22 February 2022

As Australia’s Notifiable Data Breaches scheme marks its fourth year of operation, the Office of the Australian Information Commissioner (OAIC) is urging organisations to put accountability at the centre of their information handling practices.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said doing so would give individuals greater confidence that their personal information will be handled fairly and securely when they engage with an organisation.

“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said.

The latest Notifiable Data Breaches Report shows the OAIC received 464 data breach notifications from July to December 2021, an increase of 6% compared with the previous period.

Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281.

There was a significant rise in breaches due to human error, increasing by 43% to 190, after a dip in the previous period.

The health sector remains the highest reporting industry sector notifying 18% of all breaches, followed by finance (12%).

Commissioner Falk said the Notifiable Data Breaches scheme is well established after four years of operation and the OAIC expects organisations to have strong accountability measures in place to prevent and manage data breaches in line with legal requirements and community expectations.

“The scheme is now mature and we expect organisations to have accountability measures in place to ensure full compliance with its requirements,” she said.

“If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”

The OAIC is still finding that some organisations are falling short of the scheme’s assessment and notification requirements.

“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said.

“Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”

Commissioner Falk said swift assessment and notification is required, supported by systems to detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults (11%) did not become aware of the incident for over a year.

As the risk of serious harm to individuals often increases with time, the OAIC expects organisations to treat 30 days as a maximum time limit for an assessment of a data breach and to aim to complete the assessment in a much shorter timeframe.

In the reporting period, 75% of organisations notified the OAIC within 30 days of becoming aware of an incident, compared with 72% in the previous period. Twenty-eight organisations took longer than 120 days from when they became aware of an incident to notify the OAIC.

The report highlights a scenario in which an organisation experienced a phishing attack and an employee’s email account was compromised. A preliminary review of the incident suggested a significant amount of personal information was at risk, but that it would take 5 months to identify and tailor notifications to everyone at risk of serious harm.

In this case, best practice was to promptly notify individuals, providing general recommendations that applied to all individuals whose personal information was contained in the email account, rather than attempting to tailor notifications and delay the process.

Read the Notifiable Data Breaches Report July to December 2021.