Giving data to subcontractors – lessons from recent Notifiable Data Breaches

We are all too familiar with the growing number of data breaches in both Australia and abroad. The Office of the Australian Information Commissioner (OAIC) recently issued its Notifiable Data Breaches Report (Report) for June 2023 to December 2023, revealing some concerning findings. The Report is released twice per year and provides insights and findings from eligible data breach notifications received under the Commonwealth Notifiable Data Breach Scheme (Scheme).

Under the Scheme, any agency or organisation subject to the Privacy Act 1988 (Cth) that experiences an eligible data breach must notify affected individuals and the OAIC.

Report Findings

Some key findings from the Report:

  1. Number of breaches - 483 data breaches were reported to the OAIC, a 19% increase on the first half of 2023. In addition, the OAIC received 121 secondary notifications, that is, notifications of the same data breach by multiple parties. This is a significant increase from the 29 secondary notifications received from January 2023 to June 2023.

  2. Impacted sectors – The top five impacted sectors were health service providers, finance, insurance, retail, and the Australian Government. Notably, health service providers were the leading reporters of data breaches, accounting for 22% of all breaches, a figure nearly twice that of the financial sector.

  3. Sources of data breaches – The three primary sources of reported data breaches were malicious or criminal attacks (67%), human error (30%) and system faults (3%).

  4. Leading cause - Compromised or stolen account credentials caused 25% of all data breaches in the reporting period. To reduce this risk, the OAIC has encouraged businesses to increase awareness of access security, ICT security, identity management and authentication.

The OAIC Commissioner has called on businesses to proactively address privacy risks in contractual agreements with third party providers, to have clear processes and policies in place for handling personal information, and to implement a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory obligations.

The OAIC has also urged businesses to establish robust processes to ensure an efficient response to data breaches and compliance with the Scheme's requirements.

Key Takeaways

In light of the Report, the OAIC has flagged some of the risks associated with outsourcing the handling of personal information. This includes sharing customer or client personal information with third party providers, such as cloud or other software providers.

If you outsource the storage, management or handling of personal information to third party providers, we recommend reviewing your arrangements to ensure there are appropriate contractual protections relating to privacy, management of personal information and data security, together with baseline security and operational controls to mitigate the impact of a compromised system. If you need any guidance on regulatory compliance or advice regarding arrangements with third party providers, please get in touch with:

Paul Gray
Principal

T: 03 5225 5231 | M: 0414 195 886
E: pgray@ha.legal

Hugo Le Clerc
Associate
T: 03 5225 5213
E: hleclerc@ha.legal

Ben Smith
Lawyer
T: 03 5225 5262
E: bsmith@ha.legal