Privacy Obligations - Lessons and reminders from the Red Cross Data Breach
November 2016 | Article | Mary Sheargold
On Friday 28 October 2016 the Australian Red Cross announced that one of its IT providers had inadvertently caused the personal information of over half a million Australian blood donors to be published on a public-facing website. The extent of the damage from this data breach remains unknown. The breach is currently under investigation by the Australian Cyber Security Centre and the Office of the Australian Information Commissioner (OAIC). This is the most significant data breach reported in Australia’s cyber history. It provides a timely reminder to charities and the not-for-profit sector regarding the importance of protecting donors’ personal information – especially where sensitive information, as described below, is collected.
It’s vital that charity and not-for-profit boards and senior executives remain fully informed about their privacy obligations - and ensure that these obligations are given strong operational effect across their organisation.
What are your obligations under the Privacy Act?
Any organisation in Australia with an annual turnover greater than $3 million is bound by the 13 Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (the Act). The APPs also apply to any health service provider, companies that trade in personal information, and several other narrow groups of organisations, regardless of annual turnover.
The 13 APPs impose a range of obligations on organisations to protect the privacy of persons from whom information is collected. The obligations range from ensuring secure protection of any data stored to notifying people about the types of information collected and what will be done with it.
There are provisions relating to:
- the way in which you may store personal information (for example, where cloud storage is used, requiring any offshore third parties engaged to facilitate such storage to be compliant with the obligations under the APPs);
- the ways in which information may be shared with third parties generally (e.g. sale of databases to marketing companies, etc.);
- an obligation to maintain the accuracy of personal information collected and stored (e.g. is the information up to date?); and
- additional care that must be taken when collecting government related identifiers (Medicare numbers, driver's licence numbers, tax file numbers and Centrelink details etc.) and other 'Sensitive Information'.
What is ‘Sensitive Information’?
APP3 governs the circumstances in which your organisation may be able to collect Sensitive Information. Sensitive Information includes information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.
When can you collect Sensitive Information?
Sensitive information can only be collected if an individual consents to the collection of the information, and it is reasonably necessary for, or directly related to, one or more of your organisation’s functions. For example, the media was quick to comment on the potential disclosure of sensitive information the Red Cross collects regarding its donors’ propensity to engage in at-risk sexual behaviour. It is reasonably necessary for the Red Cross to collect that information to help ensure the quality of its blood supply. Similarly, it may be considered reasonably necessary for organisations such as faith-based schools to collect information regarding a prospective student’s religious affiliations (and that of his/her parents).
Do you really need to worry about this?
The answer to this question is a resounding ‘Yes’. Apart from honouring the trust placed in you by people who provide sensitive information, when the APPs were introduced in March 2014, the Act also incorporated significant penalties for breaches of the obligations. The maximum fine for a breach of the APPs currently sits at $1.8m. Further, the Act now provides the OAIC with a range of options to investigate organisations, especially where data breaches occur. For example, the OAIC can instigate an ‘own motion’ investigation, where an organisation is put under the microscope on suspicion of a data breach. The outcome of an own motion investigation can comprise a range of penalties, including the fines described above.
Mandatory data breach notifications
Since the overhaul of Australia’s federal privacy legislation in 2013-14, there has been great debate as to whether breaches such as the one the Red Cross found itself in last week should be subject to mandatory OAIC disclosure obligations. In March 2016, the federal Attorney-General issued a discussion paper in relation to mandatory obligations to notify regarding a serious data breach. It seems increasingly likely that some form of mandatory reporting obligation will be introduced to the Act in the near future.
What should you do now?
If you have not reviewed your privacy policies since the APPs were introduced in 2014, this is a timely reminder of the importance of doing so. Many not-for-profit groups will be bound by the APPs, and it is important that you understand and uphold your obligations.
We can assist you with a privacy law health check to ensure your organisation and those who support you are not left exposed. Please contact us.
Mary Sheargold | Senior Associate