In February 2018 changes to the Privacy Act 1988 took effect that require entities covered by the Act to notify the Office of the Australian Information Commissioner (OAIC) when an eligible data breach has occurred. The scheme also requires entities to notify the individuals whose personal information is involved in a data breach that is likely to result in serious harm.
The OAIC has released its latest statistics, covering the April to June 2018 quarter:
- 242 data breach notifications were made in the quarter
- 36% were the result of human error and 59% of malicious or criminal attack. Theft of paperwork or storage devices was the primary source of malicious attacks. Human error remains a concern in its own right, and many malicious attacks still rely on a human lapse, such as clicking on a phishing email or disclosing a password, to get past data security systems.
- Most breaches involved the personal information of 100 people or fewer (61%)
- An individual's health information was involved in 25% of breaches
Health Sector: highest number of breaches in the quarter
The health sector reported the highest number of breaches this quarter, 49 in total. Of the breaches reported across the health sector, 59% were due to human error, including mistakes such as:
- lost paperwork or insecure disposal of personal information
- sending information to the wrong person
- not using the blind carbon copy (BCC) function when emailing a group; and
- the unauthorised disclosure of information.
Regarding malicious attacks, the health sector was most affected by theft of paperwork or storage devices.
Four Lessons We Can Take From These Findings:
- Staff education remains paramount. Do not click on links or attachments in emails you do not recognise as coming from a legitimate source, or that you think might be suspect. If you need to check, call the sender rather than replying by email.
- Do not disclose passwords to ANYONE, including people inside the organisation who do not need access. Change passwords that protect highly sensitive information regularly, and immediately if you suspect one has been disclosed.
- Carrying personal information on portable storage devices such as USB sticks is always risky and is strongly advised against. Where it cannot be avoided, the device should be encrypted so that a lost or stolen stick does not become a breach of the data on it.
- Failure to use BCC when sending group emails accounted for a high number of the data breaches reported this quarter. The purpose of the BCC function, and when to use it, should be clearly communicated to staff. It only takes a split second to send an email to the wrong people, and once it is sent you cannot get it back. Always avoid sending group emails that contain sensitive information. Using a newsletter or mailing-list platform is advised for newsletters and similar communications, as these do not disclose recipients' email addresses to each other. Ensure all emails you send have a disclaimer attached.
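The BCC point above is easy to get wrong in software as well as by hand, so here is an added example (not code from the original post) showing the difference between recipients that are visible in the message headers and recipients that are only given to the mail server as envelope addresses. The recipient addresses are constructed for the demo, and the `sendmail` callable stands in for `smtplib.SMTP.sendmail`, which is assumed to be how the message would eventually be transmitted; no mail is sent.

```python
"""Group email that does not disclose recipients to each other.

Added example, not part of the original post. Standard library only; no
mail is actually sent. Recipient addresses below are constructed.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP

# Constructed sample recipient list (assumption: a practice's patient mailing list).
SAMPLE_RECIPIENTS = [
    "patient.one@example.com",
    "patient.two@example.net",
    "patient.three@example.org",
]


def build_visible_group_message(sender, recipients, subject, body):
    """The mistake: every recipient goes in the To: header, so each
    recipient sees everyone else's address once the message is delivered."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def build_undisclosed_group_message(sender, recipients, subject, body):
    """The fix: address the message to yourself and keep the recipient list
    out of the headers entirely. The recipients are returned separately as
    envelope addresses (what an SMTP client passes in RCPT TO), which is
    exactly what the BCC function does for you in a mail client. We do not
    set a Bcc header at all: smtplib.SMTP.sendmail() transmits the message
    bytes verbatim, Bcc header included, if you build the message yourself
    (only smtplib.SMTP.send_message() strips it)."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def leaked_addresses(message_bytes, recipients):
    """Pre-send check: parse the message as a receiving server would and
    report every recipient address that is visible in its headers."""
    parsed = message_from_bytes(message_bytes, policy=SMTP)
    header_text = "\n".join(f"{name}: {value}" for name, value in parsed.items()).lower()
    return sorted(addr for addr in recipients if addr.lower() in header_text)


def send_group_message(sendmail, sender, recipients, subject, body,
                       builder=build_undisclosed_group_message):
    """Build the message, refuse to send if any recipient is exposed in the
    headers, then hand it to `sendmail`, a callable with the signature of
    smtplib.SMTP.sendmail(from_addr, to_addrs, msg). Returns the envelope
    recipient list that was used."""
    message_bytes, envelope = builder(sender, recipients, subject, body)
    leaked = leaked_addresses(message_bytes, recipients)
    if leaked:
        raise ValueError(f"refusing to send: recipient addresses exposed in headers: {leaked}")
    sendmail(sender, envelope, message_bytes)
    return envelope


if __name__ == "__main__":
    sender = "reception@example.com"  # constructed sender address
    visible, _ = build_visible_group_message(sender, SAMPLE_RECIPIENTS, "Newsletter", "Hello all")
    hidden, _ = build_undisclosed_group_message(sender, SAMPLE_RECIPIENTS, "Newsletter", "Hello all")
    print("exposed in To: version:", leaked_addresses(visible, SAMPLE_RECIPIENTS))
    print("exposed in undisclosed version:", leaked_addresses(hidden, SAMPLE_RECIPIENTS))
    # A real send would pass smtplib.SMTP("mail.example.com").sendmail here.
    sent_to = send_group_message(lambda f, r, m: None, sender, SAMPLE_RECIPIENTS, "Newsletter", "Hello all")
    print("envelope recipients:", sent_to)
```

The check in `leaked_addresses` is the one worth keeping in any script that bulk-mails patients or clients: it looks at the message as it will actually be transmitted, so a stray `Bcc:` header written into the message by hand would be caught as well as a `To:` list.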
Many data breach incidents could be avoided completely, or at least have their impact minimised. Learning from where data breaches are occurring elsewhere can help you fill the gaps in your own practice.
You can access the full OAIC report here.
To read more on the Privacy Act changes, see the government's official website.
What should I do now?
Privacy and data protection are topics that cannot be ignored as the Government continues to ramp up its focus on them.
For a FREE strategy session to discuss your current privacy and data security procedures – you can schedule a consultation with me online by following this link.