A data breach is a breach of the legislation regarding the security and confidentiality of personal or business information. Any failure by an agency or organisation in this regard has the potential to cause a high level of public concern. Data breaches can also erode public trust in government use of data that has wider ramifications than the particular project where the breach has occurred.
The Privacy Act 1988 and the associated Australian Privacy Principles reflect the concept that security is a basic component of information privacy. In addition to the Privacy Act 1988 individual agencies may be subject to specific legislative requirements. Government agencies are also subject to other general requirements, for example, the Australian Government’s Protective Security Framework and the Information Security Manual. There may also be common law duties relating to confidentiality of particular information.
Therefore, a data breach may be a breach of one, or several, pieces of legislation. These additional legislative obligations need to be considered by agencies when acting to prevent or respond to data breaches.
How can data breaches occur?
Data breaches can occur in many ways including:
- lost or stolen laptops, tablet computers, mobile phones;
- removable storage devices or paper records containing personal information;
- digital storage media being disposed of or returned to equipment suppliers without proper erasure of contents;
- hacking of databases containing personal information or other forms of illegal access by outside individuals;
- employees accessing and disclosing personal information outside the conditions of their employment;
- records removed from insecure paper recycling bins;
- organisations providing personal information to the wrong person;
- individuals deceiving an agency into the improper release of personal information.
OAIC advice
The OAIC has produced “Data breach notification: A guide to handling personal information security breaches” as a way of providing general guidance for agencies and organisations that handle personal information and are covered by the Privacy Act 1988 (Cth).
Whilst the Privacy Act 1988 (Cth) and The Office of the Australian Information Commissioner (OAIC) guidelines focus on personal information it is important to recognise that security of business information is as important as personal information security.
The OAIC recommends that four key steps be followed by organisations in responding to data breaches, which should be applied in the event of a data breach involving Commonwealth data integration projects:
- contain the breach and do a preliminary assessment. This includes recovering lost records, shutting down the breached system or revoking access privileges. The organisation should then appoint someone to assess the situation.
- evaluate the risks associated with the breach. Organisations should look at the type of information contained in the data breach, and the nature of the breach, to determine what harm it may cause.
- notify those affected by a data breach. The OAIC recommend that this be direct notification by phone, letter, email or in person (unless the costs of direct notification are prohibitive).
- prevent future breaches. Agencies and organisation need to investigate the cause of the data breach and consider if a review of the existing prevention plan is required.
N.B. Administrative processes and possible organisational sanctions which may be applied in the case of data breaches involving Commonwealth data integration projects will be linked to this page following approval by the Secretaries Board.
Other topics in this section relating to the Commonwealth arrangements for statistical data integration are:
- Scope of the Commonwealth arrangements
- Risk framework
- Legal and policy considerations
- Accreditation
- The separation principle
- Data security
- Data management
- Data breaches