PBN/3791: Lost USB stick constitutes notifiable privacy breach


Source: Privacy Commissioner

Agencies often associate the Privacy Act’s security requirements with technology controls that can protect personal information, such as IT systems and cyber-security protections.

However, many notifiable privacy breaches result from failures in other areas, such as physical record-keeping practices, or building and maintaining staff capability and awareness through effective privacy training.

Agencies failing to implement these controls cause a range of privacy breaches that are reported to our office, often because of unauthorised or accidental access to, or disclosure of, personal information.

The Privacy Act states that the loss of personal information is also a privacy breach (section 112).

‘Accidental loss’ privacy breaches can result in agencies being unable to determine whether personal information has been accessed, and therefore whether serious harm has been caused to affected individuals as a result. If it’s unclear whether serious harm has occurred as the result of such a breach, agencies still have an obligation to assess whether it’s reasonable to believe serious harm is likely to occur, and notify us if that is the case.

An unsecured USB stick containing personal health information was lost

We were notified of a breach where a health agency had lost a USB stick. The device was not encrypted or password protected and contained personal information belonging to over 2,000 individuals. This included their names, dates of birth, NHI numbers, types of services accessed, and some medical conditions. It also included pay history for some staff members. 

The information had been copied onto the USB stick from the organisation’s IT systems to support a data modelling task. The staff member was unable to complete this exercise within the health agency’s cloud environment and downloaded the relevant data to the USB stick as a workaround solution. The staff member went home at the end of the day, having thought the device was secured in their desk drawer. They were unable to locate the stick the next morning.

After retracing their steps inside and outside the office, including checking their house, driveway and car, the staff member reported the device’s loss to their manager. The agency then conducted an internal investigation and notified OPC of the breach once the device’s loss was confirmed.

In this instance, the agency’s investigation found the staff member had not followed its information and privacy policy when copying information from the cloud to the USB device, and in failing to password protect the device prior to its loss. 

The agency advised us it was not aware of any harm caused from the breach, and considered the device was likely still within its premises or had been accidentally disposed of. The agency notified us on a precautionary basis but did not believe a notifiable breach had occurred.

Identifying the breach as reaching the notifiable threshold

Section 113 sets the following criteria for assessing whether a privacy breach is likely to cause serious harm to an affected individual, for the purpose of determining whether a breach is notifiable: 

  • any action taken by the agency to reduce the risk of harm following the breach
  • whether the personal information is sensitive in nature
  • the nature of the harm that may be caused to affected individuals
  • the person or body that has obtained or may obtain personal information because of the breach (if known)
  • whether the personal information is protected by a security measure
  • any other relevant matters.

We assessed this incident against section 113 as follows:

  • Efforts to locate the information were unsuccessful and therefore could not reduce the risk of harm.
  • The information that was lost included health information, which is inherently sensitive. The sensitivity of this information and the vulnerability of some of the affected individuals increased the likelihood of serious harm occurring from this breach.
  • The breach posed a risk of humiliation or loss of dignity, or damage to an affected individual’s reputation or relationships, if the information was/is made known to others.
  • The person or agency that could have obtained this information, if any, was unknown. Any mitigating factors, such as the likely intent of a recipient or containment, therefore could not be determined.
  • The device was not encrypted or password protected, leaving the device vulnerable to unauthorised access on an ongoing basis.

We formed a view from the above considerations that it was reasonable to believe this breach was likely to cause serious harm to affected individuals, in turn meeting the notifiable privacy breach threshold prescribed by the Privacy Act.

In addition to notifying our office, agencies must ensure affected individuals are notified as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless certain exceptions under the Privacy Act apply. 

After further follow-up, we were satisfied the agency had met its notification obligations.

Our regulatory response

We considered options for responding to this breach using our Compliance and Regulatory Action Framework.

This matter raised concerns under Information Privacy Principle 5 of the Privacy Act as well as Rule 5 of the Health Information Privacy Code 2020, which require agencies to ensure reasonable safeguards are in place to protect personal (in this case, employment) information and health information respectively.

While the agency had privacy and security policies in place to help ensure information is appropriately safeguarded, these policies were not followed. Therefore, this breach indicated weaknesses in staff awareness of privacy and security requirements.

We accepted the agency’s view that the incident was a result of human error, but considered gaps in privacy awareness should be addressed to ensure the agency’s information and privacy policy is correctly followed by staff.

The agency engaged positively with us, ensuring further training was delivered to improve staff awareness of privacy obligations, including further promoting its existing information and privacy policy. The agency also investigated the technical issue that caused the initial download to address the ‘workaround’ issue which led to the breach. This provided us with assurances the agency had taken reasonable steps to respond and improve its privacy safeguards.

We advised the agency that we would take no further compliance action in response to this breach, as it had met its notification obligations under the Act and had taken reasonable steps to mitigate the risk of similar incidents in the future.

What your agency can learn from this incident

Accidental loss of personal information held by an agency can constitute a notifiable privacy breach under the Privacy Act, even when it seems unlikely that a third party will locate and access it. We have published guidance to help agencies assess breaches against section 113 of the Privacy Act.

Human error and failure to follow process are common drivers behind many breaches reported to us, with root causes ranging from high staff workloads and time pressures to operational workarounds, all of which increase the likelihood of mistakes.

Agencies must ensure they continue to promote and maintain privacy awareness and build staff capability to mitigate the risk of breaches arising from these issues.

Keeping information secure isn’t just about having robust policies in place for staff to follow. Some reasonable safeguards in these areas include:

  • Reviewing organisational policy about the types of information that can be stored on a portable device.
  • Using extra security measures for portable devices such as encryption, password locks, and remote wiping.
  • Ensuring papers, computers or other electronic devices aren’t visible in homes, public places or in parked cars.
  • Developing and implementing a privacy training programme that covers how to appropriately collect, use, protect, disclose, and dispose of personal information, supported by documented policies and procedures.
  • Using privacy awareness activities to reinforce training programmes through regular reminders.

MIL OSI
