5 December 2022

Provider alert - Preventing and managing data breaches  

This alert is to remind providers of their obligations to comply with privacy laws including personal information security requirements and mandatory data breach reporting obligations.

Preventing and managing data breaches  

A data breach is an unauthorised access or disclosure of personal information, or loss of personal information.

The security of personal information is a critical issue for participants. Providers must pay careful attention to the privacy and security of information that they hold.

Many providers use digital platforms and technologies that store personal information about participants, as well as using information technology services to support their business.

With the rapid evolution of data security threats, providers should ensure that they have robust measures in place to support the security of participants’ data, and to respond if there is a data breach. These measures should be suitable and proportionate to your organisation and the types of participant information you hold.

A data breach involving personal information can put affected individuals at risk of serious harm and can also damage an organisation’s reputation. Being prepared for a data breach and putting in place a quick and effective response is essential for all providers that handle personal information about participants. 

Provider obligations

All NDIS providers are required to respect the privacy of people with disability. Providers must also comply with privacy laws including personal information security requirements and mandatory data breach reporting obligations.

The NDIS Code of Conduct requires all providers to respect the privacy of people with disability and promptly take steps to raise and act on concerns about matters that may impact the quality and safety of supports and services provided to them.

The NDIS Practice Standards specify the quality standards that registered NDIS providers must meet to provide supports and services to NDIS participants. Relevantly, these include:

• Information Management, which includes the management of each participant’s information in a way that ensures the information is identifiable, accurately recorded and confidential.
• Privacy and Dignity, in which each participant can access supports that respect and protect their dignity and right to privacy.

The Quality Indicators provide further guidance for registered NDIS providers in meeting their obligations under the NDIS Practice Standards. For instance, in respect of Information Management, a registered NDIS provider should be able to demonstrate that documents are stored with appropriate use, access, transfer, storage, security, retrieval, retention, destruction and disposal processes. These processes should be relevant and proportionate to the scope and complexity of supports delivered.

In relation to Privacy and Dignity, a registered NDIS provider should be able to demonstrate that it has consistent processes and practices in place that respect and protect the personal privacy of each participant.

Registered NDIS providers must also comply with Commonwealth, state and territory laws as a condition of registration.

The Privacy Act 1988 (Cth) (the Privacy Act) contains Australian Privacy Principles (APP) that set out entities’ obligations for the management of personal information.

This includes how personal information is handled across different technologies and different uses. Specifically, APP 11 requires entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The Privacy Act also requires entities to notify affected individuals and the Australian Information Commissioner of certain data breaches.

Providers may have other data protection and reporting obligations under the laws of their state or territory, or relating to certain categories of information, such as health information.

The Australian Information Commissioner can take a range of actions in response to a failure to comply with the Privacy Act and related requirements.  

Visit the OAIC website for more information about data breaches and the Australian Privacy Act.

Preventing cyber threats and managing data breaches

Even the smallest cyber security incident or data breach can have devastating impacts to the individuals affected, the reputation of the Provider and confidence in the NDIS.

Providers should take action to prevent or limit the possibility of a data breach and to support a quick response if a breach occurs.

Prevention

• Ensure your workers are aware of cyber security issues, threats and risks, especially from phishing and other threats targeting access to your systems.
• Make sure your workers understand the importance of protecting credentials such as usernames and passwords.
• Use multi-factor authentication for all remote access to business systems and for all users when they access or change important or sensitive data.
• Automatically update operating systems, software applications, browsers and plugins with patches and fixes.
• Install anti-virus protections to help guard against malware that steals credentials and personal information.
• Automatically back up data to the cloud or an external hard drive.
• Put in place appropriate strategies to reduce cyber security risks that are suitable to your organisation and the data you hold about participants.
• Include data management and cyber security as part of your governance and operational management.
• Exercise due diligence in engaging external suppliers for information management or other services that will enable third parties access to your information systems.
• Your internal processes and your workforce are the last, and one of the most important lines of defence in protecting your business from cyber security threats. Ensure you train your staff in how to prevent, recognise and report cyber security or data breach incidents.

Managing a breach

• Develop a data breach response plan that sets out roles and responsibilities involved in managing a data breach and the steps you will take if it occurs.
• Know the steps to take in a data breach incident.
• Notify the Australian Information Commissioner of notifiable data breaches.  
• Inform the NDIA at privacy@ndis.gov.au if the data breach includes personal information about participants, such as participant ID, participant names or other identifying information or plan details. The NDIA can arrange to monitor expenditure against participant plans and take action to safeguard participant funds where needed.

Notify the NDIS Commission of any changes

Registered NDIS providers must notify the NDIS Commission of certain changes and events, especially those that significantly affect your ability to comply with any of your conditions of registration.

Use the NDIS Commission Portal to notify us of any changes or events that are due to a data security breach impacting your ability to comply with your obligations.  

More information

Visit the Office of the Australian Information Commissioner (OAIC) website for information and guidance material on managing data breaches, developing a data breach response plan and reporting notifiable data breaches and a guide to securing personal information

The Australian Cyber Security Centre (ACSC) has information and guidance material on steps you can take to protect yourself, your organisation and participants from a data breach, including the strategies to mitigate cyber security incidents and questions for boards to ask about cyber security.

The ACSC’s Small Business Cyber Security Guide is also a useful resource.

Visit IDCare for national identity and cyber support services to help reduce the harm to individuals and organisations from the compromise and misuse of identity information.

If you suspect someone is doing the wrong thing with NDIS funds, you should report it. You can report suspected fraud or non-compliance by calling the NDIS Fraud Reporting and Scams Helpline on 1800 650 717 or by emailing fraudreporting@ndis.gov.au.

You can also report it to the NDIS Commission. The NDIS Commission works closely with the NDIA particularly where the issue affects the provision of quality NDIS supports and services to participants. Call the NDIS Commission on 1800 035 544 or email contactcentre@ndiscommission.gov.au.