How to Minimise Data Breaches in your Agency

Privacy and Security
Written By O*NO Legal Team

O*NO! Did you know that human errors are one of the largest sources of data breaches reported? And these are only those that are reported. There are several other ways your agency is leaking money and clients by data breaches that you may not be aware of, or are yet to uncover.

But why do they keep happening? Aren’t they avoidable? Let’s take a look at some common reasons data breaches may be occurring in your agency and how you could avoid them.

What are human error causes?

Sending personal information to the wrong recipient via email happens more than any more than any other kind of human error data breach.

Other examples where human error is a direct cause include:

  • accidental online publication of personal information;

  • including all email addresses in the ‘To’ field instead of ‘BCC’ when sending a group email, exposing everyone’s contact details;

  • failure to remove or de-identify personal information from records before disclosure;

  • loss of paperwork or electronic storage devices;

  • throwing out customer records out in a general waste bin.

Human error as a trigger

Although human error directly causes a third of data breaches, it is widely recognised that human error is a contributing factor to almost all data breaches. 

But it can also be said that it is rarely just one human act or error that results in data being breached.

Or rather, when a person triggers a data breach they are not necessarily the sole cause. Breaches often occur due to the combined effect of failures at multiple levels across an organisation.

The problem is, if a system is not designed to deal with human error, that system is designed to fail.

This is because human errors are foreseeable. Systems must therefore be designed to minimise the harm or effect of human errors.

Privacy by design

The fact that there is a human factor involved in so many data breaches means staff training is critical, and information-handling awareness can certainly be improved through training.

On the other hand, human error is inevitable – so this should be factored into your risk management strategies, with strong emphasis on underlying processes and technologies that will support data protection.

Business practices should be designed to

  • prevent accidental disclosure of personal information

  • recognise & assess data breaches quickly

  • be ready to respond - know the steps you need to take.

Policy Errors

The Australian Privacy Commissioner has found that data breaches result not only from human errors, but from the failure of systems to plan for the risks of human error.

If staff aren’t taught why certain instructions or directions are necessary, they probably won’t understand the risks involved.  

Let’s say you have identified operational risks, and have gone to the effort of putting a plan or policy in place. But this may not help if the people who must follow it do not understand what the policy is supposed to achieve, or how the policy avoids risk.

The lesson is that if staff are trained to understand the privacy risks and how they occur, they are more likely to follow the instructions you have in place to avoid them. 

Privacy Culture

This comes back to workplace culture. Staff may know what they are supposed to do to in order to protect information, but without a culture that promotes privacy, they still fail to do the right thing because it’s easier not to, or because they don’t realise why certain instructions are important.

What’s more, with good culture & training staff can actually help to prevent breaches by detecting flaws in your system!

Key Takeaways

  • If privacy is not a part of your general workplace culture, data breaches will be more common. Make privacy a priority and a regular focus for employees.

  • Even if you have good security, people still make mistakes.

  • Failure to de-identify data, restrict access, or only collect data that is reasonably necessary will mean that human errors are more likely to trigger flaws inherent in your system, resulting in serious data breaches.

Your next steps

Is your agency privacy prepared? To ensure your agency’s privacy framework is legally compliant, prepared for a privacy crisis (like a data breach), and that your a*rse is actually covered why not take a Privacy Prepared Health Check. Now you can diagnose the your agency’s areas of concern and risk, and develop an action plan to implement your very own privacy prepared framework. Book your FREE 10 minute call to get started or for more information click here.

O*NO Legal Team
Previous

Are my contractors actually employees? The good, the bad and the watch out!
Next

5 Critical Questions to Ask When Going into Business with Others