The revelation by technology giant Cisco on 7 November 2016 of its leak of personal data is the latest in a string of high-profile data breaches in Australia, following hot on the heels of Australia’s largest ever (to date) personal data breach by the Australian Red Cross Service (Australian Red Cross) and the leak of the personal data of Apple’s customers. In all of these cases, the leak was apparently due to human error and not inadequacies in the cybersecurity systems of these organisations – wrongly configured settings in the case of Cisco, erroneous loading of personal data on a publicly-facing website in the case of the Australian Red Cross, and inappropriate conduct on the part of Apple’s employees.

As well as being damaging to their reputations (not to mention ethically reprehensible in the case of Apple), these incidents demonstrate the difficulties that organisations face in complying with the Australian Privacy Principles (APP), and in the cases mentioned, specifically, APP 11.

The Technical and Human Aspects of Australian Privacy Principle 11

APP 11 provides that organisations and businesses subject to the APP (APP Entities) are required to take such steps as are reasonable to protect personal data that they hold. Given the way APP 11 is drafted, it is almost intuitive for APP Entities to focus (almost) entirely on the technical aspect of data protection, e.g. ensuring that they have the most up-to-date and secure cybersecurity apparatus, and that such systems are in line with prevailing Australian and international industry standards, at the expense of the human aspect of data protection (as was demonstrated by the human errors involving Cisco, the Australian Red Cross and Apple).

While the Office of the Australian Information Commissioner (OAIC) is currently investigating these incidents and no conclusive findings have as yet been issued, APP Entities would do well to learn from these incidents and focus more (if not as much as they do on the technical aspect) on the human aspect of APP 11. In this regard, APP Entities should ensure that they have clear internal data protection policies and processes, including policies and processes which set out, amongst other things:

  • what personal data is;
  • how personal data should be managed and how important data protection is, including how extra care should be exercised when managing personal data;
  • the importance of protecting personal data; and
  • how to manage data breaches.

APP Entities should also ensure that their employees and vendors (and other service providers) are well acquainted with and fully understand such policies and processes by, amongst other things:

  • providing reading materials, including explanatory materials;
  • providing training sessions and seminars; and
  • continually emphasising that the protection of personal data and personal data security are of utmost importance to the APP Entity.

APP Entities can also consider obtaining legal advice, or guidance from the OAIC, or both, with respect to such policies and processes as well as related materials.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)

It should also be noted that currently, Australian law – save for some exceptions – does not require APP Entities to disclose breaches of security, including leaks of personal data, to the OAIC and affected individuals (though APP Entities are encouraged to do so). As such, but for the public nature of the personal data leaks involving Cisco, the Australian Red Cross and Apple, it is possible that the OAIC and affected individuals might never have found out about the leaks, if those organisations had chosen to not notify them.

However, this situation is likely to change in the short term. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) is currently before the Parliament and, if passed, will create a legal obligation for APP Entities to notify the OAIC and affected individuals of eligible data breaches.