As Australia’s Notifiable Data Breaches scheme marks its fourth year of operation, the OAIC is urging organisations to have strong accountability measures in place to prevent and manage data breaches in line with legal requirements and community expectations.
“The scheme is now mature and we expect organisations to have accountability measures in place to ensure full compliance with its requirements,” Commissioner Falk said.
“If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”
Australian Information Commissioner and Privacy Commissioner Angelene Falk said that being accountable will give people confidence that their personal information will be handled fairly and securely by the organisation.
“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said.
In the latest Notifiable Data Breaches Report, it was revealed that there was a 6% increase in the data breach notifications received by the OAIC from July to December 2021.
Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications. Meanwhile, there was a significant 43% increase in breaches caused by human error.
The health sector remains the highest reporting industry sector, followed closely by finance.
However, the OAIC is still finding that some organisations are falling short of the scheme’s assessment and notification requirements.
“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said.
“Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”
Commissioner Falk said swift assessment and notification are required, supported by systems to detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults did not become aware of the incident for over a year.
As the risk of serious harm to individuals often increases with time, the OAIC expects organisations to treat 30 days as a maximum time limit for an assessment of a data breach and to aim to complete the assessment in a much shorter timeframe.
Source: OAIC Media Release