The Notifiable Data Breaches (NDB) scheme was established to improve consumer protection and promote better security standards to safeguard personal information in Australia. The NDB scheme applies to all agencies and organisations who are protected by the Privacy Act 1988 (Cth) (Act) and required to take personal steps to secure personal information.
The Australian Information Commissioner (OAIC) publishes reports on notifications received under the NDB scheme to track the leading causes and sources of data breaches, and to draw attention to potential issues and areas that entities regulated under the Act need to have ongoing awareness of. This article summarises the findings of the NDB Report for the period from 1 January to 30 June 2020.
Key findings of the report
- The OAIC was notified of 518 breaches by eligible entities. This figure is down 3% from 532 in the previous six months, but up 16% on the 447 notifications received between January and June 2019;
- Although malicious or criminal attacks remain the leading cause of data breaches, there was a 7% reduction in attacks over the past 6 months. Malicious or criminal attacks now constitute 61% of all notifications;
- Data breaches resulting from human error have increased by 7% compared to the previous 6 months. These now account for 34% of all breaches;
- The health sector is the highest reporting sector, notifying 22% of all breaches;
- Finance is the second highest reporting sector, notifying 14% of all breaches; and
- 64% of data breaches affected less than 100 individuals, 46% of notifications involved breaches affecting between 1 and 10 individuals.
Types of personal information involved in data breaches
Contact information was involved in 84% of the data breaches notified under the NDB scheme, making it the most common type of personal information involved in a data breaches during this period. Contact information includes home address, phone number or email address. Importantly, this must be distinguished from ‘identity information’, which refers to information which may be used to establish a person’s identity, such as passport number, driver license number or other government identifiers. Identity information was involved in over a third of data breaches during this period.
Other types of personal information included:
- tax file numbers (17%);
- financial details such as bank account or credit card numbers (37%); and
- health information (26%).
Industry sectors involved in data breaches
From January to June 2020, health service providers reported 115 data breaches, which equated to 22% of the total reported breaches for that period. The second largest source of NDBs was the financial sector at 15%, followed by education (8%), insurance (7%) and legal, accounting and management services (5%).
Does the OAIC publish the details of reported data breaches?
The OAIC does not publish the details of individual reported data breaches. Instead, it regularly publishes NBD statistics reports to give an overview of how the scheme operates.
The OAIC’s role in the NDB scheme is to:
- receive notifications of eligible data breaches;
- encourage compliance with the NDB scheme, including by handling complaints, conducting investigations and taking other regulatory action;
- offer advice and guidance to regulated organisations; and
- provide information to the community about the operation of the NDB scheme.
Takeaways
The NDB Report provides insight into the trends associated with data breaches, and encourages regulated entities to take a proactive approach to reduce harm arising from these breaches by actively engaging with the OAIC.
Links and further references
Legislation
Other links
The Notifiable Data Breaches Report: January – June 2020
Further information about data breach obligations
If you need a lawyer to advise on compliance with the data breach obligations under the Privacy Act, please contact us for an obligation free and confidential discussion.
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
Related insights about data breach obligations
-
Federal parliament enacts cyber security legislation
On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024. The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.
-
Uber found in breach of Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-
Overview of the Ransomware Payments Bill 2021 (Cth)
Australian government proposed the Ransomware Payments Bill 2021 (Cth) (Bill) to enforce mandatory reporting of ransomware payments. Penalties of up to $110,000 for non-compliance.
-
Data breach compliance and response plans
Dundas Lawyers create tailored data breach response plans to ensure compliance with the Privacy Act 1988 (Cth). Plans include actions, registers, records, tests and tasks. Get an obligation-free and confidential discussion to learn more.
-
OAIC Notifiable Data Breaches report – July 2020
The OAIC’s Notifiable Data Breaches Report reveals 518 data breaches reported by eligible entities in the first half of 2020. Learn more about the types of personal information involved, the highest reporting sector, and the key takeaways from the report to protect your data.
-
Data breaches: what is serious harm?
This article looks at the notifiable data breaches scheme, and the factors to consider when determining if an eligible data breach would likely result in serious harm. It also provides an in-depth look at the Office of the Australian Information Commissioner observations in its ‘Notifiable Data Breaches Statistics Report’.
-
De-encryption laws: compelling tech giants to cooperate with law enforcement
The Australian Government is introducing encryption-related legislation that could have significant implications. Get the full scoop on what this Bill could mean for companies and citizens before it is officially announced.
-
Artificial intelligence – introductory thoughts on the legal issues
Technology lawyers are grappling with the complex legal issues associated with Artificial Intelligence (AI), such as liability, competition, consumer issues, intellectual property, data ownership, security, and privacy. This article explores these topics and examines the approach taken in the European Union.
-
What is a data breach response plan and how do you obtain one?
Organizations must now comply with the Notifiable Data Breaches Scheme. Learn how to create a Data Breach Response Plan and why it is so important for compliance.
