The Office of the Australian Information Commissioner has published its Notifiable Data Breaches (NDB) Report for the period January to June 2023. The OAIC says it is prioritising regulatory action in instances of serious or repeated non-compliance with the requirements of the NDB scheme.
Timely breach reporting
The Commissioner emphasised that the OAIC expects entities to have processes to ensure a timely response and compliance with the requirements of the scheme should a data breach occur.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 provided the Commissioner with new and increased regulatory powers. This includes the power to require a person or an entity to provide information and documents relevant to a suspected or actual eligible data breach (s 26WU).
The OAIC says it used this power in the following situation:
“where the OAIC became aware of a suspected eligible data breach involving an IT service provider. The entity confirmed it had experienced a ransomware incident that compromised the information of 20 health service provider clients, including their patients’ treatment information.
The entity notified the impacted health service providers of the breach, presuming they would notify affected individuals if required. The entity declined to provide the health service providers’ details to the OAIC, claiming it did not have consent to disclose the information.
Following receipt of the s 26WU(3) notice, the entity provided the information required. This information enabled the Commissioner to ensure the affected individuals were notified and that all entities involved in the data breach complied with the NDB scheme.”
Breach Data
There was a 16% decrease in breach notifications (409 in total).
The top 5 sectors to notify data breaches were:
Health service providers;
Finance (incl. superannuation);
Recruitment agencies;
Legal, accounting & management services; and
Insurance.
Malicious or criminal attacks remained the leading cause (70%) of data breaches.
Human error breaches were the fastest to be identified, with 81% identified in 30 days or fewer. Only 57% of system fault breaches were identified in the same timeframe.
42% of all data breaches resulted from cyber security incidents (172 notifications).
Most data breaches (91%) involved the personal information of 5,000 or fewer individuals worldwide.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.