A data breach occurs when personal information held by an organisation is lost or accessed without authorisation. This can happen due to malicious actions (by external or internal parties), human error, or failures in information handling or security systems.
Types of Data Breaches
Unauthorised Access
This happens when someone accesses personal information without permission. This could be an employee looking at customer records without a legitimate reason or an external attacker compromising a computer network.
Unauthorised Disclosure
This occurs when personal information is made accessible or visible to others outside the entity, losing effective control of that information. This can happen due to human error, such as sending an email to the wrong person, or through inadequate identity verification procedures leading to information being disclosed to scammers.
Loss
This refers to the accidental loss of personal information, such as when an employee leaves documents, a laptop, or a storage device on public transport.
Harms Caused by Data Breaches
Data breaches can lead to various harms, including:
- Identity theft causing financial loss or emotional distress
- Financial fraud, such as unauthorised credit card transactions
- Threats to physical safety, including family violence
- Loss of business or employment opportunities
- Humiliation and damage to reputation or relationships
- Harassment or bullying
The Notifiable Data Breaches (NDB) Scheme
Certain data breaches must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC). An ‘eligible data breach’ occurs when:
- There is unauthorised access to or disclosure of personal information, or information is lost in circumstances where unauthorised access or disclosure is likely.
- This is likely to result in serious harm to any individuals involved.
- The entity cannot prevent the likely risk of serious harm through remedial action.
If a data breach is suspected, your organisation must assess whether it meets the criteria for an ‘eligible data breach’ and notify the necessary parties if it does. This allows individuals to take steps to mitigate harm, such as changing passwords and being alert to identity fraud.
Responding to a Data Breach
Not all data breaches are ‘eligible’ under the NDB scheme, but your agency should have a response plan in place. This plan should include:
- Containment: Prevent further compromise of personal information.
- Assessment: Gather facts, evaluate risks, and take remedial action.
- Notification: Inform affected individuals and the OAIC if required.
- Review: Analyse the incident and implement measures to prevent future breaches.
By understanding and preparing for data breaches, community organisations can protect personal information and maintain trust with the individuals they serve.