Privacy is becoming an increasing risk for organisations, including those in the education sector.
This article by Moores’ privacy expert Cecelia Irvine-So first appeared in the Belonging Early Years Journal.
In 2018, Australia saw the introduction of the Notifiable Data Breach (NDB) Scheme and the prevalence of data breaches became clear. In the Office of the Australian Information Commissioner’s (OAIC) second quarterly report of the NDB Scheme, a total of 242 breaches were reported from 1 April to 30 June 2018.
The education sector was listed as the fourth most likely sector to suffer a data breach in the OAIC second quarterly report. Early learning providers are bound by the National Ouality Standards (the Standards), as well as the Australian Privacy Principles (APPs). Data security falls under Standard 7, relating to governance and leadership.
Early learning providers also have data security obligations under privacy laws in order to prevent data breaches. This article will set out the basics of privacy and outline an organisation’s data security obligations with a focus on the ECEC sector.
What is privacy?
Privacy is a set of principles protecting the collection, use, disclosure, storage and destruction of personal information. An early learning provider is likely to hold children’s health information such as allergies, medical conditions, disabilities, and medications – a type of information that is particularly sensitive.
Both personal information and sensitive information must be carefully secured by early learning providers to prevent data breaches and protect an individual’s privacy.
Most early learning providers are bound by the Privacy Act and APPs because they have a turnover of $3 million or more (or are part of a larger organisation with a turnover of $3 million or more).
Early learning providers need to be across all the privacy principles in order to appropriately and securely store privacy data. Most importantly, early learning providers will need:
- a privacy policy that not only complies with legislation, but that also realistically reflects operations
- a data breach response plan to follow in the event of a privacy or data breach
- practices, procedures and systems that will ensure compliance with the law.
Penalties of up to $1.8 million apply for companies that have a privacy breach.
Data breaches
Since February 2018, all companies who are required to comply with the Privacy Act must also prevent data breaches, and report any eligible data breaches that occur to the regulator.
The recent regulator’s report highlighted the main causes of data breaches. The majority of breaches were caused by malicious or criminal activity (59 per cent) or human error (36 per cent). The most common examples of malicious or criminal activity were:
- cyber incidents, including phishing, malware, ransomware, brute-force attack, compromised or stolen credentials, and hacking
- theft of paperwork or storage device
- rogue employee/insider threat.
Human error was a key source of data breaches.
The most common errors were:
- sending an email with personal information to the wrong person, or accidentally pressing ‘reply all’ or forgetting to Bcc
- lost laptops, removable storage devices and paper records
- employees accidentally accessing or disclosing personal information outside of the requirements of their employment.
How to respond to breaches
Only eligible data breaches need to be reported. Therefore, you need to be equipped to consider, in the event of a breach, whether the breach is ‘eligible’.
An eligible data breach arises when:
- there is unauthorised access to, or disclosure of, personal information, or a loss of personal information, that an entity holds
- this is likely to result in serious harm to one or more individuals
- the entity has not been able to prevent the likely risk of serious harm with remedial action.1
Your data breach response plan should contain the following elements:
- containment and assessment
- evaluation
- notification – if required, the affected individuals and the OAIC should be notified. Even if the data breach is not notifiable, the organisation may still need to notify other stakeholders such as its insurance company, board members, and/or service provider
- review and prevention.
Record keeping
Record keeping is an important aspect of data security and privacy compliance. Privacy legislation requires the destruction of personal information that is no longer needed. Equally, you must retain information you are required to keep!
Conclusion
As privacy and data security become an increasing concern, it is important that organisations prioritise action in relation to both prevention and response.
Assess which scheme or legislation applies to your organisation.
Review your privacy policy to ensure that it is tailored to your needs and compliance requirements.
Create a data breach response plan to ensure swift action to mitigate risk, including:
- legislative requirements to contact individuals affected
- steps for potential remedial actions to prevent serious harm eventuating
- when data breaches need to be reported and the process for reporting
- creating templates for notifications and external communication.
Provide training to your staff on your privacy policy and data breach response plan as well as when data breaches need to be reported. Review your service provider agreements and other information sharing arrangements to help you understand the responsibilities and rights of each party.
Early learning providers are uniquely placed in holding the sensitive information of young children and families. While privacy can seem like a daunting topic, taking an active approach can allow early learning providers to set themselves apart as leaders in the sector and ensure protection of families’ data.
How we can help
As a privacy expert and practice leader in the Corporate Advisory Team at Moores, Cecelia Irvine-So has significant experience working with education and early childhood clients, helping them prevent data breaches and respond if they do occur. For more information, please do not hesitate to contact us.