New report identifies human error as leading cause of breaches in NSW agencies
Today, the Acting Privacy Commissioner has released the first NSW Mandatory Notification of Data Breach Scheme Trends Report for November 2023 to June 2024. The Report provides preliminary insights into the operation of the MNDB Scheme drawing from statistical data and the IPC’s engagement with agencies.
According to the Report, 79% of all notifications made to the Privacy Commissioner were caused by human error with the most common type of breach arising from emails being sent either to the wrong recipient or with an incorrect attachment containing another person’s personal information.
Acting Privacy Commissioner Sonia Minutillo said, “The high frequency of notifications caused by human error reinforces that agencies must embed robust privacy practices into the design of their systems and processes of work, particularly with the use of email.
“An agency’s staff can be its most valuable asset for ensuring that personal information is safely and securely handled. This relies on the agency creating a pro-privacy culture where all staff have an appreciation of their role and an understanding of their obligation to protect the personal information the agency holds.”
The Report also found that over 71,000 individuals were affected by the breaches notified during the reporting period, with the highest number of affected individuals in the University sector.
Acting Commissioner Minutillo said, “While the total number of those affected may be high, the report notes that in most cases around 70% of breaches affected 10 or fewer individuals, with only one breach involving more than 25,000 individuals.
“However, it is important to remember that even though most breaches affected a small number of people, this does not mean that they are not serious or won’t result in significant harm to an individual.”
The Acting Privacy Commissioner recommends that all NSW agencies review and reflect on the findings from this first Report and how they might improve their own systems and processes for handling personal information.
“Going forward, the IPC will continue to provide guidance and support to agencies as they operationalise their data breach response function and grow their maturity in complying with the requirements of the MNDB Scheme,” said Acting Commissioner Minutillo.
The report is available for access via the IPC website.
ENDS
For further information, please contact:
The Manager, Communications and Corporate Affairs on 0435 961 691 or email communications@ipc.nsw.gov.au
About the Mandatory Notification of Data Breach Scheme
The Mandatory Notification of Data Breach (MNDB) Scheme commenced on 28 November 2023 to ensure that NSW public sector agencies respond swiftly to data breaches and provide transparent information to those individuals affected by a breach.
The Scheme imposes obligations on agencies to mitigate the harm that may arise from a data breach, make notifications to the affected individuals and the Privacy Commissioner when an eligible data breach occurs, take steps to prevent further breaches occurring and provide advice to individuals on the steps they should take following a data breach.
About the Information and Privacy Commission:
The Information and Privacy Commission NSW (IPC) is an independent integrity agency that supports the NSW Information Commissioner and the NSW Privacy Commissioner. Its vision is that privacy and access to government information are valued and protected in NSW. The Information Commissioner is the chief executive of the Commission.
About the NSW Privacy Commissioner
Ms Sonia Minutillo was appointed as the Acting Privacy Commissioner in February 2024. As Acting Privacy Commissioner, her role includes the promotion of public awareness and understanding of privacy rights in NSW, as well as providing information, support, advice and assistance to agencies and the public.
The Privacy Commissioner administers the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).
For further information about the IPC visit our website at www.ipc.nsw.gov.au