IT Measures to Accommodate the Notifiable Data Breach Scheme

IT strategy expert Ian Patterson outlines a number of IT measures not for profits can take to prevent sensitive data breaches from occurring, and offers his tips for organisations to accurately detect and respond to data breaches.    

The Notifiable Data Breach (NDB) scheme was added to the existing Privacy Act earlier this year, changing the legal requirements of companies and organisations that experience a data breach. This topic has been covered quite a lot from a legal standpoint, but few are talking about practical solutions to help organisations prepare for a data breach.

Quick recap: What is the Notifiable Data Breach Scheme?

In February this year, amendments were made to the Privacy Act 1988, with the focus on improving communication between organisations and individuals following a data breach. These amendments to legislation are part of the Notifiable Data Breach scheme. NFPs with an annual turnover of more than $3 million and all health organisations are required to have contingencies in place to effectively notify affected individuals if data has been accessed without authorisation.

Following a data breach, notification must be given to the Office of the Australian Information Commissioner (OAIC) and an assessment of the breach must be made. However, preventative measures to reduce serious harm can remove the need for the organisation to notify affected individuals. You can read more about the NDB scheme and its regulatory environment in an earlier Pro Bono Australia article contributed by Law Squared.

Measures to Comply – Real-time Tracking

When people think “data” breach, most think of a coordinated effort by skilled hackers, rather than what usually happens, which is where an employee accidentally or deliberately exposes private information. This could occur via leaving a work phone on the train, sending an email to the wrong person, or by leaving a computer logged in. Yes, all these mundane events would be classed as an “eligible data breach” under the scheme, which is why it’s important to keep your data easily trackable in the event of a breach.

Potential tracking solutions include tracking of portable devices owned by the NFP, such as mobile phones, tablets and laptops. Databases containing any individual’s information should always be logged to pinpoint the exact extent of a breach if it occurs. Often, providing real-time tracking might mean finding the perfect balance between the privacy of your workers and ensuring data can be properly tracked.

Measures to Comply – Preventative Measures

If properly implemented, preventative measures are the key to removing the potential for sensitive information leaks, thereby limiting liability. Here’s some simple things nearly every organisation can implement:

• Lock-out timers on electronic devices.
• Authenticated security measures (i.e. digital approval from a higher-up to perform select tasks, regular password changes).
• Whitelisting select data.
• Greater data encryption measures.
• Regular reviews of access (based on the recommended data logging mentioned above).

These are all standard policies that any NFP should enact, but the specific measures you implement will of course depend on the nature of your NFP, the sensitivity of the information you keep, and how large your operations are. Can you think of any specialised equipment, software or anything unique to your NFP organisation that might require extra preventative protections? It can always pay to have an outside set of eyes evaluate your operations, so potential IT loopholes you mightn’t have even thought of can be identified.

Response Procedures

Having a contingency plan in place is obviously important, and the reaction to a data breach will obviously depend on your NFP’s unique circumstances. A good contingency plan should not only have effective, thorough steps, it should also include instructions for employees and volunteers who identify the breach, and who should coordinate efforts to resolve the breach.

It’s also a good idea to draft out a standardised message for a breach notification, with blank sections to fill-in based on the circumstances. As detecting, securing and notifying a data breach can be a scrambled, panicked process, it’s important to make sure the notification you send out to individuals meets all the necessary requirements.

They include:

• Organisation’s name, trading name and contact details;
• Details of the breach, including date and time (estimated if necessary);
• What kind of information was accessed and its potential implications; and
• Tips for individuals affected, i.e. office contact details or instructions to change passwords.

You can also include other information, such as how the breach occurred, what’s currently being done, and the number of people affected. Your breach statement will need to be sent to the OAIC, as well as the individuals affected (or, place copy of the breach posted on your website & other digital platforms if contacting the individuals is not realistic).

About the author: Ian Patterson is CEO of Human IT. With 19 years of experience in IT strategy, management and support, he is fiercely passionate about helping not-for-profit and for-purpose organisations create social value through IT.