Organisations, including not-for-profit organisations and schools, are on notice that the Office of the Australian Information Commissioner (OAIC) will take a “stronger regulatory approach” to enforcement of the Notifiable Data Breaches (NDB) Scheme from 2024. The national privacy regulator announced the stronger approach, with information security named as a regulatory priority, in its half-yearly report of statistics and reporting trends under the Scheme.

We recommend organisations prepare for this new, stronger regulatory approach from the OAIC by:

  • Understanding the types of notifications made under the NDB Scheme in 2023 – we have done this for you below
  • Considering the risks of cybercrime in Australia
  • Reviewing the determinations by the OAIC which set these higher expectations
  • Reflecting on your security vulnerabilities – consider doing a data security audit or penetration testing
  • Implementing a data breach response plan tailored to your organisation
  • Training staff to identify data breaches, report internally and implement the data breach response plan

NDB Scheme statistics from 2023

In 2023, 892 notifications were made to the OAIC under the NDB Scheme.

Health service providers made the most notifications under the NDB Scheme, accounting for 18% of all notifications. In addition, 37% of notifications involved health information. This is significant because the regulatory response, and any civil penalty imposed, takes into account the emotional harm caused by a privacy breach, and a breach of health data generally has a heightened negative impact on the individuals affected, not to mention the possibility of discriminatory consequences.

Understanding types of data breaches

Cyber security incidents represented 42% of notifications:

  • 22% were compromised credentials (includes phishing and other methods)
  • 14% were cyber incidents due to social engineering or impersonation
  • 12% were from ransomware

Human error represented 28% of notifications:

  • 5% were unintended release or publication
  • 10% were emailing information to the wrong person by mistake

In July to December 2023, compromised or stolen credentials were a leading cause of data breaches. The OAIC notes that the large-scale data breaches of recent years have heightened the risk of cyber incidents arising from compromised credentials: passwords exposed in earlier breaches are reused on other services and fed into credential-stuffing attacks. In addition to implementing multi-factor authentication and strong password requirements (current Australian Signals Directorate and NIST guidance favours long passphrases screened against lists of known-breached passwords over routine forced password changes, which tend to produce predictable variations), organisations can:
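The breached-password screening mentioned above can be implemented locally. The following Python example is added here for illustration and is not part of this article or of any OAIC material: candidate passwords are hashed with SHA-1 and compared against a corpus of breached-password hashes using the same 5-character prefix (k-anonymity “range”) lookup the Have I Been Pwned service uses, so that a full hash never has to leave the organisation. The four-entry corpus is constructed for the example (a real deployment would load an offline copy of a published breach list), and the function names and the 14-character minimum length are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (a real deployment
# would load an offline copy of a published breach list instead).
BREACHED_PASSWORDS = ["password", "Password1", "Welcome2023", "letmein"]

# Assumed policy: minimum length for a new password.
MIN_LENGTH = 14


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form used by k-anonymity range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index breached hashes by their first five hex characters.

    This mirrors a 'range' lookup: the client reveals only a 5-character
    prefix and receives every suffix in that bucket, so the party holding
    the corpus never learns which password was being checked.
    """
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password: str, index) -> bool:
    """Return True if the password appears in the indexed breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def screen_password(password: str, index, min_length: int = MIN_LENGTH):
    """Return a list of reasons a candidate password should be rejected.

    An empty list means the password passed screening. Breach screening
    comes first: a password that already appears in a breach corpus is
    unsafe regardless of how long it is.
    """
    reasons = []
    if is_breached(password, index):
        reasons.append("appears in breached-password corpus")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["Welcome2023", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate, idx) or "accepted")
```

Running the block screens three constructed candidates: one that is in the corpus, one that is merely short, and a long passphrase that passes. Wiring `screen_password` into the account-creation and password-reset paths is what turns the OAIC's observation about reused credentials into an enforced control.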

How we can help

The privacy and data security team at Moores can help you prepare for data breaches through privacy training, privacy audits and designing custom privacy and data protection procedures and internal tools for staff. We can help you respond to a data breach by assessing the breach under the Notifiable Data Breach Scheme, and helping you implement a Data Breach Response Plan.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.

If you are a charity or for-purpose organisation, you may have been following news reports in the last month (August 2023) about a privacy breach affecting “thousands of donors to Australian charities”. This article looks into an emerging trend of third-party data breaches – data breaches by contractors or service providers – where the charity or victim organisation obtaining the services has the public-facing brand name which makes it into news reports. Then we give some recommendations for what you can do about it.

Third-party data breaches

A third-party data breach occurs when a malicious or criminal actor compromises a supplier, service provider or contractor and thereby gains access to sensitive information or systems belonging to that supplier’s customers, clients or business partners. For example:

  • A school gives health information to a camp provider;
  • The camp provider is subject to the data breach;
  • It is the school whose students are affected, and so it is the school that is reported in the media as having suffered a data breach and that must respond to the fallout with stakeholders.

Third-party data breaches are increasing because of the greater uptake of outsourced automation and efficiencies, the pressure on not-for-profits to optimise their supporter and contact databases, and the rise in criminal hacking activity. Many not-for-profit organisations may not know, or take responsibility for, where their data goes when working with other organisations. Often, they simply trust that the third party has adequate systems in place. Further, charities, schools and other for-purpose organisations may have many different service providers and contractors with whom different information is being shared. This makes it difficult to know where your data is.

How to mitigate the risks of a third-party data breach

Knowing where your data is was the principal recommendation of Victorian Privacy and Data Protection Commissioner, Rachel Dixon, during Privacy Awareness Week in May 2023.

“Know what data you hold, and where it is.”

In more technical terms, this is referred to as data mapping, or visualising your organisation’s data assets. Data mapping sets you up to take action to protect that data. It will also prepare your organisation to respond to pending amendments to the Privacy Act 1988 (Cth).

Another recommendation to mitigate the risks of third-party data breaches is to include privacy requirements in your contracts with these service providers. Your contracts should:

  • require the service provider to comply with the Privacy Act 1988 (Cth), because some organisations (for example, many small businesses) are otherwise exempt from it;
  • require both organisations to tell each other about potential data breaches;
  • set out minimum data security requirements expected of the service provider; and
  • provide clear rules around data retention and destruction once the data is no longer needed.

The importance of privacy-by-design

Incorporating privacy-by-design into your information systems can help reduce the risk of data breaches, by implementing systemic protections to avoid the circumstances that lead to a breach even arising. Privacy-by-design is the idea of building privacy protections into processes to make good privacy practices a part of normal, everyday practice – making them the “default setting”.

In this context, this means systemic controls on how information is shared with third parties: for example, restricting the downloading and exporting of client, donor or student data to a small number of authorised staff, or requiring that data be shared only through a channel that the Privacy Officer has reviewed and approved.

How we can help

We can help you with data mapping, contracting with service providers and redesigning your information systems with privacy-by-design in mind. If you have unfortunately been affected by the data breach currently in the media, we can support you in your response and risk mitigation.  Contact us to hear more about these services and our perennially popular privacy and data breach training.