, relating to governance and leadership.

Early learning providers also have data security obligations under privacy laws in order to prevent data breaches. This article will set out the basics of privacy and outline an organisation’s data security obligations with a focus on the ECEC sector.

What is privacy?

Privacy is a set of principles protecting the collection, use, disclosure, storage and destruction of personal information. An early learning provider is likely to hold children’s health information such as allergies, medical conditions, disabilities, and medications – a type of information that is particularly sensitive.

Both personal information and sensitive information must be carefully secured by early learning providers to prevent data breaches and protect an individual’s privacy.

Most early learning providers are bound by the Privacy Act and APPs because they have a turnover of $3 million or more (or are part of a larger organisation with a turnover of $3 million or more).

Early learning providers need to be across all the privacy principles in order to appropriately and securely store privacy data. Most importantly, early learning providers will need:

  • a privacy policy that not only complies with legislation, but that also realistically reflects operations
  • a data breach response plan to follow in the event of a privacy or data breach
  • practices, procedures and systems that will ensure compliance with the law.

Penalties of up to $1.8 million apply for companies that have a privacy breach.

Data breaches

Since February 2018, all companies that are required to comply with the Privacy Act must also prevent data breaches, and report any eligible data breaches that occur to the regulator.

The regulator’s recent report highlighted the main causes of data breaches. The majority of breaches were caused by malicious or criminal activity (59 per cent) or human error (36 per cent). The most common examples of malicious or criminal activity were:

  • cyber incidents, including phishing, malware, ransomware, brute-force attack, compromised or stolen credentials, and hacking
  • theft of paperwork or storage device
  • rogue employee/insider threat.

Human error was a key source of data breaches.

The most common errors were:

  • sending an email with personal information to the wrong person, or accidentally pressing ‘reply all’ or forgetting to Bcc
  • lost laptops, removable storage devices and paper records
  • employees accidentally accessing or disclosing personal information outside of the requirements of their employment.

How to respond to breaches

Only eligible data breaches need to be reported. Therefore, you need to be equipped to consider, in the event of a breach, whether the breach is ‘eligible’.

An eligible data breach arises when:

  • there is unauthorised access to, or disclosure of, personal information, or a loss of personal information, that an entity holds
  • this is likely to result in serious harm to one or more individuals
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

Your data breach response plan should contain the following elements:

  • containment and assessment
  • evaluation
  • notification – if required, the affected individuals and the OAIC should be notified. Even if the data breach is not notifiable, the organisation may still need to notify other stakeholders such as its insurance company, board members, and/or service provider
  • review and prevention.

Record keeping

Record keeping is an important aspect of data security and privacy compliance. Privacy legislation requires the destruction of personal information that is no longer needed. Equally, you must retain information you are required to keep!

Conclusion

As privacy and data security become an increasing concern, it is important that organisations prioritise action in relation to both prevention and response.

Assess which scheme or legislation applies to your organisation.

Review your privacy policy to ensure that it is tailored to your needs and compliance requirements.

Create a data breach response plan to ensure swift action to mitigate risk, including:

  • legislative requirements to contact individuals affected
  • steps for potential remedial actions to prevent serious harm eventuating
  • when data breaches need to be reported and the process for reporting
  • creating templates for notifications and external communication.

Provide training to your staff on your privacy policy and data breach response plan as well as when data breaches need to be reported. Review your service provider agreements and other information sharing arrangements to help you understand the responsibilities and rights of each party.

Early learning providers are uniquely placed in holding the sensitive information of young children and families. While privacy can seem like a daunting topic, taking an active approach can allow early learning providers to set themselves apart as leaders in the sector and ensure protection of families’ data.

How we can help

As a privacy expert and practice leader in the Corporate Advisory Team at Moores, Cecelia Irvine-So has significant experience working with education and early childhood clients, helping them prevent data breaches and respond if they do occur. For more information, please do not hesitate to contact us.

The ATO’s benchmark rates for “market rent” have changed. Here’s why it matters.

The basic rule

Non-commercial supplies made by charities are GST-free.

For a housing agency, rent must be set below 75% of the market rent to be non-commercial and therefore GST-free. 

When a housing agency makes GST-free supplies, it can claim input tax credits for all the GST spent in making the supply. This allows a housing agency to claim back all the GST it spent on a new development, or purchase of new residential property. This is a significant economic advantage for NFP charitable housing agencies.

As an aside, that is also why a charitable housing agency should never purchase brand new residential property using the GST margin scheme.  The GST margin scheme prevents the purchaser from claiming any input tax credits.

Less than 75% of market rent

DHHS and the Victorian Housing Registrar have rent-setting policies. But the ATO threshold (less than 75% of market rent) matters too – if rents cross this threshold, GST input tax credits are put in jeopardy.

Obviously, market rent differs from property to property. This creates some difficult work in administering the many (sometimes thousands) of dwellings under management. You don’t have to obtain a sworn valuation in relation to each property, but you must have a sound basis for working out market rent in relation to each property.

The ATO requires ‘market value’ to be worked out by either:

  • using ATO market value benchmarks; or
  • applying the following successive tests:
    • The ‘same supply’ test – where there is another person in the market making the same supply, you can use that supply as a market value benchmark.  This would allow you to benchmark against identical dwellings.  However, identical dwellings are rare.
    • The ‘similar supply’ test – where there is no identical supply, you may benchmark against dwellings which are sufficiently similar.  For housing, this would look at similarities in size, quality, features, location and lease conditions.  Comparison should be against private rental, not other affordable rental property.
    • Other methodology – where no similar supply can be identified, charities can ask the ATO to approve an alternative methodology.  It would be surprising to find this approach in housing, since similar supplies are almost always available.

What is the catch with ATO benchmark rates?

ATO benchmark rates are convenient, but arbitrary. They are now divided into geographic areas, with different benchmark rates set for each area. Previously, benchmark rates were just set on a capital city basis.

Where a housing agency was relying on generous ‘Melbourne’ benchmark rates previously, some properties may now fall into other geographic categories with different (lower) benchmark rates. The benchmark rate may fall far enough to cause your current rental to exceed 75% of the benchmark rate for some properties.

What should I do?

If you rely on market values, you don’t need to do anything in response to the benchmark rates. However, you should be reviewing and re-setting your market values for properties on an annual basis.

If you rely on benchmark rates, you should:

  1. Review the new benchmark rates and re-categorise your properties into the relevant geographic areas.  Look for instances where your current rents exceed 75% of the new benchmark rates.
  2. Where you find anomalies, look to actual market rates (similar supply test) to verify whether you are charging in excess of 75% of the market rent.
  3. Make sure you’re not charging more than 75% of the market rent.

Contact us

Please contact us for more detailed and tailored help.


ACNC data tells us that total charity assets sit around $200 billion. Small charities (with annual turnover less than $250k) hold the majority of those assets – around $170 billion. However, those small charities represent only 1.4% of annual charity income.

It comes down to this – there are plenty of charities that are asset rich and income poor. And insufficient reliable income is often a restraint on how much a charity can do in achieving its mission.

The community (and charity law) expects charities to use their assets to further their charitable purposes. The big questions for these asset-rich charities seem to be “are we doing enough?” And “how could we do more with what we have?” It is a high order governance question.

Plenty of charities are in the enviable position of having a large asset base in real estate. For those who are “land rich” in that sense, here are a few ideas to ponder as you ask yourself the question “how could we do more with what we have?”

  1. Consider selling lazy land.

    If lazy land is doing nothing for your mission and you have no foreseeable need to grow onto it, turn it into something useful. But before you do, consider whether you can add value to the land (lift covenants, obtain permits, create separate access, etc). Make the most of what you have.
     
  2. Consider leasing lazy land or underutilised spaces.

    Identify ways to permanently free up space and obtain an income stream. Car parks, office spaces, even vacant land can attract a rental. Hiring arrangements can also produce good outcomes – a ballet school can operate without owning buildings, and might even use the church hall more hours per week than the church itself! Think about whether there might be people or organisations who would be a great strategic fit in your spare space.
     
  3. Develop for sale.

    Some charities hate the thought of selling dirt to a developer, so want to develop their property prior to sale. You were cash poor, remember? Are you borrowing to pay for this? This is sometimes appropriate but requires serious consideration of skill, capacity, financial risk and project management. Don’t jump into property development simply because you have a board member who has some experience in the field.
     
  4. Develop for lease.

    A charity may want to improve its property and make it suitable for creating rental income. This may be appropriate, but beware the vortex of becoming a ‘property management charity’ over time. You should have a sound business case for this kind of venture and a clear exit plan if you ever need to regain that space for your own charitable use.
     
  5. Develop for joint use.

    Property can often be developed for blended use. If you’ve got spaces that will have regular short-term use, then you’re starting a business – have a business plan. If you’re developing for a specific partner and its needs, then your partner might put money towards the development, but will want something in return (long tenure, an agreed buy out if they leave early, equity in the property, etc).  Whatever you do, don’t go into a venture like this without knowing what it might look like when it ends. All lease arrangements come to an end at some point.
     
  6. Swap land for buildings.

    That’s right, it can be done.  It’s a variation on option 1 – exchange some spare land for new buildings which can better serve your purposes. These are bespoke arrangements and things can get really creative. This is not nirvana, but can save significant transaction costs and planning risks. Just don’t forget to measure the value of the land you’re giving up vs the value of the buildings you have been promised.
     
  7. Use the air space above you.

    The basic concept here is to partner with a developer to completely rebuild your site, giving back to you a brand new building far better than you had before. The developer keeps building above you and sells the rest of the building into the market (as apartments, office, etc). A profit share arrangement should be on the table in this discussion. The sky’s the limit – subject to council approval.
     
  8. Make your property available for a different charitable use.

    Sometimes the cause should trump the financial returns. After all, charities are primarily about mission, not profit. Consider using the unoccupied manse for affordable housing. Give a 99 year ground lease to a charity and allow them to build on your site. Make some space available for crisis shelter during the winter. Stay open to the possibility of being a partner with another suitable charity.

If your Church or Charity would like to discuss a potential opportunity, please do not hesitate to contact us.

Masking racism as “banter” won’t cut it anymore says the Fair Work Commission

In this update, we look at whether racist comments in the workplace can constitute serious misconduct warranting dismissal.

Background

StarTrack Express Pty Limited (StarTrack), Australia’s largest parcel delivery service provider, successfully defended an unfair dismissal claim in the Fair Work Commission (FWC) because it was able to prove that the dismissal of an employee was not harsh, unjust or unreasonable.

StarTrack’s position

StarTrack submitted that it had found that Mr Michael Taylor (an employee of StarTrack for 17 years) had used the following racial slurs in the workplace:

  • “towel head”;
  • “coconuts”;
  • “gooks”;
  • “put the pallet over there you black c***”
  • “go back where you came from you black c***”
  • “fuck off to where you came from”; and
  • “row your canoe back home you fucking c***”.

After making the above finding, StarTrack provided an opportunity for Mr Taylor to respond, and then proceeded to terminate his employment on the grounds of serious misconduct.

In light of the findings around Mr Taylor’s conduct, and the process it undertook during the investigation, StarTrack submitted that the dismissal was not harsh, unjust or unreasonable.

In response, the Transport Workers’ Union of Australia (TWU), on behalf of Mr Taylor, argued that Mr Taylor engaged in “well-meaning workplace banter which was not intended to offend but rather to entertain” and argued that no individual had actually complained about his comments. Furthermore, the TWU argued that the termination was excessive because casual swearing and racial slurs were commonplace in this workplace, and that this language was enjoyed by others.

FWC says the actions did not constitute an unfair dismissal

Ultimately, the FWC held that the dismissal was not harsh, unjust or unreasonable because:

  • “a line is crossed when race or ethnicity is included in any communication with co-workers”;
  • the argument that the comments were well-intentioned “does not provide a defence or justification for conduct that is fundamentally unacceptable”; and
  • the employee had “failed to comprehend or even remotely understand the fundamental malfeasance of his conduct”.

Furthermore, Commissioner Cambridge was very critical of the TWU’s arguments in favour of Mr Taylor. On this point, Commissioner Cambridge stated:

The attempt to defend or otherwise justify the applicant’s use of racially offensive language on the basis that the applicant didn’t believe that it was harmful, and that no one had complained, is an approach that has regrettable and disturbing parallels with the recent exposure of incidents of sexual harassment in the employment context, and which has created what is referred to as the “#MeToo movement.”

Such an attempted defence or justification of abhorrent behaviour is an approach that disregards the fundamental wrongdoing, and it fails to appreciate that the victims of the wrongdoing do not complain because they feel powerless to prevent the conduct.

Further to the above, Commissioner Cambridge referred to the email signature on TWU’s emails that contained a statement that “I swear never to commit, excuse or remain silent about violence against women”, and suggested that in the circumstances of this case “such a mantra should be expanded to include: ‘I swear never to excuse racism’”.

Accordingly Commissioner Cambridge found that the dismissal was not harsh, unjust or unreasonable, and dismissed the case.

Lessons for employers

Racism and bullying can have a significant and detrimental impact on people – personally and professionally. Left unaddressed, racism in the workplace can lead to absenteeism, staff turnover, a culture of bullying, and discrimination, bullying and workers’ compensation claims.

In light of the above, we recommend that employers:

  • review their Code of Conduct and Equal Opportunity policies to ensure that inappropriate language (including racial slurs) is specifically listed as being inappropriate in the workplace (and the consequences of breaching this);
  • train their employees on the above policies to ensure that they understand what is and isn’t appropriate workplace communication (and the consequences of breaching this); and
  • consider whether their board, committee or management should make a public statement to all employees, volunteers and contractors, stating that the organisation has zero tolerance for racism and violence, and where survivors can find support.

These steps can help to create a safe and inclusive environment for all staff, and will also help to ensure that you can respond swiftly and effectively when employees behave in an inappropriate and unlawful manner.

How we can help

If you’d like further information about what you can do to create a safe and inclusive work environment or for assistance responding to a complaint of inappropriate behaviour, please do not hesitate to contact us.

Fitness for work: When employers can reject a medical certificate

The recent Fair Work Commission (Commission) decision in Tawanda Gadzikwa v Australian Government Department of Human Services [2018] FWC 4878 has confirmed that employers may reject an employee’s medical certificate if it is too vague to enable them to discharge their legal obligations following a long period of absence.

Background

In June 2016, Mr Gadzikwa commenced a period of unpaid personal leave with the Department of Human Services (DHS) due to a mental health condition. Mr Gadzikwa did not return to work, save for three days in September 2016.

In late 2017, DHS informed Mr Gadzikwa that his unpaid sick leave would come to an end in January 2018, and sought proof that he was fit for duty.

Mr Gadzikwa provided DHS with a medical certificate that stated he was fit to perform “light duties”. Given the extended period of absence, DHS sought further specifics about Mr Gadzikwa’s ability to return to work.

DHS’ request for further information prompted an argumentative response, but limited additional information was provided.

In light of the ambiguous language contained in the medical clearance, DHS dismissed Mr Gadzikwa on the basis that it was unsatisfactory. Mr Gadzikwa lodged an unfair dismissal claim alleging that the information that he had provided was sufficient.

Decision

Deputy President Colman rejected the unfair dismissal claim and found that Mr Gadzikwa had failed to provide a sufficient medical clearance at the end of his authorised leave because the medical certificate:

  • did not identify the nature of the duties that Mr Gadzikwa was and was not fit to perform;
  • did not specify how long modifications to Mr Gadzikwa’s working arrangements would be required for;
  • did not outline when Mr Gadzikwa could return to his ordinary position; and
  • was submitted two weeks late.

The Commission was also satisfied that the dismissal was not affected by any procedural unfairness or disproportionate to the relevant conduct.

Lessons for employers

  • It may be lawful (and in fact appropriate) to reject a medical certificate if it provides insufficient information to enable the employer to provide a safe work environment for an employee, particularly after a long and largely unexplained absence from work.
  • Employers should ensure that they provide employees with a reasonable opportunity to supply further and better particulars to support their medical certificate. See the Australian Medical Association Guidelines on Medical Certificates for further information on reviews of medical certificates that contain insufficient or incorrect information.

How we can help

Employers should seek legal advice before rejecting a medical certificate, or dismissing an employee because it requires further information. While subjecting an employee to unreasonable requests for information about their disability could expose an employer to an adverse action or disability discrimination claim, allowing an employee to return to work without sufficient information on their fitness for duty or the modifications required may breach an employer’s OHS obligations. 

For more information, or to speak with a member of our workplace relations team, please do not hesitate to contact us.

Currently in Australia there are no specific laws which prevent an individual in public from taking a photo of a student. 

That being said, the Privacy Act 1988 (Cth) governs how personal information including images can be collected, stored and used. Your school’s child safe policy may also set out when adults, and which adults, are allowed to photograph students, and in what circumstances.

Many schools grapple with balancing the need to promote the school’s activities and achievements against parent wishes and concerns, which can range from very protective to “oversharing” when it comes to photos of students!

Independent schools must comply with the Australian Privacy Principles (APPs), which are set out in the Privacy Act, both by virtue of their annual turnover (more than $3,000,000) and because they are prescribed as health services. They must also comply with their state health records legislation.

The APPs include the requirement to be transparent (in your privacy policy) and compliant as to:

  • The kinds of personal information that the school can collect;
  • The use of personal information, including for direct marketing;
  • The integrity of personal information; and
  • Accessing and correcting personal information.

Common privacy concerns for schools

Whilst grappling with getting the balance right, schools often note these dilemmas:

  1. Many school productions contain copyright material, and it is often a condition of the licence that people may not take photos or recordings;
  2. It is impracticable to expect parents to not take photos; and
  3. Schools do seek consent but are confronted by parents who object to the school’s use of their child’s image nonetheless.

Some key tips for best practice

  • As Independent and Catholic Schools are private property, school staff members are entitled to ask people not to take photographs. This means that during school productions, you can have signs posted around the area stating that no photos can be taken. This respects the privacy of attendees and allows parents to advise the school if they don’t want their photo taken. Violent interventions are not required!
  • The Parents’ Code of Conduct should ensure that the School’s position on parents taking photos is clearly outlined. If zero tolerance is unattainable, consider including clear rules about sharing on social media and seeking consent of depicted students (or their parents if younger students) before sharing. It’s not best practice to “give up” on setting reasonable boundaries, just because some parents are uncooperative, or “know” their “rights”.
  • When seeking information for specific purposes from parents (which typically is sought in the annual update), consider using check boxes for level of consent based on the types of photos and purposes (e.g. for funding, for advertising, for school community). However, be careful of seeking consent for one purpose and using it for another!
  • Respect any requests from parents regarding the taking and use of photos, and ensure processes support these requests. Equally, respect that people can change their mind or have a change in circumstances which may alter their previous position on photos and consent. Maintain a database of children that are not to be photographed, and ensure that all staff members are aware of this requirement. If photographs or videos are accidentally taken, ensure they are destroyed appropriately.
  • Even if broad consent can be relied upon, if a child’s photo is to be used as school advertising or in a way that it will reach further than the immediate school community (such as on the landing page of the school website), request additional consent from the parents that they are happy for their child’s photo to be used in this way.
  • Consider identifying students by first name only, as a practicable limit on identification.

How we can help

Moores assists clients in the education sector to create workable and compliant privacy frameworks, including privacy training for staff. We can advise on any privacy breaches or data breaches, in the event these do occur. 

If you would like further assistance, please do not hesitate to contact us.

*FOR PROFESSIONAL ADVISERS*

A BDBN is an important estate planning tool. If valid, the Trustee must pay the death benefit to the legal personal representative and/or nominated dependant(s).

Ordinarily, a BDBN is valid if:

  • The member has utilised the prescribed BDBN form from the relevant super fund and has named the legal personal representative and/or dependant(s) as a beneficiary.
  • The requirements in the Superannuation Industry Supervision Act 1993 (Cth) have been met.
  • The superannuation fund acknowledges acceptance of the BDBN.  

However, we have recently observed additional requirements being imposed via the trust deed. A common example is what we like to call the ‘life events’ clause. Under the ‘life events’ clause, a BDBN may cease to have effect in a variety of circumstances. For example:

  • The member marrying or entering into a de-facto relationship;
  • The member divorcing or their de-facto relationship ending; and/or
  • In any other circumstance, which the Trustee considers relevant (e.g. the birth of a child).

The latter option provides the Trustee with a wide discretion to render a BDBN invalid.

What does this mean?

It is important to be aware that a BDBN may not be as binding as you think.

If the BDBN was signed before the member married or divorced, or before they had children, the BDBN may no longer be binding. 

It is also important to be sure the BDBN has been validly made and lodged.  In practice, we have seen the following issues arise upon the death of a member:

  • Although the BDBN is reviewed by the Trustee on receipt, it is not scrutinised until the death of the member.  Consequently, although the member statement may acknowledge a BDBN, this is not evidence of its validity. We have recently observed basic errors being missed by the Trustee.  
  • Where there are multiple accounts or interests (e.g. superannuation and pension interests), the BDBN only capturing some of the accounts and/or interests. 
  • The BDBN being inappropriately witnessed, e.g. where a witness is also a named beneficiary.
  • The BDBN attributing part or all of the death benefit to a non-dependant. 
  • The BDBN not being dated.

What to do?

  1. Check the trust deed for the relevant super fund.  Most are available online.  In the trust deed, check to see when a BDBN ceases to have effect for the relevant super fund. 
    • Note however, that some funds can make retrospective changes to the terms of their trust deed, so although there is no issue today, that might not be the case tomorrow. 
  2. Update the BDBN when the member’s personal circumstances change.
  3. Incorporate a review of the BDBN in your annual review process with the client and consider updating the BDBN regardless of whether there is a change in circumstances.   The more recent the BDBN, the greater the weight attributed to it by the Trustee in the event of invalidity.   
  4. Don’t simply rely on the member statement to confirm the validity of the BDBN. Ask for a copy of the BDBN and scrutinise it for yourself.
  5. In some instances, where certainty is paramount, you may need to consider alternative arrangements (e.g. a self-managed superannuation fund).

Contact us

If you have any general queries regarding a BDBN, please do not hesitate to contact us.

Strathmore Secondary College is under investigation following the accidental publication of over 300 student records. The breach was slammed by education minister James Merlino as “nothing short of appalling” as it revealed highly sensitive information such as disabilities, behavioural issues, and treatment plans of students. The breach sends a strong message to the education sector regarding the importance of training staff and having in place a strong data breach response plan.

The breach

On Tuesday 21 August 2018, Strathmore Secondary College became aware that student records relating to more than 300 students had been accidentally published on the school’s intranet from as early as Monday this week. The intranet is accessible by students and parents. The records published listed conditions such as ADHD, Asperger’s, acquired brain injuries, and Autism. It also contained information on whether students were receiving government support, were on medication, or had treatment plans.

While the information was restricted to the intranet, there are concerns that the information could fuel bullying or harassment. Additionally, the information could be further spread by word of mouth or copies being made. The education department will be launching an inquiry into the breach and visiting the school to educate staff on privacy and IT issues. The impact of the breach in terms of degree of access or number of downloads is currently unclear.

Lesson for organisations

The Strathmore data breach aligns with the OAIC’s recent finding that human error is a key contributor to data breaches. In its second quarterly report on the NDB Scheme, the OAIC found that human error accounted for 36% of notified breaches. While malicious or criminal attacks accounted for 59% of notifications, many of those also had a human factor, such as an employee clicking on a phishing email. The lesson for organisations is that training staff deserves the same focus as securing IT systems.

Furthermore, the Strathmore data breach demonstrates the significant impact a data breach can have on an organisation’s reputation. It is critical that organisations have in place a tailored data breach response plan (DBRP). This is especially so if the organisation is bound by the NDB Scheme or by reporting requirements under state contracts. These generally require the reporting of data breaches which are likely to result in serious harm to the affected individuals.

In the past, Moores has worked with education institutions that have suffered data breaches, including education bodies which have published sensitive student information in error on public websites. With the help of a clear and effective DBRP, the breach can be contained and serious harm mitigated. Where that is achieved, notification may not be required, allowing the organisation to minimise the risk of reputational harm or widespread panic.

Next Steps

The education sector is becoming increasingly susceptible to data breaches. Privacy breaches, malicious cyber threats and IT systems failure were all among the top 10 concerns for schools highlighted in the AON Independent Risk Report 2018. Education institutions are particularly exposed because they hold sensitive information such as the health data of children.

Organisations need to strengthen their privacy practices. We highly recommend that organisations undertake a self-assessment of their current practices. Where your organisation falls short, for example by having no DBRP or no staff training, the current environment provides every incentive to prioritise improvement.

How we can help

Moores has experience working with clients in the education sector to both prevent and proactively respond to data breaches. We can provide advice to your organisation on its privacy framework.

If you would like further assistance, please do not hesitate to contact us.

The Victorian Civil and Administrative Tribunal (VCAT) has awarded $11,000 in damages to a teacher whose employer failed to protect her personal information from loss and disclosure.

The teacher had been diagnosed with medical conditions. As part of a separate discrimination claim involving the teacher, the acting principal took written notes of a phone call with the Department of Education’s legal advisors.

The note did not name the teacher, but was specific enough for her to be identified as its subject, together with her medical condition. The note was found in the staff bathroom by a colleague who, after discussing it with another colleague, worked out that it referred to the teacher. They placed it in her pigeonhole.

On her return to the workplace the teacher found the note, left and did not return to work. The teacher claimed that she had suffered distress at the discovery of the note as her employer had not complied with the privacy principles in the Health Records Act 2001 (Vic) (HRA).

VCAT found that the employer had breached the HRA and caused the teacher to suffer damage in the form of distress, an inability to return to work and a deterioration in her mental health.

This case highlights that, despite the publicity around hacking and data breaches, many privacy breaches are still due to basic human error, including misplaced paper records. This was reflected in the second quarterly report published by the Office of the Australian Information Commissioner on 31 July 2018. The report found that 36 per cent of the notifications received indicated that the cause of the breach was human error. The most common human errors were:

  • an email containing personal information sent to the wrong recipient;
  • unintended release or publication of personal information; and
  • personal information sent by post to the wrong recipient.

Damages Award to Teacher for Breach of Privacy | Moores

Human error was also believed to be behind the disclosure of hard-copy records of 31 patients from John Fawkner Private Hospital. You may remember, in 2017, when five pages of confidential hand-over notes were found in the gutter on Coburg Street. The notes contained personal, and highly sensitive, information including names, ages, diagnoses, treatment plans, medications and living conditions. At the time there was no obligation on the hospital to notify the patients that their privacy had been breached; under the NDB Scheme that is no longer the case.

The recent legislation changes and the common occurrence of human error highlight the importance of risk management when dealing with personal information.

To ensure that your organisation is in a strong position to respond effectively and swiftly to a data breach, we recommend the following five steps towards compliance and best practice:

  1. Assess which scheme or legislation applies to your organisation.
  2. Review your privacy policy to ensure it is tailored to your needs and compliance requirements.
  3. Create a data breach response plan to ensure swift action to mitigate risk, including:
    • the legislative requirements to contact affected individuals;
    • the remedial steps available to prevent serious harm from eventuating;
    • when data breaches need to be reported and the process for reporting; and
    • templates for notifications and external communication.
  4. Provide training to your staff on your privacy policy and data breach response plan, including when data breaches need to be reported.
  5. Review your service provider agreements and other information sharing arrangements so that you understand the responsibilities and rights of each party.

How we can help

All this information can seem overwhelming and daunting, so don’t forget Moores is here to help. If you would like more information or assistance with your data breach response plan, please do not hesitate to contact us.

Harrison v Department of Education and Training (Human Rights) (Corrected) [2017] VCAT 1128

The Office of the Australian Information Commissioner (OAIC) has issued its second quarterly statistics report (the Report) for 1 April – 30 June 2018. As the number of data breaches reported increases, interesting trends are emerging. Significantly, while 59% of breaches were caused by malicious or criminal attacks, 36% of the data breaches reported were due to human error. The lesson for organisations is that preventing human error should be a key aspect of their data security strategy.

The Report

A total of 242 notifications were made under the Notifiable Data Breaches (NDB) scheme in the second quarter. The general trend of increasing reports continued with 90 reports being made in June, compared to only 55 made in March. Contact information and financial details were the most common kinds of personal information to be involved in data breaches.

The Report also identified the five industry sectors that made the most notifications in the quarter. These were (in order) health service providers; finance; legal, accounting and management services; education; and business and professional associations. Significantly, health service providers accounted for 49 of the notifications received, around 20% of all notifications. This figure does not include My Health Record breaches, which are subject to a separate notification scheme.

Causes of data breaches

The causes of notifications were:

  • malicious or criminal attacks accounting for 59% of notifications;
  • human error accounting for 36% of notifications; and
  • system malfunction accounting for 5% of notifications.

The majority of malicious or criminal attacks were cyber incidents such as phishing, malware, ransomware or the use of stolen credentials. Notably, these often succeeded by exploiting human factors, such as an employee clicking on a phishing email or disclosing a password.

Notifications caused by human error primarily involved personal information being sent to the wrong recipient, unintended release or publication, or the loss of paperwork or a data storage device. Information sent to the wrong person tended to affect fewer individuals, whereas a lost data storage device typically affected significantly more.

Prevention is best

The Report and the recent publicised data breaches suffered by PageUp and Svitzer demonstrate that prevention is best. While both PageUp and Svitzer were able to manage their breaches so that serious harm did not eventuate, both organisations suffered significant reputational loss and business disruption. Malicious or criminal attacks can be difficult to prevent, but organisations can do much more to address the human factor that both enables those attacks and causes outright human error.

Some practical tips for preventing data breaches are:

  1. Train your staff – Ensuring your staff are trained on data security measures is of utmost importance for an organisation-wide approach. This includes training on:
    • How to recall an email that has been sent to the wrong recipient, bearing in mind that recall generally only works within the same mail system and before the message has been opened, so encrypting sensitive attachments is the more reliable control;
    • Identifying malicious emails which may carry phishing links or malware;
    • Proper data request processes, which help employees recognise when an email purporting to come from another employee (often at executive level) is fake; and
    • The main human errors leading to data breaches, to heighten awareness and care.
  2. Tighten system processes – Organisations should work with experts to tighten their system processes, such as requiring strong passwords, regularly checking for suspicious activity and malware, and encrypting data storage devices.
  3. Restrict data access – Often, more people than necessary have access to personal and sensitive information. Organisations should implement strict levels of access, which reduces the chance of a human error turning into a data breach.
  4. Remove unnecessary data – As organisations collect increasing volumes of data, proper deletion processes are needed. Regular audits should be conducted to remove any data that is no longer required.
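As an added illustration of tips 3 and 4 above (this is example code written for this page, not Moores’ or any school’s system), the Python below labels each record with a sensitivity level and checks a publishing target against the clearance of everyone who can reach it, rather than against the clearance of the staff member clicking “publish”. That is the control that would have stopped a Strathmore-style mistake: a support plan can be published to the wellbeing team’s area, but not to a whole-school intranet that students and parents can browse. A small retention audit lists records past their retention date. The roles, audiences, record fields and sample records are all constructed assumptions for the example.

```python
"""Added example (not from the original article): audience-based publish
checks and a retention audit for sensitive student records.  Roles,
clearances, audiences and records are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Ordered sensitivity labels (assumed classification scheme).
PUBLIC, INTERNAL, SENSITIVE = 0, 1, 2

# Highest sensitivity each role may read (assumed roles and clearances).
ROLE_CLEARANCE = {
    "student": PUBLIC,
    "parent": PUBLIC,
    "teacher": INTERNAL,
    "wellbeing_officer": SENSITIVE,
    "principal": SENSITIVE,
}

# Roles able to reach each publishing target (assumed).  "school_intranet"
# is the whole-school area that students and parents can browse.
AUDIENCES = {
    "school_intranet": {"student", "parent", "teacher", "wellbeing_officer", "principal"},
    "staff_area": {"teacher", "wellbeing_officer", "principal"},
    "wellbeing_team": {"wellbeing_officer", "principal"},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    sensitivity: int
    content: str
    retain_until: date  # last day the record is needed (assumed field)


class PublishDenied(Exception):
    """Raised when a record would become readable by an uncleared role."""


def can_read(role: str, record: Record) -> bool:
    """A role may read a record only if its clearance covers the label."""
    return ROLE_CLEARANCE.get(role, -1) >= record.sensitivity


def publish(record: Record, audience: str) -> str:
    """Publish only if every role that can reach the audience is cleared.

    The check is on the audience, not on the person publishing: a cleared
    staff member still cannot push a SENSITIVE record to an area that
    students and parents can browse.
    """
    uncleared = sorted(r for r in AUDIENCES[audience] if not can_read(r, record))
    if uncleared:
        raise PublishDenied(
            f"{record.record_id} (label {record.sensitivity}) would be "
            f"readable by {uncleared} via {audience}"
        )
    return f"{record.record_id} published to {audience}"


def readers(record: Record) -> list[str]:
    """Roles that can read a record: the starting point for an access review."""
    return sorted(r for r in ROLE_CLEARANCE if can_read(r, record))


def retention_audit(records, today: date) -> list[str]:
    """Records past their retention date, i.e. candidates for secure deletion."""
    return [r.record_id for r in records if r.retain_until < today]


# Constructed sample data (not real students).
SAMPLE_RECORDS = [
    Record("timetable-2018", PUBLIC, "Term 3 timetable", date(2018, 12, 31)),
    Record("support-plan-0042", SENSITIVE, "ADHD support plan and medication", date(2019, 12, 31)),
    Record("support-plan-0007", SENSITIVE, "Plan for a student who left in 2016", date(2016, 12, 31)),
]


def demo() -> dict:
    """Run the checks over the sample data and return the outcomes."""
    results = {}
    try:
        publish(SAMPLE_RECORDS[1], "school_intranet")
        results["intranet"] = "published"  # the Strathmore outcome; must not happen
    except PublishDenied as err:
        results["intranet"] = f"denied: {err}"
    results["wellbeing"] = publish(SAMPLE_RECORDS[1], "wellbeing_team")
    results["readers"] = readers(SAMPLE_RECORDS[1])
    results["stale"] = retention_audit(SAMPLE_RECORDS, date(2018, 8, 21))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of checking the audience rather than the publisher is that the Strathmore records were, by all accounts, uploaded by someone entitled to see them; the failure was where they were put. Running the retention audit on a schedule, and actually deleting what it lists, is what turns tip 4 from a policy statement into a control.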

How we can help

Moores has experience working with clients to both prevent and proactively respond to data breaches. We can advise your organisation on undertaking the preventative steps above.

If you would like further assistance, please do not hesitate to contact us.