The Notifiable Data Breach scheme, which requires organisations, including schools, to report eligible data breaches to the Office of the Australian Information Commissioner, begins on 22 February 2018.
An eligible data breach will occur if:
If a school has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the Commissioner and the affected individuals of the breach.
A data breach may occur, for instance:
Each of these scenarios may give rise to an obligation on the school to comply with the requirements of the Notifiable Data Breach scheme.
In deciding whether a reasonable person would conclude that a data breach would be likely to result in serious harm to an individual, the following factors may be relevant:
Identifying the kind of information that may be the subject of a breach will be particularly critical in determining what steps a school should take in response.
In the event that a school is involved in a data breach, and the school takes action in relation to the breach before it results in serious harm to any of the individuals to whom the information relates (and a reasonable person would conclude that the breach would not be likely to result in serious harm to any of the individuals), then there will be no obligation to inform the Commissioner. This might be the case, for example, where data is emailed by mistake to a trusted business partner (like your lawyer!) and the school contacts them and obtains the prompt deletion of the data.
If a school has reasonable grounds to suspect that a data breach may have occurred, it is required to carry out a reasonable and expeditious assessment to ascertain whether a breach did in fact occur.
The school must take reasonable steps to ensure that this assessment is completed within 30 days of becoming aware of the suspected breach.
If a school is aware that there are reasonable grounds to believe that there has been an eligible data breach, it is required as soon as practicable to provide a statement to the Commissioner that sets out the following:
Schools have an obligation under the Privacy Act to take reasonable steps to protect the personal information held by them from misuse, interference and loss, and from unauthorised access, modification or disclosure. Such information may relate to the school’s students, potential students on its waiting list, student siblings, parents and guardians, and staff.
The Commissioner suggests that one of the reasonable steps that organisations may take includes the preparation and implementation of a data breach response plan.
We strongly suggest that schools consider updating their Privacy Compliance Manual or creating a separate Data Breach Response Plan or procedure because:
Your school will be in a much better position to respond well if you have a Data Breach Response Plan in place rather than just responding “ad hoc”.
We are experienced in preparing Data Breach Response Plans for our clients.
The Commissioner has a number of powers under the Act to ensure that all organisations comply with their obligations under the Notifiable Data Breach scheme, including making a determination against an organisation and bringing proceedings to enforce the determination, and applying to a court for a civil penalty in respect of a breach. These powers could be exercised in respect of an organisation’s failure to undertake the following in accordance with the Notifiable Data Breach scheme:
The Commissioner has published draft resources to help organisations to understand their obligations under the scheme.
Gadens is able to advise schools on their obligations under the Notifiable Data Breach scheme and to assist them to document a response plan.