In October 2016, the Australian Red Cross Blood Service (“ARC”) became aware that a database containing records of over 550,000 blood donors had inadvertently been uploaded by a contractor to a publicly available website. The database comprised records of donors who donated blood between 2010-2016. The database contained contact details and sensitive information, such as whether the donor had ever engaged in any at-risk sexual behaviour or illicit drug use.
AusCert, a computer emergency response team associated with the University of Queensland, alerted the ARC of the breach. The ARC quickly took steps to control the security breach and released a statement apologising for the breach. It established a hotline where concerned donors could access information about whether their personal information was part of the leaked data.
On 27 October 2016, the Privacy Commissioner announced an investigation into the breach and to investigate the data handling practices of the ARC and the contractor involved in the breach, Precedent Communications Pty Ltd. The investigation took 10 months to complete.
How it happened
The Commissioner found the data breach occurred when an employee of an ARC contractor, Precedent Communications, uploaded the database on a web-server on 5 September 2016. The database was accessed by an unknown individual on 25 October 2016, which contacted the ARC via AusCert.
Results of the Commissioner’s investigation
The Commissioner found that the data breach was the result of a once-off human error on the part of an employee of the ARC’s contractor. It occurred without the authorisation or direct involvement of ARC and was outside the scope of Precedent’s contractual obligations it owed to ARC. Therefore, the Commissioner held ARC did not disclose the information within the meaning of the Privacy Act.
The Commissioner also concluded that ARC had in place policies and practices to protect personal information, including documented information security policies and regular staff training. However, although the data breach was caused by human error, the Commissioner found that the ARC had contributed to the circumstances giving rise to the breach and which were breaches of the Privacy Act. In particular, the Commissioner determined that ARC had not taken reasonable steps to protect the personal information held on the Donate Blood website and had not taken reasonable steps to destroy or de-identify the information when it was no longer needed.
First, the Commissioner found that ARC had not agreed to contractual measures or other reasonable steps to ensure that Precedent had adequate security measures for personal information Precedent held. Secondly, the Commissioner found that the information was held on the Donate Blood website for a longer period than was required.
By virtue of the agreement between ARC and Precedent, the Commissioner held that ARC retained effective ownership of the data and therefore, even though ARC did not have physical control of the data, ARC was bound to protect that data. The Commissioner held that ARC had not assessed the adequacy of Precedent’s security measures and practices before entering into the contract with Precedent to develop and maintain the Donate Blood website in 2015. ARC’s requirements in relation to information security were not clearly articulated or proportional to the scale and sensitivity of the information.
The Commissioner held that a reasonable step in the circumstances would have been to include specific contractual requirements for how Precedent would handle and store the donors’ personal information and a reporting mechanism to ensure those requirements were being met.
The Commissioner found that the information ARC collected through the Donate Blood website was gathered for the primary purpose of allowing donors to make appointments to donate blood. Once the information was transmitted to the Blood Service Marketing and National Call Centre, the information was no longer needed for that purpose or for any other function or activity of ARC. Accordingly, the information should have been destroyed or de-identified.
A summary of steps ARC has taken since the data breach
ARC has reviewed its information handling practices and taken steps to enhance its practices.
ARC has destroyed all historical data from the Donate Blood website database and implements a practice of deleting personal information collected through the website fortnightly. ARC has developed and is implementing policies and procedures to monitor compliance by its third parties of compliance with data security requirements. ARC has limited the personal information it collects via the public Donate Blood website, with the more sensitive information to be collected through ARC’s call centre.
ARC has engaged external consultants to review incident management response and data security governance, process and systems, in order to identify areas of improvement and to develop strategies to implement the improvement.
ARC now requires privacy impact assessments to be completed prior to negotiation of any significant contract to ensure privacy and data sharing are considered, with appropriate protections put in place.