How HWH identifies and manages data breaches
Purpose
HWH is using guidance from the Office of the Australian Information Commissioner (OAIC) to assist us to prepare for and respond to data breaches in line with our obligations under the Privacy Act 1988 (Cth) (Privacy Act).
Key points
- A data breach is an unauthorised access or disclosure of personal information or loss of personal information.
- Data breaches can have serious consequences, so we must have robust systems and procedures to identify and respond effectively.
- Entities regulated by the Privacy Act (i.e. HWH in the Health Services sector) should be familiar with the requirements of the Notifiable Data Breaches (NDB) scheme, which are an extension of our information governance and security obligations.
- A data breach incident may also trigger reporting obligations outside the Privacy Act.
What is a Data Breach?
A data breach occurs when personal information we hold is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual or a reasonably identifiable individual.
Information that is not about an individual can become personal information when combined with other information if this combination results in an individual becoming ‘reasonably identifiable’.
A data breach may be caused by malicious action (by an external or insider party), human error, or information handling or security systems failure.
Examples of data breaches include:
- loss or theft of physical devices (such as laptops or phones) or paper records that contain personal information
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to ‘human error’, for example, an email sent to the wrong person
- disclosure of an individual’s personal information to a scammer as a result of inadequate identity verification procedures.
Consequences of a data breach
Data breaches can cause significant harm in multiple ways.
Individuals whose personal information is involved in a data breach may be at risk of serious harm, including harm to their physical or mental well-being, financial loss, or damage to their reputation.
Examples of harm include:
- financial fraud, including unauthorised credit card transactions or credit fraud
- identity theft causing financial loss or emotional and psychological harm
- family violence
- physical damage or intimidation.
A data breach can also negatively impact our reputation for privacy protection and, as a result, undercut our chances of success. Privacy protection contributes to an individual’s trust in us.
Clients and prospects may seek alternate providers if we get a reputation for handling personal information contrary to community expectations.
HWH can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals and demonstrating accountability in our data breach response. This involves transparency when a data breach is likely to cause serious damage to affected individuals.
Transparency enables people to take steps to reduce their risk of harm. It also demonstrates that we take our responsibility to protect personal information seriously, which is integral to building and maintaining trust in our information-handling capability.
The Australian Privacy Principles
The Privacy Act contains 13 Australian Privacy Principles (APPs) that set out entities’ obligations for managing personal information. The APPs are principles-based and technologically neutral, so they can be applied across different technologies and uses of personal information as these change over time.
Compliance with the APPs will reduce the risk of a data breach occurring in HWH. This is because the APPs ensure that privacy risks are reduced or removed at each stage of personal information handling, including collection, storage, use, disclosure, and destruction of personal information.
Example
APP 3.0 restricts the collection of personal information. APPs 4.3 and 11.2 outline requirements to destroy or de-identify information if it is unsolicited or no longer needed by the entity. Compliance with these requirements reduces data exposure due to a breach.
Compliance with the requirement to secure personal information in APP 11 is key to minimising the risk of a data breach. APP 11 requires us to take reasonable steps to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The type of steps that are reasonable to protect information will depend on the circumstances and the risks associated with the personal information handled by the entity.
In addition, APP 1 requires us to take reasonable steps to establish and maintain practices, procedures, and systems to ensure compliance with the APPs.
The Notifiable Data Breaches (NDB) scheme
The NDB scheme in Part IIIC of the Privacy Act requires us to notify affected individuals and the Commissioner of certain data breaches.
The NDB scheme requires us to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by HWH (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- The breach is likely to result in serious harm to any of the individuals to whom the information relates.
- HWH has been unable to prevent the likely risk of serious harm with remedial action.
We must also conduct an assessment if it is not clear whether a suspected data breach meets these criteria. The assessment determines whether the breach is an ‘eligible data breach’ that triggers our notification obligations.
The primary purpose of the NDB scheme is to ensure that individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm. This has a practical function: individuals can take steps to reduce their risk of harm once notified about a data breach. For example, an individual can change passwords to compromised online accounts and be alert to identity fraud or scams.
The NDB scheme also serves the broader purpose of enhancing our accountability for privacy protection. By demonstrating that entities are accountable for privacy and that privacy breaches are taken seriously, the NDB scheme builds trust in personal information handling across industries.
Other obligations
HWH may have other obligations outside the Privacy Act relating to protecting personal information and responding to a data breach. These may include other data protection obligations under state-based or international data protection laws.
Other mandatory or voluntary reporting schemes may exist for data breaches affecting specific categories of information. For example, we might consider reporting certain breaches to:
- our bank
- police or law enforcement bodies
- the Australian Securities & Investments Commission (ASIC)
- the Australian Prudential Regulation Authority (APRA)
- the Australian Taxation Office (ATO)
- the Australian Transaction Reports and Analysis Centre (AUSTRAC)
- the Australian Cyber Security Centre (ACSC)
- the Australian Digital Health Agency (ADHA)
- the Department of Health
- State or Territory Privacy and Information Commissioners
- professional associations and regulatory bodies such as the CPA or AHPRA
- our insurer