Sending the wrong message: human error and the risk to privacy

When we think of data breaches, we usually think of delinquent hackers exploiting technical or human flaws in IT systems to hunt down the personal information of others. But in many cases the risk that private information will fall into the hands of the wrong person is much closer to home - and more everyday than we would like to think.

One in three reported data breaches are the result of simple human mistake. Whether it be sending an email containing someone’s personal information to the wrong recipient or falling foul of a malicious scam (phishing or impersonation), unauthorised access to confidential information is regularly facilitated by human error. According to the latest report from the Office of the Australian Information Commissioner, the risk to privacy from human error is on the increase.

Collecting personal information: their consent and your care

Most activities at the University involve the collection of personal information, such as the information that is needed to manage student, staff and alumni records, build research data sets and engage with the community. Personal information is essentially any data that enables a person to be identified, or that details aspects of someone’s personal life. Collection of such data should only be done with the informed consent of the individual and after establishing careful procedures to keep that information secure.

The University takes data security very seriously, recognising that good information management supports successful learning, teaching, research and innovation. Caring about the information provided is an essential part of the University’s success and reputation. Inattention can put that information at risk.

Sharing personal information: communicate with care

Technology allows us to work quickly and share information - almost instantaneously. When personal information is involved, it is even more important than usual to take extra care when communicating or sharing.

The measures each of us use when handling and sharing personal information as a part of our work are critical in guarding against data breaches. So, when you’re sending emails or linking to files containing personal or personally identifiable data, pause before you hit ‘send’ to ask yourself these questions:

  • Is the communication necessary? Only share personal information as required for the purpose and in accordance with the conditions under which the information was collected. Collection, use and disclosure must always align with the University’s Privacy Policy and Student Privacy Statement.
  • Are the recipients appropriate? Take a moment to check that the names and email addresses of those who will receive this communication are correct, particularly if you have multiple recipients. Before replying to all, or forwarding an email to new recipients, consider whether it is appropriate to share the contents of the entire email chain or any attachments. Remember that email addresses are personal data too and using bcc can prevent disclosure of this information.
  • Are the attachments appropriate? Check and ensure that any attachments are appropriate to send to a group and do not inappropriately reveal personal information about individuals. In some cases it may be necessary to redact identifiable data or find another way to provide information in a de-identified form. This applies to linked documents you have saved to share on a common drive.
  • Is the information and attachment the right one for the recipient? If you are communicating with multiple individuals about their personal information, take extra care to check that you are providing the right attachment to the right person. It is easy to inadvertently forward someone else’s personal information, so take care with document labelling and double check before you send.
  • How sensitive is the information I am sharing? The security measures which should be applied when transmitting data will vary depending on the classification. Refer to the Information classification and protection guideline to work out the relevant classification and security protocols you should apply.

When something goes wrong: respond to human error

Sometimes we do get it wrong, however, and inadvertently disclose personal information. If this happens there are steps that you should take immediately to reduce the risk of harm to the individuals affected:

  • Recall the email if possible
  • If that is not possible, note the date and time of sending
  • Email the recipient/s immediately and advise that the email has been sent in error and ask that they:
    • Not read, save or forward the information attached
    • Delete the email and attachment from their inbox and from their backup system permanently
    • Confirm via email that they have taken the above actions.
  • Advise your supervisor of the error and the steps taken
  • Follow the steps set out in the Data Breach Response Plan and submit a Data Breach Report as soon as possible.

Depending on the nature of the information and the potential for harm to those affected, the University may convene a data breach response group to assess and control risks to individuals and systems. This may include communicating with individuals and supporting them to deal with what has happened. In some cases, a notification to the Officer of the Australian Information Commissioner may be required.

Avoiding data breaches requires care and an appreciation of the value of the information entrusted to the University. Responding to data breaches requires the same, as well as a willingness to be open and honest when we make mistakes.

Further information

The University’s Privacy Impact Checklist is a tool which can help you assess the integrity of data management practices in your research, teaching or academic work.

For more information about how privacy and data security is managed within the University, refer to:

Tagged in legal alerts, news & announcements, communications, data protection, information management, privacy & records, records management