Author: Katherine Czoch / Source: Mondaq
- Data Breach by Australian Red Cross Blood Service
- Australian Information and Privacy Commissioner’s findings
- Need for entities to ensure they take adequate precautions as to data management even when outsourcing to a third party IT provider
Introduction
On 7 August 2017, the Australian Information and Privacy Commissioner (Commissioner) released his findings into a data breach by the Australian Red Cross Blood Service (ARCBS).
The findings illustrate that organisations covered by the Privacy Act 1988 (Cth) cannot abdicate their privacy obligations to third party providers, and that appropriate action in response to a data breach can minimise regulatory action.
Facts
www.donateblood.com.au, the website of ARCBS, was managed by an independent IT contractor, Precedent Communications Pty Ltd (Precedent).
On 5 September 2016, a Precedent employee inadvertently placed a database file containing personal and sensitive information relating to approximately 550,000 prospective blood donors on a public-facing web server.
On 26 October 2016, ARCBS took a number of steps to contain the data breach, including taking its website offline, notifying affected individuals and providing them with assistance.
On 27 October 2016, the Commissioner opened an investigation into the incident under the Privacy Act.
The legislation
The Privacy Act applies to all private sector organisations with an annual turnover of more than $3 million and to some small businesses. Organisations covered by the Act must comply with the Australian Privacy Principles (APPs) contained in Schedule 1 of the Act.
APP 6 states that an entity must only use or disclose personal information for the primary purpose of its collection, unless it can rely on certain exceptions.
APP 11.1 states that an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
APP 11.2 states that if personal information about an individual is no longer required for a use or disclosure permitted by the APPs, the entity must take reasonable steps to destroy or de-identify that information.
Serious or repeated interferences with privacy can result in monetary penalties of up to $1.7 million for corporations and up to $340,000 for individuals.
Findings against ARCBS
The Commissioner found that ARCBS did not breach APP 6, as it did not disclose the data; this was done by a Precedent employee, and…