The Office of the Australian Information Commissioner (OAIC) has published the first quarterly report on data breach notifications received under the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.  

The OAIC received 63 data breach notifications under the scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis.

The NDB scheme requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. These data breaches are referred to as ‘eligible data breaches’. Entities must also notify the OAIC about eligible data breaches.

The NDB scheme formalised the community’s expectation for transparency when a serious data breach occurs. According to the 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when personal information is lost by a business.

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said ‘a data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.

‘Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks.

‘Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.

‘This highlights the importance of implementing robust privacy governance alongside a high-standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.’

Key statistics from the first quarterly report include:

• Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
• 78 per cent of eligible data breaches were reported to involve individual’s contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
• 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
• 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of less than 1,000 individuals.

Read the full report.