The Office of the Australian Information Commissioner (OAIC) received 539 data breach notifications from July to December 2020, an increase of 5% from the 512 notifications received from January to June 2020, and a 2% increase compared to the same period in 2019.
Malicious or criminal attacks have remained as the leading source of data breaches, accounting for 58% of notifications, while human error accounted for 38% of notifications, an OAIC report has found.
This wasn’t the case for federal government entities, information and privacy commissioner Angelene Falk noted.
“Agencies experienced a higher proportion of human error breaches compared to other industry sectors,” she said.
Of the 33 reports of data breaches made by government agencies, human error accounted for 29 notifications (88%).
Almost half of these human error breaches resulted from personal information being sent to the wrong recipient, the OAIC found.
Unauthorised disclosure accounted for 10 human error breaches, with five involving a failure to redact, four involving unintended release or publication, and one breach involving unauthorised verbal disclosure.
Three human error breaches were caused by failure to use BCC when sending an email, and two related to loss of paperwork or a data storage device.
The OAIC noted that most government human error breaches typically affected small numbers of individuals.
The federal government took longer than other industries to identify breaches.
Only 61% of Commonwealth entities identified an incident within 30 days of it occurring, compared to 88% of health service providers, 87% of entities in the legal, accounting and management services sector, and 68% for the finance sector.
Government entities also took longer than other sectors to notify the OAIC of data breaches.
In light of the OAIC’s findings, Falk has reminded government agencies of their obligations.
“Specific privacy requirements are imposed on Australian government agencies that are intended to build a consistent, high standard of personal information management across the Australian Public Service,” she told The Mandarin.
“These include obligations to conduct privacy impact assessments, have a privacy management plan, appoint a privacy officer and a privacy champion, and to provide privacy education and training at regular intervals.
“It is important that Australian government agencies meet these obligations and exercise good privacy practices in order to maintain public trust and confidence in their information handling practices.”
The OAIC has called on entities, including government agencies, to have effective systems in place for detecting, containing, assessing, notifying and reviewing data breaches.
Falk said organisations should use the new report to review their processes and ensure they are fit for purpose.
“We are nearing three years of operation of the Notifiable Data Breaches scheme and expect that entities have systems in place to report breaches in line with legislative requirements,” she said.
“We also expect organisations to have improved the security of personal information they hold to prevent breaches.
“We will continue to closely monitor compliance with the scheme and prioritise regulatory action where there are significant failings.”