
OAIC Notifiable Data Breaches report – July 2020

Reviewed by Malcolm Burrows

The Notifiable Data Breaches (NDB) scheme was established to improve consumer protection and promote better security standards to safeguard personal information in Australia. The NDB scheme applies to all agencies and organisations that are covered by the Privacy Act 1988 (Cth) (Act) and are required to take reasonable steps to secure personal information.

The Office of the Australian Information Commissioner (OAIC) publishes reports on notifications received under the NDB scheme to track the leading causes and sources of data breaches, and to draw attention to potential issues and areas of which entities regulated under the Act need to maintain ongoing awareness. This article summarises the findings of the NDB Report for the period from 1 January to 30 June 2020.

Key findings of the report

  • The OAIC was notified of 518 breaches by eligible entities. This figure is down 3% from 532 in the previous six months, but up 16% on the 447 notifications received between January and June 2019;
  • Although malicious or criminal attacks remain the leading cause of data breaches, there was a 7% reduction in attacks over the past 6 months. Malicious or criminal attacks now constitute 61% of all notifications;
  • Data breaches resulting from human error have increased by 7% compared to the previous 6 months. These now account for 34% of all breaches;
  • The health sector is the highest reporting sector, notifying 22% of all breaches;
  • Finance is the second highest reporting sector, notifying 14% of all breaches; and
  • 64% of data breaches affected fewer than 100 individuals, and 46% of notifications involved breaches affecting between 1 and 10 individuals.

Types of personal information involved in data breaches

Contact information was involved in 84% of the data breaches notified under the NDB scheme, making it the most common type of personal information involved in a data breach during this period. Contact information includes a home address, phone number or email address. Importantly, this must be distinguished from ‘identity information’, which refers to information that may be used to establish a person’s identity, such as a passport number, driver’s licence number or other government identifier. Identity information was involved in over a third of data breaches during this period.

Other types of personal information included:

  • tax file numbers (17%);
  • financial details such as bank account or credit card numbers (37%); and
  • health information (26%).

Industry sectors involved in data breaches

From January to June 2020, health service providers reported 115 data breaches, which equated to 22% of the total reported breaches for that period. The second largest source of NDBs was the financial sector at 15%, followed by education (8%), insurance (7%) and legal, accounting and management services (5%).

Does the OAIC publish the details of reported data breaches?

The OAIC does not publish the details of individual reported data breaches. Instead, it regularly publishes NDB statistics reports to give an overview of how the scheme operates.

The OAIC’s role in the NDB scheme is to:

  • receive notifications of eligible data breaches;
  • encourage compliance with the NDB scheme, including by handling complaints, conducting investigations and taking other regulatory action;
  • offer advice and guidance to regulated organisations; and
  • provide information to the community about the operation of the NDB scheme.

Takeaways

The NDB Report provides insight into the trends associated with data breaches, and encourages regulated entities to take a proactive approach to reduce harm arising from these breaches by actively engaging with the OAIC.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Other links

The Notifiable Data Breaches Report: January – June 2020

Further information about data breach obligations

If you need a lawyer to advise on compliance with the data breach obligations under the Privacy Act, please contact us for an obligation free and confidential discussion.
