On 22 February 2018, changes to the Federal Privacy Act 1988 will bring a new Notifiable Data Breach (NDB) Scheme into force. This makes it compulsory for schools to notify specific types of data breaches to the individuals affected by the breach, and to the Office of the Australian Information Commissioner (OAIC).
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. Data breaches are not limited to cyber-attacks; more commonly they result from human error or a failure to follow information-handling policies, which leads to personal information being lost or disclosed to the wrong person.
Not all data breaches will be NDBs. For a data breach to be an eligible data breach, it needs to be likely to result in serious harm to the affected individuals. Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.
Studentnet has created its own Data Breach Plan to contain, assess and respond to data breaches. The plan lists contact details for the appropriate staff, clarifies their responsibilities, and documents the processes for responding to a data breach.