14 August 2017

Always look on the bright side

The Australian Information and Privacy Commissioner last week reported conclusion of an investigation into the Australian Red Cross Blood Service’s DonateBlood.com.au data breach.

The OAIC media release states:
The Commissioner considers that the community can have confidence in the Australian Red Cross Blood Service’s commitment to the security of their personal information, following his investigation.
The investigation found that a file containing information relating to approximately 550,000 prospective blood donors was saved to a publicly accessible portion of a webserver managed by a third party provider. This was an inadvertent error by an employee of the third party provider. Upon being notified, the Australian Red Cross Blood Service took immediate steps to contain the breach and notify affected individuals.
‘Data breaches can still happen in the best organisations — and I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process,’ said the Commissioner.
While the Blood Service had in place policies and practices to protect personal information as required by the Privacy Act 1988, there were two matters within the Blood Service’s control that were a contributing factor to the data breach.
An observer who is less inclined to embrace the OAIC's 'always look on the bright side' philosophy might conclude that the 'policies and practices' in place were inadequate and that there are grounds for reviewing expectations.

The media release goes on to state:
‘This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures.’
The Blood Service has enhanced its information handling practices since the incident and has provided assurance to the Commissioner and the Australian community through an enforceable undertaking. The third party contractor, Precedent Communications Pty Ltd, has also provided an enforceable undertaking with the Commissioner’s office.