Privacy Breaches and Cyber Liability Protection
What your faith-based organisation needs to know...
With the growth of cyber-attacks, malware and ransomware, it is becoming essential that faith organisations, charities and not-for-profits are aware of their exposures, their obligations to protect sensitive information, and the ways in which they can protect themselves from cyber-crime.
The Australian Privacy Principles (or APPs) are a set of 13 principles that form the foundation of the privacy protection framework in the Privacy Act 1988 (Cth).
The Privacy Act requires certain organisations to comply with the obligations set out under the Act. Many organisations that are exempt from the APPs nonetheless commit to protecting privacy where possible, by complying with the provisions of the Privacy Act that relate to the handling of personal information.
The Australian Privacy Principles address the following:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
Source: Office of the Australian Information Commissioner, https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the-australian-privacy-principles/
In February 2018, new legislation was introduced under the Privacy Act 1988 (Cth), requiring organisations that are captured by the Act to take appropriate steps to guarantee the privacy and security of members’ personal information.
This is known as the Notifiable Data Breaches Scheme, which requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in the event of an ‘eligible data breach’.
This legislation may capture a number of faith-based organisations, charities or not-for-profit groups.
Organisations may be responsible for a data breach even if it results from an external cyber-attack. Some insurance policies specifically exclude cover for cyber-attacks, so it is important to have appropriate systems in place to prevent attacks, as well as a sound data breach response plan.
In this article we will explore:
What is the Privacy Act?
The Privacy Act regulates the way in which an organisation must handle an individual’s personal information.
What is 'Personal Information'?
- An individual’s name, date of birth, address, phone number or signature
- Employee record information
- Sensitive information (e.g. counselling notes, health information, criminal records)
- Student records
- Internet protocol (IP) addresses
- Voice print and facial recognition biometrics (because they capture characteristics that make an individual’s voice or face unique)
- Location information from a mobile device (because it can reveal user activity patterns and habits)
What is 'Sensitive Information'?
- Racial or ethnic origin
- Political opinions or associations
- Religious or philosophical beliefs
- Trade union membership or associations
- Sexual orientation or practices
- Criminal records
- Health or genetic information
- Some aspects of biometric information
The Privacy Act gives individuals greater control over how their information is handled, allowing them to know how it is collected and managed, and to make a complaint about an organisation governed by the Privacy Act if they believe their personal information has been mishandled.
This could include information that has been accessed as a result of a cyber-attack on your systems, or that has been released accidentally due to human error.
Australian Government agencies and organisations with an annual turnover of more than $3 million have obligations under the Privacy Act.
An organisation can include:
- An individual or sole trader (though generally this would not apply to an individual acting in a personal capacity)
- A body corporate
- A partnership
- Any other unincorporated association, or
- A trust
What does this mean for Churches, Charities or Not-For-Profits?
This new legislation holds faith-based organisations, charities and not-for-profit organisations to the same standard as “for profit” companies.
As such, significant reputational damage can be caused should your organisation fail in its handling or protection of the sensitive information it has been entrusted with. The damaging effects of a breach may not only affect the trust and confidence placed in your organisation, but may also affect your ability to access government funding and support.
In an article published in The Age newspaper on February 21 2019, it was reported that the Melbourne Catholic Archdiocese had fallen victim to a cyber-attack which could potentially have exposed significant amounts of sensitive information to cyber criminals.
Fortunately, the church was able to contain the breach to its internal IT system, which prevented significant damage. This highlights the need for, and benefit of, having solid processes in place to protect your information and systems.
Penalties for not complying with the new legislation
All organisations must now be able to demonstrate that they have taken appropriate steps to implement privacy compliance, and that they have a data breach response plan.
Organisations captured by this legislation that fail to act and report breaches may face fines and penalties of up to $360,000 for individuals and $1.8M for organisations.
- Businesses/Organisations are required to alert the Privacy Commissioner and affected clients/staff if their systems are hacked
- Legislation applies to businesses or organisations with a turnover of more than $3 million
- In the 12 months since the new legislation was introduced, data indicates that 35% of reported data breaches were attributed to human error. This highlights the need for organisations to implement strategies which focus on staff training and awareness in order to reduce loss.
How do I know if our organisation is compliant? Can you answer YES to all of the following questions?
- Do you have a Privacy Officer? (See the OAIC Privacy Officer Toolkit: https://www.oaic.gov.au/s/privacy-officer-toolkit/)
- Have you developed a Data Breach Response Plan for your organisation?
- Do you have a cyber security checklist to ensure your systems and processes are safe?
- Do you train your staff and volunteers in how to manage sensitive information and identify potential cyber risks?
What is a Data Breach Response Plan?
A Data Breach Response Plan is a documented policy which sets out the procedure an organisation will follow when a breach has been discovered or is suspected to have occurred. A data breach is deemed to have occurred when personal information (as defined by section 6 of the Privacy Act 1988) is lost or subjected to unauthorised use, access, disclosure or any other form of misuse.
What is a Data Breach?
A notifiable (‘eligible’) data breach arises when the following three criteria are satisfied:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that your organisation holds
- This is likely to result in serious harm to one or more individuals, and
- Your organisation has not been able to prevent the likely risk of serious harm with remedial action
Examples of ‘Serious Harm’ can include:
- Identity theft (which could affect the individual’s finances and credit report)
- Financial loss through fraud
- A likely risk of physical harm (for example, from an abusive ex-partner)
- Serious psychological harm
- Serious harm to an individual’s reputation
Examples of Data Breaches may include:
- Loss or theft of physical devices (such as laptops and storage devices), or paper records which contain personal information
- Unauthorised access to personal information by an employee
- Inadvertent disclosure of personal information due to “human error”, for example an email sent to the wrong person
- Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures
How should you be managing personal information?
Ensure personal information is only collected if it is necessary and relevant to the church's mission or ministry, and advise individuals of the intended use of the data at the time of collection. You must also store all data securely, keep it up to date, and destroy it when it is no longer required.
Legislation aside, social engineering, phishing scams and cyber fraud are on the rise, and here at ACS Insurance Services we have had many conversations with clients, both large and small, who have fallen victim to increasingly sophisticated cyber-crimes.
Cyber Security Checklist
In the interest of limiting the possibility of a cyber-attack, it is important for your organisation to develop a Cyber Security Checklist which will help ensure that your systems are secure, and your staff and volunteers are trained to understand the risks.
Whilst not all faith-based organisations or charities may be captured by the new Notifiable Data Breaches legislation, all organisations are highly vulnerable to cyber criminals by way of phishing emails, social engineering, ransomware, malware and the like.
Regardless of size, you have a duty of care to keep the information entrusted to you safe, to avoid putting individuals’ personal information at risk, and to protect the reputation of your church or ministry.
In response to the increased threat of cyber-crime, the insurance industry has developed specific Cyber Liability products which address these types of issues and can provide cover and assistance in dealing with such claims.
Some of the products already offered by ACS Insurance Services provide limited cover for cyber-crimes. If you are interested in pursuing more comprehensive cover, please contact our office and we can advise you of the further options that may be available to you.
Sources
- Australian Government – Office of the Australian Information Commissioner – Notifiable Data Breaches
- Australian Government – Office of the Australian Information Commissioner – Notifiable Data Breaches Scheme 12-month insights report
- Australian Government – Office of the Australian Information Commissioner – The Privacy Officer Toolkit
- Australian Privacy Principles from the Office of the Australian Information Commissioner
DISCLAIMER: The information on this website reflects some of the commercial aspects and potential risks/obligations for your Church, School or Organisation. The information is given as a guide only and does not represent a definitive list or legal view in any way, shape or form. You are advised to seek your own professional advice on all your individual needs.
ACS Financial Pty Ltd (ACN 062 448 122) (AFSL 247388).