Managing a Data Breach at your School
No doubt you will be aware that the Notifiable Data Breach requires schools to mandatorily report eligible data breaches to the Office of the Australian Information Commissioner.
Unfortunately, education institutions have become common targets of late for hackers, leading to more instances of data breaches requiring notification.
Accordingly, you should be aware of what you need to do when a data breach occurs or is suspected to have occurred at your school.
What is a data breach?
An eligible data breach will occur if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the school; and
- a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
A data breach may occur when:
- the school’s systems are hacked or attacked by malware;
- personal information is sent to the wrong person;
- a device containing personal information is lost or stolen;
- a former staff member takes data with them when they leave.
If a school has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the Commissioner and the affected individuals of the breach.
What is personal information?
Personal information includes a broad range of information that could identify an individual. There is no set definition of personal information as it will depend on whether the information is sufficient to identify a person.
Personal information may include:
- an individual’s name, signature, address, phone number or date of birth
- sensitive information
- credit information
- employee record information
- location information from a mobile device (because it can reveal user activity patterns and habits)
What is serious harm?
If the disclosure or unauthorised access to personal information would likely result in serious harm, the data breach needs to be reported. When considering what is serious harm, you should look at:
- the kind of information
- the sensitivity of the information
- the extent to which the information is protected by security measures, e.g. encryption
- the kind of persons who have obtained, or could obtain, the information
- the nature of the harm an individual could suffer (consider whether an individual might suffer physical, psychological, emotional or financial harm, or harm to reputation).
What steps should you take if a Data Breach occurs?
If a school is aware that there are reasonable grounds to believe that there has been an eligible data breach, it is required as soon as practicable to provide a statement to the Commissioner that sets out the following:
- the school’s contact details
- a description of the data breach reasonably believed to have happened
- the kind of information concerned
- recommendations about the steps that individuals should take in response to the breach (for example, if a file containing parents’ credit card details is hacked into, the school might recommend that the parents cancel their credit cards).
If a data breach occurs but you action the breach promptly enough to prevent serious harm occurring to any of the individuals to whom the information relates, then there will be no obligation to inform the OAIC. For example, if a member of your staff accidentally sends data to a trusted business partner and then immediately contacts them requesting that the data be immediately deleted, it is unlikely that any serious harm will have been suffered.
Even if you only suspect a breach has occurred, you must promptly carry out a reasonable assessment to determine whether a breach did in fact occur. This must be done within 30 days of the suspected breach occurring.
Schools have an obligation under the Privacy Act to take reasonable steps to protect the personal information they hold from unauthorised access, misuse, interference or loss.
Accordingly, when a breach occurs or is suspected, there is an obligation on the school to:
a. conduct a reasonable and expeditious assessment of a suspected eligible data breach;
b. notify the affected individuals as soon as possible, including providing details of the information that was lost/misused/accessed and the potential harm that may result;
c. prepare and provide to the Commissioner a statement about a data breach;
d. comply with any directions given by the OAIC in responding to the breach.
The preparation, implementation and maintenance of a data breach response plan will better place your school to respond appropriately to a data breach.
Where a school fails to respond appropriately to an eligible data breach, the school may be liable for civil penalties up to $2.1m for breaching its obligations. Failures of schools to limit the potential harm suffered by an effected person may also give rise to a claim against the school for compensation.
Aside from the clear financial consequences, your school may also suffer irreparable reputational damage if a data breach occurs and is not dealt with appropriately, causing a loss of trust within your community.
How can Brennan Law Partners assist
If you suspect that a data breach has occurred and require assistance to respond, contact us immediately.
We can also help you prepare a Data Breach Response Plan ensure that you are positioned to respond appropriately should an unfortunate breach occur.