The benefits of collaboration can be seen through the increasingly common organisation of ‘design jams' and ‘hackathons'. These events, which bring together teams of participants from different organisations to create novel solutions to real-world problems, are usually conducted as a friendly competition for minor prizes and are often utilised by not-for-profit organisations.

Despite the best intentions behind these events, a recent case investigated by the Office of the Australian Information Commissioner (OAIC) has demonstrated the need for entities to maintain vigilance and not become complacent when conducting these events.

What was the problem?

Information made available to participants in a ‘design jam' accidentally included personal information, including credit card data.

Background

In early 2017, Flight Centre invited travel agents to participate in a ‘design jam' during which the participants were tasked with creating technological solutions that could assist travel agents deal with customers during the sales process. 

Flight Centre provided 90 participants with access to a data set that contained 28 million rows of data that had been taken from Flight Centre's quoting, invoicing and receipting system. The information was thought to have been de-identified and Flight Centre employees reviewed the top 1,000 rows to ensure there was no personal information.

36 hours after the information had been made available to participants, Flight Centre was notified that credit card information was visible in a free text field within the data. On review, Flight Centre found that 4,011 credit cards and 5,092 passport numbers (relating to 6,918 individuals) had been mistakenly disclosed.

In addition, a number of usernames, passwords and dates of birth had also been disclosed. The personal information was found in a free text field in which Flight Centre employees had documented customer information in breach of company policy.

What did Flight Centre do?

Upon being notified of the breach, Flight Centre took a number of remedial actions, including removing access to the data set and obtaining verbal confirmation from each participating team that they had destroyed all copies of data. Flight Centre also conducted a post-incident review (including a risk assessment, which deemed the incident as ‘low risk') and notified individuals and offering them free identity theft and credit monitoring coverage and reasonable costs for replacement of their passports.

What did the OAIC do?

The OAIC determined that the disclosure of personal information by Flight Centre was in breach of Australian Privacy Principles 1.2, 6 and 11.1. 

In coming to the decision, the OAIC rejected Flight Centre's submissions that the release of data was a ‘use' rather than a disclosure, and found that the data had been released to an extent that it was no longer within Flight Centre's effective control. Factors such as allowing participants to download the data, and the need for Flight Centre to contact each participant to confirm the deletion, indicated that this was a clear disclosure of personal information to unauthorised third parties.

The OAIC then reiterated that entities cannot infer consent simply because they provided an individual with their privacy policy. Even if customers had indicated their agreement to the uses and disclosures set out in Flight Centre's privacy policy (whether explicitly or through their continued engagement with Flight Centre), the OAIC took the view that the privacy policy had bundled the different uses and disclosures of personal information together in such a way that it was not specific enough to obtain valid consent.

As such, Flight Centre had not obtained valid consent and the disclosure of a customer's information for a secondary purpose, being the design jam, was not within the reasonable expectation of Flight Centre's customers.

Despite Flight Centre having important policies and procedures documented, it did not make it sufficiently clear to its staff that personal information should only be entered into certain fields and there were otherwise a number of areas where policies were either not followed or were inadequate to address the risk of an incident occurring. 

The determination noted that failure to comply with these policies was likely to have been occurring for a significant period of time, which indicated insufficient quality control and assurance procedures.

Given that Flight Centre had cooperated with the investigation and had already incurred various costs (including $68,500 to replace passports), the determination held that there would be no further action taken by the OAIC.

Key takeaways for organisations

The Flight Centre determination acts as a stark reminder of the impact of human error, the implications of failing to ensure policies and procedures are followed and the need for APP entities to maintain vigilance over retained personal information.

The determination stated entities should always assume that human errors (such as the accidental disclosure of personal information) will occur. Policies and procedures should be designed to minimise the impact of this human error and, to the extent possible, prevent it. 

The determination also found that Flight Centre's full suite of policies may have been too complex and confusing for its staff. APP entities should ensure their policies are clear and concise. Staff need to be sufficiently trained to know how they should be handling and storing personal information, and steps should be taken to operationalise information security policies. 

When conducting a project or organising a collaboration, entities should ensure that all participants are aware of their privacy obligations and, at a minimum, contractual mechanisms must be put in place to ensure that personal information can only be used for the purpose it was provided (and is deleted afterwards). This could be in the form of a binding non-disclosure agreement that each participant is required to sign before participation. If data sets are being provided to participants, another reasonable step could be to implement an automated scanning technique to review the data for any personal information before it being disclosed.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.