Data breaches by schools – complying with the Mandatory Data Breach scheme

31 October 2017
David Smith, Partner, Melbourne
Steven Troeth, Partner, Melbourne

The Notifiable Data Breach scheme which requires organisations, including schools, to mandatorily report eligible data breaches to the Office of the Australian Information Commissioner begins on 22 February 2018.

An eligible data breach will occur if:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the school; and
  • a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.

If a school has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the Commissioner and the affected individuals of the breach.

A data breach may occur, for instance:

  • through hacking of the school’s system or through malicious software
  • through a disgruntled staff member taking data with them when they leave the school
  • by innocent error, such as sending personal information by email to the wrong email address
  • through the loss or theft of a portable device containing personal information.

Each of these scenarios may give rise to an obligation on the school to comply with the requirements of the Notifiable Data Breach scheme.

In deciding whether a reasonable person would conclude that a data breach would be likely to result in serious harm to an individual, the following factors may be relevant:

  • the kind of information
  • the sensitivity of the information
  • the extent to which the information is protected by security measures, e.g. encryption
  • the kind of persons who have obtained, or could obtain, the information
  • the nature of the harm an individual could suffer (consider whether an individual might suffer physical, psychological, emotional or financial harm, or harm to reputation).

Identifying the kind of information that may be the subject of a breach will be particularly critical in determining what steps a school should take in response.

Remedial action

In the event that a school is involved in a data breach, and the school takes action in relation to the breach before it results in serious harm to any of the individuals to whom the information relates (and a reasonable person would conclude that the breach would not be likely to result in serious harm to any of the individuals), then there will be no obligation to inform the Commissioner. This might be the case, for example, where data is emailed by mistake to a trusted business partner (like your lawyer!) and the school contacts them and obtains the prompt deletion of the data.

Assessing a suspected breach

If a school has reasonable grounds to suspect that a data breach may have occurred, it is required to carry out a reasonable and expeditious assessment to ascertain whether a breach did in fact occur.
The school must take reasonable steps to ensure that this assessment is completed within 30 days of becoming aware of the suspected breach.

Notifying the Commissioner

If a school is aware that there are reasonable grounds to believe that there has been an eligible data breach, it is required as soon as practicable to provide a statement to the Commissioner that sets out the following:

  • the school’s contact details
  • a description of the data breach reasonably believed to have happened
  • the kind of information concerned
  • recommendations about the steps that individuals should take in response to the breach (for example, if a file containing parents’ credit card details is hacked into, the school might recommend that the parents cancel their credit cards).

Data breach response plan

Schools have an obligation under the Privacy Act to take reasonable steps to protect the personal information held by them from misuse, interference and loss, and from unauthorised access, modification or disclosure. Such information may relate to the school’s students, potential students on its waiting list, student siblings, parents and guardians, and staff.
The Commissioner suggests that one of the reasonable steps an organisation may take is the preparation and implementation of a data breach response plan.

We strongly suggest that schools consider updating their Privacy Compliance Manual or create a separate Data Breach Response Plan or procedure because:

  • the failure to respond appropriately to an eligible data breach may expose the school to civil penalties of up to $2.1M for breaching the Act
  • the failure to act quickly and to limit potential harm to affected individuals may expose the school to a claim for compensation from those individuals
  • a school’s reputation may be seriously harmed if a breach is not dealt with expeditiously and in accordance with the school’s lawful obligations under the Act
  • a breach of the scheme is less likely to occur if the school community, and particularly those responsible for information privacy at the school, follow a clearly documented process.

Your school will be in a much better position to respond well if it has a Data Breach Response Plan in place rather than responding “ad hoc”.

We are experienced in preparing Data Breach Response Plans for our clients.

The Commissioner has a number of powers under the Act to ensure that all organisations comply with their obligations under the Notifiable Data Breach scheme, including making a determination against an organisation and bringing proceedings to enforce the determination, and applying to a court for a civil penalty in respect of a breach. These powers could be exercised in respect of an organisation’s failure to undertake the following in accordance with the Notifiable Data Breach scheme:

  • to conduct a reasonable and expeditious assessment of a suspected eligible data breach
  • to prepare and provide to the Commissioner a statement about a data breach
  • as soon as practicable to notify the contents of the statement to individuals at risk of serious harm
  • to comply with a direction from the Commissioner.

The Commissioner has published draft resources to help organisations to understand their obligations under the scheme.

Gadens is able to advise schools on their obligations under the Notifiable Data Breach scheme and to assist them to document a response plan.

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.