The Office of the Australian Information Commissioner (OAIC) has revealed that it received 63 notifications since Australia’s Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.
The Quarterly Statistics Report: January 2018-March 2018 revealed that health service providers accounted for 15 breaches; legal, accounting, and management services suffered 10; finance, including superannuation, reported eight breaches; education suffered six; and charities four.
The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach.
According to the OAIC report [PDF], 73 percent of eligible data breaches reported involved the personal information of fewer than 100 individuals, with just over half of the notifications involving the personal information of between one and nine individuals.
27 percent of notifications under the NDB scheme involved more than 100 individuals, the report highlighted.
Human error was the cause of the largest number of eligible data breaches reported, the OAIC said, accounting for 32 percent. It was closely followed by malicious or criminal attacks, at 28 percent.
The most common kind of breached information reported to the OAIC was contact information, which was the subject of 78 percent of the total breaches reported.
Health information was potentially compromised in 33 percent of the cases; financial details in 30 percent; identity information in 24 percent; and tax file numbers in 14 percent of the reported breaches, with the remaining 14 percent filed together under “other sensitive information”.
The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting.
In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.
Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.
An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach, as they do not have authorised access to the information in question.