Is Your School Complying With the Notifiable Data Breach Guidelines?
What your school needs to do if it suspects a data breach
From February 2018, amendments to the privacy law will come into effect. The new legislation creates a positive obligation to conduct an assessment where an entity suspects, rather than believes, an eligible data breach has occurred.
The notification obligations, which will require an entity to notify affected individuals and the regulator, the Office of the Australian Information Commissioner (OAIC), of any eligible data breach, will not arise where the data breach is only suspected. However, if it becomes clear during the course of an assessment that there has been an eligible breach, the entity needs to promptly comply with the notification requirements.
What is an ‘eligible data breach’?
A ‘data breach’ is any unauthorised access or disclosure of personal information your school holds, or where that information is lost and likely to give rise to unauthorised access or disclosure.
An ‘eligible’ data breach arises where a reasonable person would conclude that the breach is likely to result in serious harm to the person that the information relates to.
What does an assessment involve?
The OAIC has released a draft resource to assist relevant entities on their obligation to assess a suspected data breach. The OAIC makes clear that the obligation is not only to assess the relevant circumstances, but to have in place:
practices;
policies; and
The key issue is that entities must take reasonable steps to ensure a “reasonable and expeditious” assessment is completed within 30 days of becoming aware of the suspected breach. As the Privacy Act does not set out how entities should assess a suspected data breach, your school will need to have a team ready and a response plan in place.
The OAIC recommends a risk-based approach to the assessment and suggests that the following 3-stage process could be appropriate:
Initiate – decide if an assessment is necessary and who will be responsible for carrying it out. This raises the question of who is on the team and in what role. A range of skills is required.
Investigate – this stage also raises issues about implementing a process.
Evaluate – make a decision based on the outcome of the investigation as to whether the breach is an eligible breach.
The OAIC recommends that the process be fully documented.
A key takeaway from this resource is to have a nominated person responsible for undertaking and reporting on the assessment process. The person will need to be provided with the resources to do this task, within the timeframe, and in a way that will withstand scrutiny by the regulator.