Better data-breach responses needed

The impact of recent data breaches on millions of Australians, together with the findings of the Notifiable Data Breaches Report: January to June 2022, underlines the need for organisations to have robust information-handling practices and an up-to-date data-breach response plan.

The sectors notifying the most data breaches were health-service providers, finance (including superannuation), education, professional-services firms (legal, accounting, and management services), and recruitment agencies.

The Office of the Australian Information Commissioner’s report shows that human error was behind 63 per cent of breaches in the education sector and nearly 50 per cent of charity breaches. The counterpart figure for all Australian organisations is 33 per cent.

According to the report, 54 per cent of human-error breaches involved personal information being sent to the wrong recipient by various methods, including unintended publication, email, post, and data-storage devices.

More than half of charity breaches and 27 per cent of education breaches were malicious or criminal attacks.

The Privacy Act 1988 requires entities to take reasonable steps to conduct a data-breach assessment within 30 days of becoming aware that there are grounds to suspect that a breach has occurred. Once an entity forms a reasonable belief that there has been an eligible data breach, it must notify the OAIC and affected individuals as soon as practicable.

In the reporting period, 71 per cent (75 per cent in the previous period) of entities notified the OAIC within 30 days of becoming aware of an incident.

‘A key focus for the OAIC is the time taken by entities to identify, assess and notify us and affected individuals of data breaches,’ commissioner Angelene Falk said.

Commissioner Falk welcomed measures in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, currently before Parliament. The Bill gives the commissioner stronger information-gathering powers to ensure that entities are reporting breaches and notifying individuals when they need to, and increases penalties for serious or repeated privacy breaches.

The report can be accessed at