Notifiable Data Breaches Scheme and its Implications for Schools

We aim to deliver Just, Redemptive Outcomes®

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“the Amendment Act”) will introduce significant amendments to the Privacy Act 1988 (Cth) (“the Privacy Act”) on 22 February 2018.

The Amendments will have significant implications for Schools and Colleges if the provisions of the Privacy Act apply to them (and this would be most Schools and Colleges).

What is the Notifiable Data Breaches Scheme?

The Bill for the Notifiable Data Breaches (“NDB”) Scheme was introduced in 2016, with the Act passed to take effect on 22 February 2018.

The Amendment Act introduces mandatory data breach notifications, that is, a requirement by the organisation (or School, for the purpose of this paper) to notify individuals and the Australian Information Commissioner in relation to certain data breaches.

This requirement for mandatory data breach notifications likely comes in response to the recent malicious and serious breaches of privacy and electronic information stored (though the Amendment Act potential extends to data breaches involving physical private or sensitive information).

What is an Eligible Data Breach?

Section 26WE(2) of the Amendment Act states that (our emphasis added):

Eligible data breach

  1. For the purposes of this Act, if:
    1. both of the following conditions are satisfied:
      1. there is unauthorised access to, or unauthorised disclosure of, the information;
      2. a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
    2. the information is lost in circumstances where:
      1. unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
      2. assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;

    then;

    1. the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
    2. an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.

Simply, the key-points for an Eligible Data Breach are:

  1. Has there been unauthorised access or disclosure of personal information, or a loss of personal information, held by the School?
  2. Is the unauthorised access or disclosure of personal information, or a loss of personal information, likely to result in serious harm to the individual whom the information concerns?

The Amendment Act and the website of the Office of the Australian Information Commissioner gives guidance on what types of data breaches could result in serious harm. In considering whether serious harm may arise, it is important to consider:

  1. The types of personal information involved in the data breach;
  2. What are the circumstances of the data breach; and
  3. What is the nature of the harm that could arise from the data breach.

In the context of a School, types of information a School holds that could cause serious harm if subject to a data breach includes:

  1. Medical information about students;
  2. Copies of Documents that could lead to identity fraud, such as Medicare Cards and other forms of identities; and
  3. Financial Information, include tax file numbers of employees.

In considering the circumstances of a data breach, some examples include:

  1. the person whose information is at risk. For example, a student is generally more vulnerable and at risk.
  2. How many individuals were involved in the data breach?
  3. Does the combination of the information released create added risk of harm? For example, if the data breach releases a name of a person in connection with a mental disability.

Some examples of when the nature of harm could be serious and the likely outcome that results in serious risk of harm are:

  1. Identity theft;
  2. Financial loss;
  3. Threat to physical safety; and
  4. Exposure to humiliation, bullying or loss of employment opportunities

When a School becomes aware on reasonable grounds that an eligible data breach has occurred, they are required to promptly notify the individuals at likely risk of harm about the eligible data breach. The Office of the Australian Information Commissioner also has to be notified as soon as practicable. The notification has to include prescribed information such as:

  1. The identity and contact details of the School;
  2. A description of the eligible data breach;
  3. The kinds of information that has been compromised; and
  4. Recommendations about the steps that the affected individuals should take in response to the data breach.

Are there any exceptions to Eligible Data Breaches?

The Amendment Act provides for a few exceptions, but the critical one for Schools (in our view) is that if a School takes remedial action such that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach for the School.

Two examples provided for by the Office of the Australian Information Commissioner of suitable remedial action that satisfies the exception to Eligible Data Breaches are:

  1. Contacting a person who has been inadvertently sent personal information, and that person (who is identified as reliable and trustworthy) deletes the personal information without viewing it; and
  2. An employee leaves a smart-phone on public transport, but is able to engage the employer’s IT staff to remotely delete the information on the smart-phone, and the IT team are confident in the security measures on the smart-phone that the data has not otherwise been accessed.

As a School, here are some important questions that will guide your next step to prepare for these Amendments.

  1. Has your School’s Privacy Policy and Procedures been recently updated?
    • This is particularly important if your Privacy Policy has not been amended since National Privacy Principles were updated to the Australian Privacy Principles under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth). If this is the case, your Privacy Policy and Procedures may be significantly out of date.
  1. Has your School developed a Data Breach Response Plan?
  2. Have you done an audit of your information technology (I.T.) service and security providers and contractors? Do your contracts with them sufficiently satisfy you that the data and services you provide will preserve the confidentiality of your staff and students?
  3. Have you considered whether your information storage practices protect your staff and students from potential data breaches? For example, how are your paper counselling notes or medical records of your student’s kept?
  4. Have you trained your staff on what to do in the event of a Notifiable Data Breach, and how to bring that Data Breach to the attention of the Office of the Australian Information Commissioner?

If your response to any of these questions are ‘no’, please consider contacting us for further information, and helping you review your privacy policies or drafting a Data Breach Response Plan.