The Office of the Australian Information Commissioner (OAIC) has released the Data Breach Report for 1 July to 31 December 2023. The key findings include a 19% increase in notifications in the second half of 2023, and that the top 5 sectors to notify of data breaches were health, finance, insurance, retail and the Australian Government.
The OAIC has identified the security of personal information as a regulatory priority and is prioritising regulatory action that addresses areas where there is the greatest risk of harm to individuals. This is where there may be:
- serious failures to take reasonable steps to protect personal information
- inappropriate data retention practices
- failures to comply with the reporting requirements of the NDB scheme, particularly where the OAIC has publicised risks and mitigations.
The report points out that entities are expected to have established processes in place to ensure an effective response to data breaches and compliance with the requirements of the NDB scheme. This expectation is reflected in 2 determinations made by the Information Commissioner in October 2023: Datateks Pty Ltd (Privacy) [2023] AICmr 97 and Pacific Lutheran College (Privacy) [2023] AICmr 98.