Top Tip: What To Do If There’s a Data Breach at School


National Data Breach – Responsibilities and Risks for Schools

Recent changes to the Privacy Act, made by the Privacy Amendment (Notifiable Data Breaches) Act 2017, established the Notifiable Data Breaches (NDB) scheme in Australia. The scheme places obligations on certain entities, including schools, in responding to data breaches. Effective from 22 February 2018, schools may be required to notify affected individuals and the Australian Information Commissioner of a data breach when it is likely to result in serious harm to any individuals whose personal information is involved.

This raises a plethora of issues for schools in preventing data breaches, responding when a data breach occurs and meeting notification requirements.

What are your risks?

Legislation is not designed to be easy to read or understand, so here is a summary of the risks your school faces under the NDB scheme.

Examples of data breaches include:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
  • unauthorised access to personal information by an employee
  • inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
  • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.

Examples of harm include:

  • financial fraud including unauthorised credit card transactions or credit fraud
  • identity theft causing financial loss or emotional and psychological harm
  • family violence
  • physical harm or intimidation.

Schools in their daily operation collect and store a vast array of personal information about students, parents and staff. Technological advances are enabling schools to electronically store increasing amounts of personal information such as photos, bank details, family information, contact details, videos of students, medical records and health information. This creates a very real risk to the protection of privacy in the school environment.

Data breaches are not limited to cyber attacks and the hacking of computer systems. The most common data breaches we see at Corney & Lind involve human error, or a failure to have a policy in place that is adhered to, with information being inadvertently lost or disclosed to the wrong person. Examples include leaving a school tablet in a taxi and sending an email to the incorrect person.

The NDB scheme requires entities to notify individuals whose information has been disclosed and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
  • This is likely to result in serious harm to any of the individuals to whom the information relates.
  • The entity has been unable to prevent the likely risk of serious harm with remedial action.

What are your responsibilities?

The first responsibility of any school is to amend its current Privacy Policy to ensure that a data breach response plan is in writing. Staff need to understand what steps need to be taken, and who needs to take them, in the event of a data breach. An effective data breach response generally follows a four-step process: contain, assess, notify, and review. This plan should be accessible at short notice, because timing is critical in taking remedial action that may well prevent reporting requirements coming into effect. When a school believes an eligible data breach has occurred, it is obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified, by means of a statement about the eligible data breach, within 30 days of the breach occurring.

Do You Have a Data Breach Plan in Place?

A data breach response plan should first define what constitutes a data breach and the reporting obligations it triggers under the Privacy Act. It then needs to set out the roles and responsibilities involved in managing a data breach and break down each step that needs to be taken in response to the breach. Next, the response plan needs to be tested and reviewed to ensure that it works effectively. The benefit of a data breach plan is that it can prevent breaches from occurring, or help to quickly remedy one that has occurred. A plan will help ensure that the notification requirements are complied with and reduce the risk of being fined. The penalty for failing to comply with notification requirements is up to $420,000 for individuals and up to $2,100,000 for companies.

How can we help?

We have recently undertaken a lot of work reviewing and amending Privacy Policies to ensure compliance with the amendments to the Act and are well positioned to help you promptly put in place a data breach response plan.

Also, when data breaches do occur, we are here to help you take remedial action to contain the breach, which may prevent notification obligations coming into effect. Where an eligible breach has occurred, we can ensure you correctly comply with your requirements to report any serious harm to the Commissioner and the individual(s) involved.

Some other practical steps we recommend all schools take include:

  • Consult a professional computer technician to ensure that the school's software and security systems are up to date and as resistant to ransomware, or any other cyber attack, as possible. This will demonstrate compliance with Privacy Principle 11.1, which compels the school to take reasonable steps to ensure the security of any personal information it holds.
  • Consult with your insurer regarding the circumstances in which loss arising from an unauthorised data access will be covered by your policy.