It’s an essential addition to your policy portfolio. Why? Because not-for-profits have a responsibility to treat information carefully. Cyberattacks and identity theft have become common, personal data is being sold for profit, and health information must be stored securely. This free 15-page policy template – produced with the assistance of our legal partner Moores – will help you to protect private information and meet your legal obligations.
This policy features best-practice processes for:
- data collection, use and disclosure
- data storage, destruction & de-identification
- data quality, security and retention
- openness about data, with measures for access and corrections
- proper use of “identifiers”, anonymity and third parties
- whether the Privacy Act 1988 applies to your organisation
- the type of information you hold and how it’s collected
- employee, contractor, job applicant and volunteer information
- marketing and fundraising
- handling disclosures and sensitive information
- managing security and data breaches
- updating or destroying information
NFPs must respond to data threats to comply with laws
Moores privacy expert Cecelia Irvine-So told ICDA the pandemic had seen a spike in ransomware attacks and privacy breaches, but that a good policy would help groups to keep information safe, and to respond better to breaches.
According to the Office of the Australian Information Commissioner (OAIC) there were 518 notifiable data breaches in the six months to June 2020, with a big spike in May. Significantly, ransomware attacks leapt 150% over the previous six months.
And these are only the notifiable breaches in which it was expected that the breach would risk “serious harm” to victims.
While malicious attacks accounted for 61% of the notifications, human error was behind 34% of the breaches. Once again, the health services industry – which has many not-for-profit operators – was the worst affected, with more than one in five reported cases.
The education sector was also in the top five sectors for notifications, while charities continue to account for many notifications.
Cyberattacks such as the the July phishing attack on Scouts Victoria highlight the risks to not-for-profits.
Key questions to boost data security, privacy
Our Community’s director of data intelligence, Sarah Barker, stressed that cyber attacks were not the only threat.
“There are other causes of data breaches which are even more common, such as unauthorised access or accidental data loss,” she said.
The advent of COVID-19 had accelerated the need for groups to address privacy issues.
“There has been a rapid shift for organisations adapting to remote working and providing services online. This means a greater reliance on digital systems. Now is a great time to ensure there are appropriate controls in place, even for small organisations.”
Ms Barker urged organisations to ask themselves key questions to better understand data privacy, such as:
- What personal information do we collect? This may be information about donors, supporters, volunteers, people you serve and other contacts.
- How is this data used? Do you have consent to use the data for that purpose?
- Where is this data stored? Is it secure, and who has access to it? Many organisations rely on cloud-based tools for surveys, mailing list, document storage and contact management – these tools might be hosted outside Australia.
- What would we do if there was a data breach?
Why people are the weak link in your privacy, cybersecurity
Recently, Our Community hosted a webinar on this very issue: Cyber trends – protecting your people, processes and technology.
Presenter Adam Smallhorn, from the Commonwealth Bank’s cyber security outreach team, outlined some of the other methods organisations can use to protect themselves.
He said the three keys to good cybersecurity are:
Mr Smallhorn said it was necessary to look at all those areas.
But as he puts it, “the easiest attack vector for criminals is people”.
In the presentation, Mr Smallhorn demonstrated how easy it is for crooks to target organisations.
In one example, he showed how a would-be hacker could simply look at a founder’s bio, usernames, social media accounts, birthdays and other dates, favourite sports teams, pets; and children’s names, and use that information in a freely available password generator.
Password generators are able to compose 10,000 likely passwords in “milliseconds”. Those can be used to access websites, emails and worse.
“That’s why we say that people are actually a huge component of your cybersecurity.”
He said that phishing scams accounted for most successful cyberattacks, and that even though 80 percent of workers knew the risks, “they click on the link anyway”.
He stressed that raising awareness of the risks – and increasing knowledge about the signs of phishing scames, such as misspellings and requests for personal information – was very important for organisations.
Questions to ask include “Have I talked to my staff, my team about this? Are we vulnerable to attack?”
His top tips?
- Lead by example, and expect your organisation to use strong passwords
- Make someone in the organisation responsible for cyber security
- Focus on the people and process, not just technology
- Build a cybersecurity culture
- Use the free resources available.
He suggested a good place to start your cyber safety journey was with Damn Good Advice on Cyber Safety and Fraud Prevention, jointly produced by Our Community and CommBank.