Privacy Breaches and Cyber Liability Protection
What your faith-based organisation needs to know...
Millions of Australians have recently been impacted by the significant cyber-attacks carried out against Optus, Woolworths, and Medibank. These incidents have once again firmly placed the spotlight on the importance for ALL organisations to understand their obligations to protect private information, and the need to ensure systems are in place to prevent private information being unlawfully accessed or inadvertently being released. Whilst much attention has been focused on these large companies, smaller organisations such as Harcourts Real Estate in Victoria and a tech company responsible for holding sensitive information of thousands of Victorian School students have also recently been compromised.
Due to the increased growth of cyber-attacks, malware and ransomware it is becoming essential that faith organisations, charities and not-for-profits are aware of their exposures, their obligations to protect sensitive information and ways in which they can protect themselves from potential cyber-crime.
In February 2018, new legislation was introduced under the Privacy Act 1988 (Cth), ensuring that organisations which are captured by the Act must take appropriate steps to guarantee the privacy and security of members’ personal information.
This is known as the Notifiable Data Breaches Scheme which requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in the event of an ‘eligible data breach’.
This legislation may capture a number of faith-based organisations, charities or not-for-profit groups.
Organisations may be responsible for a data breach, even if it has been as a result of an external cyber-attack. Some insurance policies may specifically exclude cover for cyber-attacks, therefore it is important to ensure that you have appropriate systems in place to avoid attacks as well as a sound data breach response plan.
In this article we will explore:
What is the Privacy Act?
The Australian Privacy Principles (or APPs) are a set of 13 principles that form the foundation of the privacy protection framework in the Privacy Act 1988 (Cth). The Privacy Act requires certain organisations to comply with the obligations set out under the Act, but many organisations, despite being exempt from the application of the APPs, still commit to protecting privacy where possible by complying with the provisions of the Privacy Act that relate to the handling of personal information. Many church organisations include a Privacy Policy outlining their position on their website.
The Australian Privacy Principles address the following:
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information
Click here to access a copy of the Australian Privacy Principles from the Office of the Australian Information Commissioner: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines
What is 'Personal Information'?
What is 'Sensitive Information'?
The Privacy Act gives individuals greater control over how their information is handled, allowing them to know how it is collected and managed, and to make a complaint about an organisation governed by the Privacy Act if they believe their personal information has been mishandled.
This could include information which has been accessed as a result of a cyber-attack on your systems or has accidentally been released due to human error.
Under the Privacy Act, Australian Government agencies and organisations with an annual turnover of more than $3 million have a responsibility under the Act.
An organisation can include:
What does this mean for Churches, Charities or Not-For-Profits?
This new legislation holds faith-based organisations, charities and not-for-profit organisations to the same standard as “for profit” companies.
As such, significant reputational damage can be caused should your organisation fail in its handling or protection of the sensitive information that you may have been entrusted with. The damaging effects of a breach may not only affect the trust and confidence placed in your organisation, but may also affect your ability to access government funding and support.
Even if your organisation is not captured by the new legislation, it still makes good sense to have a Privacy Policy and a sound cyber protection policy in place which ensures that your systems (and their information) are properly protected and that your staff and volunteers are trained in how to manage information, identify potential cyber risks or attacks and what to do in the event of a breach.
Example
UnitingCare Queensland was the victim of a cyber-attack in April 2021 at the hands of one of the most notorious cyber ransom gangs in the world. As a result, some of the organisation’s digital and technology systems became inaccessible. In addition, UnitingCare was also cut off from the Commonwealth My Health Record system by the Australian Digital Health Agency as a precautionary measure, due to fears that personal health information of patients, residents and clients had been exposed.
Other examples include a data breach affecting Family Planning NSW, where sensitive data of 8,000 clients was breached, and an incident involving Red Cross, where the information of 550,000 blood donors was accidentally released.
These are only a few of the non-profits that have been targeted in recent years, although the actual number in the community sector may be greater given that non-profits with revenues under $3 million are exempt from the Privacy Act's reporting requirements.
Penalties for not complying with the new legislation
All organisations must now be able to demonstrate that they have taken appropriate steps to implement privacy compliance in their organisation, and have a data breach response plan.
Organisations that are captured by this legislation and that fail to act and report breaches may have fines and penalties imposed against them. Proposed amendments to the Privacy Act, likely to come into force soon, will significantly increase the penalties for serious or repeated privacy breaches and will give the Privacy Commissioner a greater range of compliance powers.
The maximum penalty that may be imposed for a major or recurring privacy breach would increase as a result of the changes made by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, as detailed below:
| | Non-Corporate Entity | Body Corporate |
|---|---|---|
| Current penalty | $444,000 | $2.5 million |
| New penalty | $2.2 million | Whichever is the highest |
Statistics from the Office of the Australian Information Commissioner
The most recent report issued by the Office of the Australian Information Commissioner highlights the following statistics.
How do I know if our organisation is compliant? Can you answer YES to all of the following questions?
What is a Data Breach Response Plan?
A Data Breach Response Plan is a documented policy which sets out the procedure an organisation will follow when a breach has been discovered or is suspected to have occurred. A data breach is deemed to have occurred when personal information (as defined in section 6 of the Privacy Act 1988) is lost or subjected to unauthorised use, access, disclosure or any other form of misuse.
What is a Data Breach?
A Data Breach arises when the following three criteria are satisfied:
Example of a Data Breach Response Plan
Examples of Serious Harm can include:
Examples of Data Breaches may include:
How should you be managing personal information?
In the interest of limiting the possibility of a cyber-attack, it is important for your organisation to develop a Cyber Security Checklist which will help ensure that your systems are secure, and your staff and volunteers are trained to understand the risks.
Download Cyber Security Checklist
Whilst not all faith-based organisations or charities may be captured by the new Notifiable Data Breaches legislation, all organisations are highly vulnerable to falling victim to cyber criminals by way of phishing emails, social engineering, ransomware, malware and the like.
Regardless of size, you have a duty of care to ensure that the information entrusted to you is kept safe, to avoid individuals’ personal information being put at risk and to protect the reputation of your church or ministry.
Insurance options
In response to the increased threat of cyber-crime, the insurance industry has developed specific Cyber Liability products which address these types of issues and can provide cover and assistance to deal with these types of claims.
Some of the products already offered by ACS Insurance Services provide limited cover for cyber-crimes, but if you are interested in pursuing more comprehensive cover, please contact our office and we can advise you of further options that may be available to you.
You can find out more by visiting www.acsfinancial.com.au/church-insurance
Additional Resources
DISCLAIMER: The information on this website reflects some of the commercial aspects and potential risks/obligations for your Church, School or Organisation. The information is given as a guide only and does not represent a definitive list or legal view in any way, shape or form. You are advised to seek your own professional advice on all your individual needs. ACS Financial Pty Ltd (ACN 062 448 122) (AFSL 247388).