Giving data to subcontractors – lessons from recent Notifiable Data Breaches
We are all too familiar with the growing number of data breaches in both Australia and abroad. The Office of the Australian Information Commissioner (OAIC) recently issued its Notifiable Data Breaches Report (Report) for June 2023 to December 2023, revealing some concerning findings. The Report is released twice per year and provides insights and findings from eligible data breach notifications received under the Commonwealth Notifiable Data Breach Scheme (Scheme).
Under the Scheme, any agency or organisation subject to the Privacy Act 1988 (Cth) that experiences an eligible data breach must notify affected individuals and the OAIC.
Report Findings
Some key findings from the Report:
Number of breaches - 483 data breaches were notified to the OAIC, a 19% increase on the first half of 2023. In addition, the OAIC received 121 secondary notifications, that is, notifications of the same data breach by more than one entity (typically where a breach at a third party provider affects several of its clients). This is a significant increase from the 29 secondary notifications received between January 2023 and June 2023.
Impacted sectors – The top five impacted sectors were health service providers, finance, insurance, retail and the Australian Government. Health service providers were the largest reporters of data breaches, accounting for 22% of all breaches, roughly twice the share of the financial sector.
Sources of data breaches – The three primary sources of reported data breaches were malicious or criminal attacks (67%), human error (30%) and system faults (3%).
Leading cause - Compromised or stolen account credentials caused 25% of all data breaches in the reporting period. To reduce this risk, the OAIC has encouraged businesses to strengthen access security, ICT security, and identity management and authentication (for example, multi-factor authentication on accounts that can reach personal information).
The Australian Information Commissioner has called on businesses to proactively address privacy risks in contractual agreements with third party providers, to have clear processes and policies in place for handling personal information, and to implement a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory obligations.
The OAIC has also urged businesses to establish robust processes to ensure an efficient response to data breaches and compliance with the Scheme's requirements.
Key Takeaways
In light of the Report, the OAIC has flagged the risks associated with outsourcing personal information handling. This includes sharing customer or client personal information with third party providers, such as cloud or other software providers.
If you outsource the storage, management or handling of personal information to third party providers, we recommend reviewing your arrangements to ensure there are appropriate contractual protections covering privacy, the management of personal information and data security, including baseline security and operational controls that limit the impact of a compromised system. The arrangements should also make clear which party will investigate a suspected breach and which party will notify the OAIC and affected individuals, so that notification is not delayed or duplicated while each party assumes the other is responsible. If you need any guidance with regulatory compliance or advice regarding arrangements with third party providers, please get in touch with:
Paul Gray
Principal
T: 03 5225 5231 | M: 0414 195 886
E: pgray@ha.legal
Hugo Le Clerc
Associate
T: 03 5225 5213
E: hleclerc@ha.legal
Ben Smith
Lawyer
T: 03 5225 5262
E: bsmith@ha.legal