Australia: Notifiable Data Breaches – Two years on

Since the mandatory data breach notification requirements were introduced in Australia in February 2018, the Office of the Australian Information Commissioner (OAIC) has published regular statistics on the operation of the scheme. These reports give a useful overview of the trends emerging in Australia over the last two years.

The high-level causes of notifiable data breaches have remained consistent throughout this period, with approximately one third of all notified breaches being caused by “human error” (e.g. incorrectly addressed emails, lost devices) and the vast majority of the balance owing to malicious or criminal attacks (most commonly phishing).

The number of notifications made per month is generally at its lowest in January and recently peaked at 124 in May 2020. This perhaps reflects the increased threat levels during the Covid-19 pandemic and the fact that many workplaces made the switch to home-working in March and April of this year.

The health sector has consistently been the highest reporting sector (in the most recent statistics for the period January – June 2020, the health sector accounted for 22% of all notified breaches), followed by the finance sector. This is thought to be attributable to a number of factors, including:

  • the high volumes of data held by these sectors;
  • the sensitivity of the information held (which, under the Australian scheme, is a key factor when determining if notification is required); and
  • the relative maturity regarding detection, reporting and compliance in these sectors.

For further information, please contact Sarah Birkett (Senior Associate, Melbourne) or your usual DLA Piper contact.