The Australian Red Cross announced on 28 October 2016 that it had become aware that a file containing over 550,000 Australian donors’ personal information had been made publicly accessible. According to reports, the information was available from 5 September 2016 to 25 October 2016.
As far as the Australian Red Cross is aware, the data was only accessed once, on 25 October 2016, when a third party conducted a security scan, discovered the breach and notified the Australian Cyber Emergency Response Team (AusCERT), of which the Red Cross is a member. The cause of the breach appears to lie with a third-party organisation which develops and manages the Red Cross’s website.
Privacy Act applies to Red Cross
As the Australian Red Cross is a large organisation and a charity, the federal Privacy Act 1988 and the Australian Privacy Principles apply to the organisation. The Act and the Australian Privacy Principles regulate how the privacy laws apply to organisations, what personal information is, and how organisations are meant to protect personal information.
More about privacy law in general can be read in our article, Privacy Law in Australia. Specific rules organisations must follow to protect personal information are discussed in our article, Privacy Act Obligations to Protect Clients’ Personal Information.
Personal information caught in the breach included sexual risk questions
The Privacy Act 1988 defines personal information as information that can be used to identify a person. This includes a person’s name, address or their occupation.
The information in the file which was breached included the following:
- Full names;
- Dates of birth and gender;
- Phone numbers and email addresses; and
- A series of yes / no questions used by the Australian Red Cross to determine donor risk.
The yes / no risk questions included the question, “in the last 12 months, have you engaged in at-risk sexual behaviour?” While the file does not contain the more in-depth questions asked in the Australian Red Cross’s Donor Questionnaire Form, the questions it does contain represent a privacy concern for the affected individuals.
Privacy Act obligations did not compel the Red Cross to disclose the breach
Despite the Privacy Act applying to the Red Cross, there was no obligation for the Australian Red Cross to disclose the breach. This is because there is currently no law which obliges organisations to disclose security breaches involving personal information. This is despite the Office of the Australian Information Commissioner’s guidelines recommending that organisations do so.
As a consequence, the Australian Red Cross security breach is the largest breach reported in Australia, and it is notable not just because it affects over half a million Australian donors, but also because it was reported voluntarily, as there are no laws which mandate organisations to report such security breaches. For this reason, the Australian Red Cross did the right thing in notifying the individuals affected by the breach.
Australian Privacy Principle 11 does not go far enough
Australian Privacy Principle 11 (APP 11) requires that organisations take reasonable steps to ensure that the personal information they hold is not lost, interfered with, accessed without authority, misused, disclosed or otherwise modified.
While arguably APP 11 is what motivated the Australian Red Cross to become a member of AusCERT and to publicly disclose the breach, the Privacy Principle does not require organisations to disclose breaches as part of the obligation to ensure personal information is secure.
This is a significant shortfall of the legislation if individuals and organisations want to prevent further data breaches. As is the case with the rule of law in general, the law and the policy which guides the law must be on the same page. In this regard, it makes sense that for organisations to ensure the security of personal information, disclosure of security breaches should be mandated by law.
The Australian Information Commissioner has the power to order damages
While organisations currently have no legal obligation to report on security breaches of the personal information they hold, organisations will be held accountable for not complying with other privacy obligations.
Under section 52 of the Privacy Act, the Australian Information Commissioner can make determinations on privacy complaints, which can include orders for apologies and damages. For the Commissioner to make a determination, a complaint must be presented outlining the privacy breach and the specific Privacy Principle that was not complied with.
Submissions as to the effects, both economic and non-economic, should be included if damages are sought.
If you have received an email or a text message from the Australian Red Cross informing you that your data was included in the file, you should contact the Red Cross to determine what information of yours was specifically breached. You can contact the Australian Red Cross directly via the following dedicated contact details:
Hotline: 13 95 96
Renewed push for mandatory data breach reporting
The Australian Red Cross breach renews the push for the Federal Parliament to enact legislation which makes reporting of security breaches involving individuals’ personal information mandatory.
The Australian Government conducted community consultation in early 2016 to determine the extent of mandatory notification laws and the effects they would have on the public and the private sector. The election was called in May 2016 and since then, no further progress has been made.