11 Nov 2021 This week in tax
In this week’s TaxVine, the first preamble in a two-part series, The Tax Institute’s Risk Officer, Michelle Greenfield, considers the Notifiable Data Breaches scheme and some recent findings. Given the increased activity by scammers, media reporting of victims and government focus on safeguarding data, it is timely to remind our members of their obligations to report certain data breaches.
Notifying data breaches … need to know
The Notifiable Data Breaches scheme
Data breach… if this term rings alarm bells for you, it should. In today’s data-driven world, data breaches are increasingly, and alarmingly, common. Personal information is most often held in soft copy (as opposed to hard copy) and is not always held by the organisation that collected the information. This increases the risk of serious data breaches. Globally, various governments have responded to this risk by taking legislative action to regulate the handling of personal information.
In Australia, the Privacy Act 1988 (Privacy Act) regulates the handling of personal information about individuals. It sets out the Australian Privacy Principles (APPs), which are principles-based law that govern standards, rights and obligations around:
- the collection, use and disclosure of personal information;
- an organisation or agency’s governance and accountability;
- the integrity and correction of personal information; and
- the rights of individuals to access their personal information.
The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers and health and medical research.
The Privacy Act includes the Notifiable Data Breaches (NDB) scheme which took effect on 22 February 2018. This is a mandatory notification scheme. The NDB scheme was established to improve consumer protection and drive better security standards for protecting personal information. Under the scheme, any organisation or government agency covered by the Privacy Act must notify individuals affected and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
The APPs apply to most Australian government (and Norfolk Island Government) agencies and some private sector organisations — collectively referred to as ‘APP entities’. Private sector organisations with an annual turnover exceeding $3 million must comply with the APPs, as must all health service providers and credit reporting bodies. An organisation includes individuals, bodies corporate, partnerships, trusts and other unincorporated associations, co-operatives, and companies limited by guarantee. However, if you are a Tax File Number recipient, the Privacy Act and the NDB scheme apply to you regardless of whether your operating revenue is more than $3 million. The scheme also applies to small businesses that meet certain criteria, for example, those who trade in personal information (further information is available here).
An APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Key findings from the Notifiable Data Breaches Report: January – June 2021
The Privacy Act is administered by the OAIC. The OAIC periodically produces a data breach report that provides statistical insights into the data breaches that have been reported to the OAIC in a given period.
The most recent report, Notifiable Data Breaches Report: January – June 2021, issued in August 2021, shows the top five industry sectors to notify data breaches. The health sector remains the highest reporting industry sector, and together with the Finance sector, has consistently reported the most data breaches compared to other industry sectors since the NDB scheme began. The report also shows that Finance (including Superannuation) ranked second, and Legal, Accounting and Management Services ranked third (based on 446 notifications).
Sources of data breaches
A breakdown of the sources of data breaches shows that malicious or criminal attacks remain the leading source of data breaches, accounting for 65% of the breaches. The OAIC has also found that Finance and Legal, Accounting and Management Services are experiencing a much higher rate of breaches resulting from this threat. While the majority of breaches in this category involved cyber incidents — such as phishing, malware, ransomware and compromised or stolen credentials — this category also includes social engineering or impersonation, rogue employees or insider threats, and theft of paperwork or data storage devices.
It is important to note that human error made up 30% of the breaches. In assessing your risks of a data breach, it is important to design your control measures by factoring in the risk of human error. Notifiable data breaches show that compromised or stolen credentials through phishing continue to be an area of vulnerability in most organisations. There is also the risk of inadvertent disclosure of personal information. Education and awareness training for staff within the organisation is critical to managing this risk.
The OAIC has seen fit to highlight ransomware and impersonation fraud as concerns due to the significant increase in such incidents in the last reporting period. Ransomware is a form of malware designed to encrypt files on a device, rendering those files, and any systems that rely on them, unusable. Malicious actors then demand a ransom in exchange for decryption.
Contact information, identity information and financial details are the most common types of personal information involved in data breaches.
Implications for our members
A data breach is an unauthorised access or disclosure of personal information, or loss of personal information. An eligible data breach, under the NDB scheme, occurs when the data breach is likely to result in serious harm to any of the individuals to whom the information relates and the entity has been unable to prevent the likely risk of serious harm with remedial action.
‘Personal information’ is information or an opinion about an identified person (or a person who is ‘reasonably identifiable’). Personal information includes a person’s name, address, contact details, date of birth, gender and race. Sensitive information and health information are subcategories of personal information that are subject to stricter legal requirements for collection, storage, use and disclosure.
In the event of a data breach or suspected breach, the APP entity must have in place a response plan that should reflect the following approach:
- Contain the data breach to prevent any further compromise of personal information
- Assess the data breach by gathering the facts and evaluating risks, including potential harm to affected individuals and where possible, taking action to remediate any risk of harm
- Notify individuals and the OAIC if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
- Review the incident and consider what actions can be taken to prevent future breaches.
Once you suspect that a data breach may be an eligible data breach under the NDB scheme, you have 30 days within which you must complete an assessment of whether the breach qualifies as an eligible data breach.
The Australian Privacy Commissioner can impose a penalty for privacy breaches. The maximum penalty amount for a body corporate is the greater of:
- $10 million;
- three times the value of any benefit the relevant court has determined that the body corporate obtained directly or indirectly that is reasonably attributable to the contravention; or
- if the court cannot determine the value of that benefit — 10% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the contravention happened or began.
For a person other than a body corporate, the maximum penalty amount is $500,000.
Privacy by design to prevent data breaches
Privacy should be incorporated into your business planning, staff training, priorities, project objectives and design processes. You should design your personal information security measures with the aim of:
- preventing the misuse, interference, loss or unauthorised accessing, modification or disclosure of personal information;
- detecting privacy breaches;
- being ready to respond to potential privacy breaches in a timely and appropriate manner; and
- integrating privacy into your risk management strategies — this is an important element of ‘privacy by design’.
Regardless of whether your organisation is an APP entity, the Australian Privacy Principles set best practice for privacy. Handling personal information in a lawful, transparent and respectful way is an important part of building the trust of the people your organisation works with, as well as avoiding any legal consequences of a data breach, including substantial financial penalties.
Further information is available from:
- the OAIC website;
- the ATO website; and
- the TPB website on how to protect your practice from cyber-attacks.
Next week, Part 2 of this series will further consider the impact of the NDB scheme on our members, including perspectives from the Tax Practitioners Board and the ATO.
Our Tax Policy Assistant, Zoe Beesley, has posted in Community about this preamble. Join the conversation and share your thoughts and ideas on the Notifiable Data Breaches scheme.
As always, we welcome your views and thoughts, which you can provide here.
Risk Officer, The Tax Institute