Navigating privacy with your contractors and service providers

If you are a charity or for-purpose organisation, you may have been following news reports in the last month (August 2023) about a privacy breach affecting “thousands of donors to Australian charities”. This article looks into an emerging trend of third-party data breaches – data breaches by contractors or service providers – where the charity or victim organisation obtaining the services is the public-facing brand name that makes it into news reports. We then give some recommendations for what you can do about it.

Third-party data breaches

A third-party data breach occurs when a malicious or criminal actor compromises a supplier, service provider or contractor to gain access to sensitive information or systems at the victim organisation’s customers, clients or business partners. For example: 

  • A school gives health information to a camp provider;
  • The camp provider is subject to the data breach;
  • It is the school whose students are affected, and so it is the school which is reported in the media as having a data breach and which must respond to the fallout with stakeholders.

Third-party data breaches are increasing because of the increased uptake of contracted automation and efficiencies, the imperative for not-for-profits to optimise their support and contact databases, and increased criminal activity via hacking. Many not-for-profit organisations may not know, or take responsibility for, where their data goes when working with other organisations. Often, they simply trust that the third party has adequate systems in place. Further, charities, schools and other for-purpose organisations may have many different service providers and contractors with whom different information is being shared. This makes it difficult to know where your data is.

How to mitigate the risks of a third-party data breach

Knowing where your data is was the principal recommendation of Victorian Privacy and Data Protection Commissioner, Rachel Dixon, during Privacy Awareness Week in May 2023.

“Know what data you hold, and where it is.”

In more technical terms, this is referred to as data mapping, or visualising your organisation’s data assets. Data mapping sets you up to take action to protect that data. It will also prepare your organisation to respond to pending amendments to the Privacy Act 1988 (Cth).

Another recommendation to mitigate the risks of third-party data breaches is to include privacy requirements in your contracts with these service providers. Your contracts should:

  • ensure the organisation is required to comply with the Privacy Act 1988 (Cth), because there are some exemptions in the law;
  • require both organisations to tell each other about potential data breaches;
  • set out minimum data security requirements expected of the service provider; and
  • provide clear rules around data retention and destruction once it is no longer needed.

The importance of privacy-by-design

Incorporating privacy-by-design into your information systems can help reduce the risk of data breaches by implementing systemic protections that prevent the circumstances leading to a breach from arising in the first place. Privacy-by-design is the idea of building privacy protections into processes to make good privacy practices a part of normal, everyday practice – making them the “default setting”.

In this context, this would mean systemic protocols or restrictions on the sharing of information with third parties, such as a restriction on the downloading and exporting of client, donor or student data so that only certain staff can do this, or a requirement that the data be shared in a specific way that has been considered and approved by the Privacy Officer.

How we can help

We can help you with data mapping, contracting with service providers and redesigning your information systems with privacy-by-design in mind. If you have unfortunately been affected by the data breach currently in the media, we can support you in your response and risk mitigation. Contact us to hear more about these services and our perennially popular privacy and data breach training.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.