by Harry Rosenthal, General Manager, Risk Management Services

While higher education institutions have suffered privacy violation events in the past, including illegal hacking of web portals, release and tampering of personal details or disturbing student services software, the new requirements will require institutions to take certain steps in response to an eligible data breach. Such incidents will be publicised far more widely than past loss events, for which there were no reporting requirements. These events could result in significant expense and reputation damage, including a loss of public trust. While there is still a great deal of detail left to be determined by the Office of the Australian Information Commissioner (OAIC), our sector needs to be prepared for these future breaches.

As the only risk financing entity owned by the Australian higher education sector, Unimutual is interested in identifying emerging regulation and risk issues affecting teaching, research and community engagement. Working with Members, we identify changes in the risk profile of the sector, and develop strategies to minimise the impact of potential risks on our membership.

Who is affected?

Members will recall our Emerging Risk Notification 61 regarding the Privacy Amendment (Notifiable Data Breaches, NDB) Act which will commence on 22 February 2018. This gives affected entities a long lead time in which to prepare and ensure compliance with this new legislation. At this time, it is clear that universities, other than those located in Canberra, or those which are private, are State entities and not Australian Privacy Principle (APP) entities for the purpose of the Privacy Act. It is our understanding that they are not covered under the current legislation. Unimutual’s ACT, private and non-university Members, may, however, be affected and we feel it would be more efficient if the sector worked in a collaborative way, sharing information and working together to address the new Act and to develop risk mitigation strategies.

What does the sector need to know?

The Act has made several aspects of compliance quite clear such as defining (I paraphrase here):

What is a data breach?

• Unauthorised access or disclosure of personal information

What is an eligible data breach?

• Where a reasonable person would conclude there is a likelihood of serious harm to any of the affected individuals

What is serious harm?

• While undefined, is likely to include serious physical, psychological, emotional, economic and financial harm

What are the penalties for failure to comply?

• Maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate

How to prepare?

To better manage this emerging risk, Unimutual has a number of suggestions which will help Members frame the issue in their own institutions:

1. Assign responsibility.

Ensure your organisation’s individual responsible for current privacy governance and compliance matters is aware of the NDB scheme and how it will impact the institution. This may require coordination by several divisions in your institution, and we suggest that ultimately one group coordinate education and compliance. The selected individual may want to join the government Privacy Professional Network to keep informed of the latest developments. The best resource at this time, of course is the Office of the Australian Information Commissioner, and the new NDB webpage.

2. Audit your institution’s exposure.

We suggest Members examine the types of personal data currently collected, to identify business units holding data which could result in serious harm, if breached. Examples could include: medical clinics, legal centres, gyms, day-care facilities, payment services, member services, and guest services. The institution may want to check current security associated with this data storage. A useful guide to securing personal information provided by the government can be found here.

3. Consider contract services.

The Mutual is aware some institutions outsource many activities which collect personal information from stakeholders, such as credit card services, data storage or cloud services, third-party service suppliers such as residential halls, IT suppliers, etc. Notifiable Data Breaches involving your data could cause as much reputation damage if accidently lost by a contractor and third party. You may want to consider including clauses in new service contracts to address the issue of notifiable data breaches.

4. Search your SOUL.

At our Adelaide conference in 2016, we introduced Members to the Society of University Lawyers (SOUL), a professional association of university legal staff. This network can greatly assist the sector in better understanding the potential ramifications of the NDB scheme and its compliance. Each university has a representative to SOUL, who could provide significant insight in to compliance and response.

5. Set the gauge for reporting.

It is our experience that each institution has its own risk appetite/culture in reporting matters regarding their reputation and serious loss events. Some institutions’ culture promotes reporting of all incidents, in order to better understand the range of risks they face, while others, are less forthcoming with reporting and notification. The notification requirements of the NDB scheme should mesh very well with the institutions’ own risk appetite/culture, and discussions should take place as soon as possible about reporting triggers, and who is authorised to pull them.

6. Be prepared.

It is unknown when your organisation’s first data breach will take place, and response actions should not be developed only as the event progresses. We recommend that Members develop a Breach Response Plan before an event occurs so staff are best equipped to respond to a significant data breach. The plan would include elements such as:

• A clear policy on reportable incidents
• Procedures for reporting and coordinating the incident
• A panel of experts to analyse the breach to determine if it is reportable
• Communication channels to be used for internal and public communication

All plans would be designed to be compliant with the scheme as well as to minimise any reputational damage to the institution. Planning in this case would be time well spent, and the drafting of holding statements, letters to stakeholders, and website announcements would expedite the response and mitigate any adverse publicity.

In summary

While the details of the NDB scheme are still taking shape, it would be wise to establish systems to respond to future data breaches – especially if you are an affected entity. The risk presented by this scheme is clear, with numerous examples of the reputation and financial impacts following a significant data breach. However, there is also an opportunity to improve our data collecting and storage methods, to more closely examine our contractors, and to make our data security more robust.

It is an opportunity for the sector to work together in collaboration. This can be done through existing sharing networks such as SOUL or Unimutual, or through bespoke special interest groups, to ensure there is a consistent sector-wide response to this compliance requirement and a shared experience and expertise is cultivated. Serious data loss impacts all higher education institutions, not just those who were unfortunate enough to be afflicted. A collaborative approach will reduce costs, and improve mitigation actions.