14 June 2018
Glasses in front of a computer

What is a data breach?

The Commonwealth Privacy Act 1988 now establishes a Scheme which compels notification of data breaches where the breach is such that it is likely to result in serious harm to an individual whose personal information has been accessed. If hackers have accessed resumes held by Queensland Rail and WorkCover Queensland, then it’s highly likely that personal information of candidates has been accessed and given the seriousness of the breach, it’s likely that this will amount to an “eligible data breach” under the Scheme.

When is notification of a breach required?

Under the legislation, notification is only required where serious harm is likely, however where personal information such as contact details, date of birth, address, occupation and personal interests have been disclosed by accessing a resume, it would be difficult to argue that the breach is not a serious one.

If an organisation discovers that its database has been hacked, then it has an obligation to take steps to assess the breach and decide if serious harm could occur to any individual affected. If so, the organisation must notify the Australian Information Commissioner and also the individual person or people involved.

These mandatory data breach reporting rules apply to Government Agencies, businesses and non-for-profit organisations who have an annual turnover of $3 million or more. The rules also apply to organisations who have lower turnover if they are credit reporting bodies, health service providers, educational entities or the like.

What happened with PageUp?

According to their statement, released on 12 June 2018, in response to what is being claimed as Australia’s largest data breach to date, PageUp said, “Advanced methods were used to gain unauthorised access to PageUp’s IT systems in Australia, Singapore and the UK.

PageUp are an international HR Software company who host a platform via which applicants apply for jobs within organisations who use the software to manage those applications.

Disturbingly PageUp have confirmed, “After extensive review we now know that certain personal data relating to our clients, applicants, references and our employees has been accessed by a cyber attacker”.

Two organisations who have been affected include WorkCover Queensland and Queensland Rail and it appears the hackers have been able to access names, addresses, emails, phone numbers, usernames and passwords.

“We continue to run forensic analysis, but based on our current information we believe the affected data may include names, street addresses, email addresses, and telephone numbers. Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting, and therefore is considered to be of very low risk to individuals”, the statement said.

What do WorkCover and Qld Rail need to do now?

WorkCover Queensland and Queensland Rail will need to immediately take steps to contain the data breach, conduct an investigation and notify the affected individuals where possible. The Privacy Act requires that steps must be taken to remediate the risk of harm and to consider what action can be taken to prevent future breaches.

Whose responsibility does the protection of the data rest with?

Responsibility for compliance with the mandatory reporting requirements of the Privacy Act rests with the entity that holds the personal information. If that is held by PageUp, then they have the responsibility to comply with their legal obligations to not just investigate and remediate the data breach, but to notify those who are affected by it.

Will people be able to claim for damages if their details were accessed by the hackers?

It’s not well settled at law as to whether there is a recognised cause of action for invasion of privacy. Currently, a person would only be able to claim damages for breach of privacy or release of personal information where there was negligence or a breach of contract on the part of the entity that allowed the personal information to be disclosed. Even then, for a cause of action to be viable, there would need to be some measurable loss or damage caused – and that is very difficult to establish in most cases.

How far reaching are these privacy laws?

It is likely that there will soon be a case that sets a precedent dealing with this issue but for now, what is required is a legislative response to a growing risk and concern. Should we as individuals have a right to expect that our personal information is kept confidential? Should we as individuals have a right to recover damages against a corporation or entity that allows or permits our personal information and data to be released to someone else without our consent?

The issue goes further than just personal information held in a database. Should we as citizens have a right to expect that in our own homes and in our backyards, we are entitled to privacy? Should a photographer with a telescopic lens be permitted to take photographs of us in own home and space and then sell those for their own financial gain? There are competing considerations but what we need to do is start a conversation so that the community can set its own expectations and standards and have our Politicians craft legislation to reflect those in appropriate laws that protect all Australians.

The recent hacking incident demonstrates how vigilant businesses and government agencies must be in protecting data they hold and to the consequences of a breach not just for those whose information has been accessed, but for the reputation of the organisation.