Melanie Olynyk
Partner, Melbourne
Melanie acts for government clients in public and administrative law, with a particular expertise in freedom of information (FOI) and privacy.
We share our insights from the latest Notifiable Data Breaches Report (Report) released by the Office of the Australian Information Commissioner (OAIC). Our analysis uncovers key statistics shaping the data breach landscape.

Twice per year the OAIC reports on statistics and key learnings gathered from the eligible data breach notifications received under the Commonwealth Notifiable Data Breaches Scheme (Scheme) during the previous six-month period. The Report assists agencies and organisations subject to the Scheme (APP entities) to better understand current trends and privacy risks across the data breach landscape.
The latest Report covers notifications made to the OAIC from July 2023 – December 2023.
We summarise the key statistics identified in the latest Report, as well as some key takeaways for Victorian government agencies and councils.
Some of the key privacy issues identified in the Report are extracted below.
The greater the amount of personal information an entity holds, the greater the potential scale and complexity of a data breach. APP entities should ensure they have systems and processes in place to regularly review the personal information that they hold and consider whether it is still necessary to retain that personal information. Having a data retention policy that is regularly audited and updated, and is operationalised, is critically important.
Compromised account credentials caused 25% of all data breaches in the reporting period, and the OAIC has identified ensuring the security of personal information as a regulatory priority.
The OAIC has strongly encouraged APP entities to uplift their access security and ICT security measures, including by implementing the Essential Eight cyber security strategies, multi-factor authentication and strong passphrases.
A significant data breach risk has been identified arising from sharing personal information with contracted service providers (e.g. cloud or software providers). The OAIC recommends mitigating this risk through the contractual arrangements entered into with third party service providers.
The OAIC has re-emphasised its expectation that APP entities must have an effective data breach response plan in place.
It expects all APP entities to have an up‑to‑date data breach response plan and notes that the following gaps have been specifically identified in recent determinations:
Identification timeframes: The faster a breach is detected, the faster an APP entity can contain and limit its impact. During the reporting period, 64% of breaches were identified within 10 days of the breach occurring.
Assessment and notification timeframes: The obligation to assess an incident may be triggered before all the facts of the incident are known. Similarly, the obligation to notify may be triggered before all the facts of the incident are known. Early assessment is recommended to ensure timely notification to the OAIC and affected individuals.
Importantly, the Report identifies that 28% of notifications to the OAIC did not occur within the 30-day timeframe.
A key objective of the Scheme is to ensure individuals are promptly notified so they can quickly take steps to minimise their risk of harm. Effective actions identified by the OAIC include quickly putting steps in place to prevent further harm arising from a breach, and making improvements to security practices.
APP entities should notify individuals via their website only where it is not practicable to notify them directly. In that case, the website notification must include all the content required to be included in notifications to individuals.
The OAIC has highlighted that APP entities may have multiple data breach reporting obligations.
The Australian Government is implementing measures to streamline the existing regulatory frameworks, including via the establishment of a National Office for Cyber Security.
While the Report relates to APP entities that are subject to the Scheme, there are still some key takeaways for Victorian government entities and councils more generally.
Key Tips:
In our experience, good data hygiene practices will always lie at the core of best practice when it comes to data breach readiness and response.
Compliance ‘basics’, such as developing and operationalising policies and procedures for data handling, implementing and testing your data breach response plan, and supplementing these steps with regular staff training, can be fundamental to success in the event of a breach.
The Office of the Victorian Information Commissioner provides resources to Victorian government agencies on reporting, and responding to, data breaches. It also has guidance notes on two particular key risk areas, namely inadvertent disclosure when sending emails and phishing attacks.
Stay informed by subscribing to our Privacy, Data & Information team updates.