Man with glasses freelance working from home with his dog sitting together at workspace

Who let the data out? New report shows significant increase in data breaches that resulted from human error

Malcolm Campbell ||

The Office of the Australian Information Commissioner (OAIC) recently published its Notifiable Data Breaches Report (Report), which was based on notifications made under the Notifiable Data Breaches (NDB) Scheme between the period  1 July 2020 to 31 December 2020. The Report revealed a significant increase in data breaches that resulted from human error. The Report provides a timely reminder of the importance of organisations’ taking active steps to prevent data breaches.

What is the NDB scheme?

The OAIC introduced the scheme in February 2018 to protect consumers by encouraging better standards when dealing with consumer’s personal information. Under the scheme, any organisation or agency covered by the Privacy Act 1998 must notify the OAIC and all affected individuals when they have reasonable grounds to believe that an eligible data breach has occurred.

Who does the scheme apply to?

The following entities are covered by the scheme:

  • Australian Government agencies;
  • Organisations’ that have an annual turnover of more than AU$3 million;
  • Private sector health service providers;
  • Credit reporting bodies;
  • Credit providers;
  • Tax file number recipients; and,
  • Entities that trade in personal information.

What is an eligible data breach and what must be done if a breach occurs?

If a data breach meets the following criteria, it will be classified as an eligible data breach:

  1. Personal information that an entity holds has been lost or there is unauthorised access or disclosure of personal information.
  2. From the perspective of a reasonable person, the breach is likely to result in serious harm to affected individual/s.
  3. The entity has not been able to prevent the risk of harm with remedial action.

In the context of a data breach, serious harm can include serious physical, psychological, emotional, financial, or reputational harm.

An entity must take reasonable steps to complete its assessment within 30 days after it suspects an eligible data breach. If an eligible data breach is established, the entity must then, as soon as practical provide a statement to the Information Commissioner and notify the affected individuals promptly.

What were the key findings of the Report?

The Report demonstrated that in the period from 1 July 2020 to 31 December 2020:

  • the OAIC received 539 data breach notifications, which is an increase of 5% compared to the previous six months;
  • 58% of notifications resulted from malicious or criminal attack, 38% resulted from human error, and 5% were as a result of system fault;
  • there was an 18% increase in data breaches attributed to human error (173 to 204 notifications); and,
  • the health sector remained the highest reporting industry sector (23% of notifications).

The key concern has been the significant increase in breaches that resulted from human error.

What can organisations do to prevent data breaches and meet their obligations under the scheme?

The OAIC has stated that “organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising staff training on secure information handling practices.”

Organisations should also implement the following to prevent and mitigate data breaches:

  • strong password protection strategies for example, increasing password complexity and length;
  • raising staff awareness about the importance of protecting credentials;
  • training staff on cyber security awareness; and,
  • using multi-factor authentication for remote access to business systems.

Organisations should also have a data breach response plan in place to promptly respond to data breaches. The plan should address how to:

  1. Contain the breach
  2. Assess the risks for individuals associated with the breach
  3. Consider breach notification
  4. Review the incident and take action to prevent future breaches.

How can we help?

If you require assistance with understanding your privacy obligations, putting in place a data breach response plan, or responding to a data breach, please do not hesitate to contact a team member of Coleman Greig’s Commercial Advice Team, who would be more than happy to assist you.


Send an enquiry

Any personal information you provide is collected pursuant to our Privacy Policy.


More posts

Can i put my home on Airbnb?

Airbnb is a form of short-term rental accommodation. To add your property to Airbnb in NSW, you are required to meet several laws and regulations governing short-term rentals.

When are liquidators required to seek approval to retain legal counsel?

When does a liquidator (or the company he or she is appointed to) need court, creditor, or committee approval to validly retain a solicitor to act in a liquidation matter which is likely to extend for longer than three months?  The answer to this question has only recently been settled.

Proposed changes to building and construction law in NSW

The Building Bill 2022 (the Bill) is the key avenue through which the NSW Government has proposed to reshape the culture of the building and construction industry by eliminating poor performance and improving the quality of building statewide.

Can you dismiss an employee who fails to return to the office?

Slowly but surely, most employers are requiring employees to return to the office for at least a portion of their working week. Some employers continue to struggle with employees resistant to returning to the office or those who have an expectation that they can continue to work from home whenever it suits them.

New powers to combat phoenixing in construction

The rise of phoenixing in the building and construction industry in Australia in recent years has proved a significant challenge to regulators. Mismanagement of time or cashflow can quickly propel businesses into insolvency.

The NSW Building Commission’s extraordinary powers

In late 2023, the NSW Government passed the Building Legislation Amendment Bill 2023 (Amendment Bill). The Amendment Bill established the NSW Building Commission and granted it extraordinary powers to enter construction sites, inspect work and take away information and materials.

© 2024 Coleman Greig Lawyers   |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230