Privacy Breaches and Cyber Liability Protection

What your faith-based organisation needs to know...

Millions of Australians have recently been impacted by the significant cyber-attacks carried out against Optus, Woolworths, and Medibank. These incidents have once again firmly placed the spotlight on the importance for ALL organisations to understand their obligations to protect private information, and the need to ensure systems are in place to prevent private information being unlawfully accessed or inadvertently being released. Whilst much attention has been focused on these large companies, smaller organisations such as Harcourts Real Estate in Victoria and a tech company responsible for holding sensitive information of thousands of Victorian School students have also recently been compromised.

Given the continued growth of cyber-attacks, malware and ransomware, it is becoming essential that faith organisations, charities and not-for-profits are aware of their exposures, their obligations to protect sensitive information and the ways in which they can protect themselves from potential cyber-crime.

In February 2018, new legislation was introduced under the Privacy Act 1988 (Cth), requiring organisations captured by the Act to take appropriate steps to guarantee the privacy and security of members' personal information.

This is known as the Notifiable Data Breaches Scheme which requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in the event of an ‘eligible data breach’.

This legislation may capture a number of faith-based organisations, charities or not-for-profit groups.

Organisations may be responsible for a data breach, even if it has been as a result of an external cyber-attack. Some insurance policies may specifically exclude cover for cyber-attacks, therefore it is important to ensure that you have appropriate systems in place to avoid attacks as well as a sound data breach response plan.

In this article we will explore:

  • Who the legislation applies to
  • What it means for faith-based organisations and not-for-profits
  • Penalties for not complying with the new legislation
  • What a Data Breach Response Plan is and how to develop one
  • Insurance options available to your church or charity

What is the Privacy Act?

The Australian Privacy Principles (or APPs) are a set of 13 principles that form the foundation of the privacy protection framework in the Privacy Act 1988 (Cth). The Privacy Act requires certain organisations to comply with the obligations set out under the Act; many organisations that are exempt from the APPs nevertheless commit to protecting privacy where possible by complying with the provisions of the Privacy Act that relate to the handling of personal information. Many church organisations publish a Privacy Policy outlining their position on their website.

The Australian Privacy Principles address the following:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

Click here to access a copy of the Australian Privacy Principles from the Office of the Australian Information Commissioner: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines

What is 'Personal Information'?

  • An individual’s name, date of birth, address, phone number or signature
  • Employee record information
  • Sensitive information (e.g. counselling notes, health information, criminal records)
  • Photographs
  • Student records
  • Internet protocol (IP) addresses
  • Voice print and facial recognition biometrics (because they collect the characteristics that make an individual’s voice or face unique)
  • Location information from a mobile device (because it can reveal user activity patterns and habits)

What is 'Sensitive Information'?

  • Racial or ethnic origin
  • Political opinions or associations
  • Religious or philosophical beliefs
  • Trade union membership or associations
  • Sexual orientation or practices, criminal records
  • Health or genetic information
  • Some aspects of biometric information

The Privacy Act gives individuals greater control over how their information is handled, allowing them to know how it is collected and managed, and to make a complaint about an organisation governed by the Privacy Act if they believe their personal information has been mishandled.

This could include information which has been accessed as a result of a cyber-attack on your systems or has accidentally been released due to human error.

Australian Government agencies and organisations with an annual turnover of more than $3 million have obligations under the Privacy Act.

An organisation can include:

  • An individual or sole trader (though generally this would not apply to an individual acting in a personal capacity)
  • A body corporate
  • A partnership
  • Any other unincorporated association, or
  • A trust

What does this mean for Churches, Charities or Not-For-Profits?

This new legislation holds faith-based organisations, charities and not-for-profit organisations to the same standard as “for profit” companies.

As such, significant reputational damage can be caused should your organisation fail in its handling or protection of the sensitive information it has been entrusted with. The damaging effects of a breach may not only affect the trust and confidence placed in your organisation, but may also affect your ability to access government funding and support.

Even if your organisation is not captured by the new legislation, it still makes good sense to have a Privacy Policy and a sound cyber protection policy in place which ensures that your systems (and their information) are properly protected and that your staff and volunteers are trained in how to manage information, identify potential cyber risks or attacks and what to do in the event of a breach.

Example

UnitingCare Queensland was the victim of a cyber-attack in April 2021 at the hands of one of the most notorious cyber ransom gangs in the world. As a result, some of the organisation's digital and technology systems became inaccessible. In addition, UnitingCare was cut off from the Commonwealth My Health Record system by the Australian Digital Health Agency as a precautionary measure, due to fears that the personal health information of patients, residents and clients had been exposed.

Other examples include a data breach affecting Family Planning NSW, where the sensitive data of 8000 clients was breached, and an incident involving Red Cross, where the information of 550,000 blood donors was accidentally released.

These are only a few of the non-profits that have been targeted in recent years, although the actual number in the community sector may be greater given that non-profits with revenues under $3 million are exempt from the Privacy Act's reporting requirements.

Penalties for not complying with the new legislation

All organisations must now be able to demonstrate that they have taken appropriate steps to implement privacy compliance in their organisation, and have a data breach response plan.

Organisations that are captured by this legislation and that fail to act and report breaches may have fines and penalties imposed against them. Proposed amendments to the Privacy Act, likely to come into force soon, will significantly increase the penalties for serious or repeated privacy breaches and will give the Privacy Commissioner a greater range of compliance powers.

The maximum penalty that may be imposed for a major or recurring privacy breach would increase as a result of the changes made by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, as detailed below:

Non-Corporate Entity
  • Current Penalty: $444,000
  • New Penalty: $2.2 million

Body Corporate
  • Current Penalty: $2.5 million
  • New Penalty: whichever is the highest of
      • $50 million;
      • three times the value of any benefit, directly or indirectly obtained, that is reasonably attributed to the privacy breach; or
      • 30% of the entity’s adjusted turnover in the relevant period.

Statistics from the Office of the Australian Information Commissioner

The most recent report issued by the Office of the Australian Information Commissioner highlights the following statistics.

How do I know if our organisation is compliant? Can you answer YES to all of the following questions?

  • Do you have a Privacy Policy? Has it been updated recently?
  • Do you have a Privacy Officer? https://www.oaic.gov.au/s/privacy-officer-toolkit/
  • Have you developed a Data Breach Response Plan for your organisation?
  • Do you have a cyber security checklist to ensure your systems and processes are safe?
  • Do you train your staff and volunteers in how to manage sensitive information and identify potential cyber risks?

What is a Data Breach Response Plan?

A Data Breach Response Plan is a documented policy which sets out the procedure an organisation will follow when a breach has been discovered or is suspected to have occurred. A data breach is deemed to have occurred when personal information (as defined by section 6 of the Privacy Act 1988) is lost or subjected to unauthorised use, access, disclosure or any other form of misuse.

What is a Data Breach?

A Data Breach arises when the following three criteria are satisfied:

  • There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that your organisation holds
  • This is likely to result in serious harm to one or more individuals, and
  • Your organisation has not been able to prevent the likely risk of serious harm with remedial action

Example of a Data Breach Response Plan

Examples of Serious Harm can include:

  • Identity theft (which could affect your finances and credit report)
  • Financial loss through fraud
  • A likely risk of physical harm (such as an abusive ex-partner)
  • Serious psychological harm
  • Serious harm to an individual’s reputation

Examples of Data Breaches may include:

  • Loss or theft of physical devices (such as laptops and storage devices), or paper records which contain personal information
  • Unauthorised access to personal information by an employee
  • Inadvertent disclosure of personal information due to “human error”, for example an email sent to the wrong person
  • Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures

How should you be managing personal information?

  • Ensure private information is only collected if it is necessary and relevant to the church’s mission or ministry
  • Advise individuals of intended use of data at time of collection
  • Store all data securely and ensure data is up to date, or destroyed if no longer required

In the interest of limiting the possibility of a cyber-attack, it is important for your organisation to develop a Cyber Security Checklist which will help ensure that your systems are secure, and your staff and volunteers are trained to understand the risks.

Download Cyber Security Checklist

Whilst not all faith-based organisations or charities may be captured by the new Notifiable Data Breaches legislation, all organisations are highly vulnerable to falling victim to cyber criminals by way of phishing emails, social engineering, ransomware, malware and the like.

Regardless of size, you have a duty of care to ensure that the information entrusted to you is kept safe, to avoid individuals’ personal information being put at risk and to protect the reputation of your church or ministry.

Insurance options

In response to the increased threat of cyber-crime, the insurance industry has developed specific Cyber Liability products which address these types of issues and can provide cover and assistance in dealing with these types of claims.

Some of the products already offered by ACS Insurance Services provide limited cover for cyber-crimes, but if you are interested in pursuing more comprehensive cover, please contact our office and we can advise you of further options that may be available to you.

You can find out more by visiting www.acsfinancial.com.au/church-insurance

Additional Resources

DISCLAIMER: The information on this website reflects some of the commercial aspects and potential risks/obligations for your Church, School or Organisation. The information is given as a guide only and does not represent a definitive list or legal view in any way, shape or form. You are advised to seek your own professional advice on all your individual needs. ACS Financial Pty Ltd (ACN 062 448 122) (AFSL 247388).
