
Limelight 08/17

Data breach by Australian Red Cross Blood Service

Authors: Katherine Czoch, Jamie Ling, David Farrugia

Australian Information and Privacy Commissioner’s findings – entities must take adequate precautions over data management even when outsourcing to a third party IT provider

Introduction

On 7 August 2017, the Australian Information and Privacy Commissioner (Commissioner) released his findings into a data breach by the Australian Red Cross Blood Service (ARCBS).

The findings illustrate that organisations covered by the Privacy Act 1988 (Cth) cannot abdicate their privacy obligations to third party providers, and that an appropriate response to a data breach can reduce the regulatory action taken against them.

Facts

www.donateblood.com.au, the website of ARCBS, was managed by an independent IT contractor, Precedent Communications Pty Ltd (Precedent).

On 5 September 2016, a Precedent employee inadvertently placed a database file containing personal and sensitive information relating to approximately 550,000 prospective blood donors on a public-facing web server.

On 26 October 2016, after becoming aware of the breach, ARCBS took a number of steps to contain it, including taking down its website, notifying affected individuals and providing them with assistance.

On 27 October 2016, the Commissioner opened an investigation into the incident under the Privacy Act.

The legislation

The Privacy Act applies to all private sector organisations with an annual turnover of more than $3 million and to some small businesses. Organisations covered by the Act must comply with the Australian Privacy Principles (APPs) contained in Schedule 1 of the Act.

APP 6 states that an entity must only use or disclose personal information for the primary purpose for which it was collected, unless it can rely on certain exceptions.

APP 11.1 states that an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

APP 11.2 states that if personal information about an individual is no longer required for any use or disclosure permitted by the APPs, the entity must take reasonable steps to destroy or de-identify that information.

Serious or repeated interferences with privacy can result in monetary penalties of up to $1.7 million for corporations and up to $340,000 for individuals.

Findings against ARCBS

The Commissioner found that ARCBS did not breach APP 6, as it did not itself disclose the data; the disclosure was made by a Precedent employee, without the authorisation or direct involvement of ARCBS.

However, although ARCBS did not physically hold the personal information in the data file, it retained ownership of the data under the terms of its contract with Precedent. The Commissioner therefore found that both Precedent and ARCBS "held" the data, and that both organisations had obligations under APP 11.1 to protect it.

The Commissioner found that ARCBS failed to implement appropriate contractual requirements or control measures to protect personal information handled by Precedent in that:

  • ARCBS failed to properly assess the adequacy of Precedent’s security measures and practices when it awarded the contract to Precedent;
  • the contractual arrangements between ARCBS and Precedent focused on service levels and did not include control measures to mitigate the risks of using a third party provider; and
  • ARCBS’s information security requirements of Precedent were not clearly articulated, nor proportionate to the scale and sensitivity of the information held.

Accordingly, the Commissioner found that, while ARCBS’s own personal information protections were strong, it did not take reasonable steps to protect the personal information held on www.donateblood.com.au, in breach of APP 11.1.

Further, the Commissioner found that as:

  • ARCBS’s data retention policy did not extend to the information stored on www.donateblood.com.au; and
  • there did not appear to be any reason for historical data to be stored indefinitely in the database of www.donateblood.com.au,

ARCBS had failed to take reasonable steps to destroy or permanently de-identify personal information that was no longer in use or needed, in breach of APP 11.2.

Despite the findings of breach, no penalty was imposed on ARCBS. The Commissioner was satisfied that the containment steps taken were appropriate to rectify the data breach, and accepted an enforceable undertaking formalising ARCBS’s commitment to review certain measures within a specified timeframe.

Findings against Precedent

Despite the release being accidental, Precedent was found to be in breach of APP 6.1.

The Commissioner found that the steps taken by Precedent to protect the personal information were inadequate because live data was used for testing purposes in the User Acceptance Testing (UAT) environment (which was partly publicly accessible), when dummy data would have sufficed.

Further, given that Precedent was using live data, it had no processes in place to track database backups, and had taken no steps to control for the possibility of human error by reducing and restricting access to its systems.

The Commissioner therefore found that Precedent did not take reasonable steps to protect the personal information it held from misuse and loss, and from unauthorised access, modification or disclosure, in contravention of APP 11.1.

Similarly, no penalty was imposed on Precedent, as it proposed an appropriate set of measures to enhance its protection of personal information and provided an enforceable undertaking to implement those measures.

Issues for organisations

Entities regulated by the Privacy Act that outsource their IT need to carefully assess the adequacy of the IT provider’s security measures and practices, and ensure that the terms of the contract with that provider clearly set out the entity’s information security requirements and provide for control measures to mitigate risk.

Such entities also need to take reasonable steps to destroy or permanently de-identify personal information which is no longer in use or needed.

Date: 17 August 2017


This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be nor should it be relied upon as legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.