But we only used the customer data for our IT project...

As we move further into the digital era, and now by necessity thanks to the recent global pandemic, businesses are all striving to provide an easy online customer experience. Businesses collect and create data about customers every day, and that data is used for various purposes, including improving the online customer experience and upgrading their online systems. The question is: do those businesses have the right to use that personal data however they wish?

On 25 November 2020, Flight Centre learnt the hard way the importance of keeping privacy front of mind for all business activities and of complying with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), even when engaging in activities such as IT projects to create or enhance technological solutions.

In March 2017, Flight Centre held a hackathon where registered participants engaged in a two-day session to create technological solutions for the Flight Centre customer user experience. Participants were provided with a dataset containing 106 million rows of data (Hackathon Data). The Hackathon Data was only intended to contain customers’ year of birth, postcode, gender and booking information. Unfortunately, only a sample of the Hackathon Data was checked, and a participant at the hackathon later identified that passport numbers, credit card details, usernames and passwords, and dates of birth had also been provided unintentionally within the free-text portion of the Hackathon Data. Within 30 minutes of notification of the data breach, Flight Centre removed all access to the Hackathon Data and commenced its investigation into the incident.

Flight Centre assessed the data breach as low risk, as disclosure was only to a limited group of known recipients and there was no evidence of misuse of the data, of malicious intent in the disclosure of the data, or of unauthorised access to Flight Centre’s systems. Despite the low risk rating, Flight Centre proceeded to undertake remedial action which included, amongst other things:

  • Conducting post-incident reviews;
  • Notifying potentially impacted customers who could be identified;
  • Offering identified impacted customers:
    • free identity theft and credit monitoring;
    • reimbursement of reasonable costs to replace a potentially compromised passport;
  • Placing the details of those disclosed credit cards onto a fraud watchlist with its merchant bank;
  • Reviewing and updating policies, procedures and training as they related to privacy and data handling;
  • Engaging security specialists to monitor the dark web and other locations where the data may be published.

Notwithstanding the steps taken by Flight Centre after the data breach, and its numerous policies, procedures, technical security protections and training, the Privacy Commissioner elected to investigate the data breach pursuant to section 40(2) of the Privacy Act and in its decision [1] declared that:

  • Flight Centre had engaged in conduct constituting an interference with the privacy of approximately 6,918 individuals;
  • Flight Centre must not repeat the conduct referred to in paragraph [1] of the determination; and
  • It is inappropriate for any further action to be taken in the matter.

The Privacy Commissioner’s declaration was based on its determination that Flight Centre had breached:

  • APP 1.2 (open and transparent management of personal information) by failing to take such reasonable steps in the circumstances so as to implement practices, procedures and systems to ensure compliance with the APPs;
  • APP 6.1 (use or disclosure of personal information) by disclosing the individuals’ personal information to third parties participating in a design jam event without consent, for a purpose other than the primary purpose of collection; and
  • APP 11.1 (security of personal information) by failing to take such steps as are reasonable in the circumstances to protect individuals’ personal information from misuse and loss and from unauthorised access, modification or disclosure.

In making this determination, the Privacy Commissioner relied on various publications of the Office of the Australian Information Commissioner (OAIC) including the Australian Privacy Principles Guidelines, Privacy Regulatory Action Policy and Guide to Privacy Regulatory Action.

Whilst Flight Centre had in place many of the policies, procedures, training and technical solutions needed to comply with its obligations under the Privacy Act, it was found that there were still gaps.

The gaps identified by the Privacy Commissioner included:

  • A failure to enter into contractual mechanisms with the event participants to ensure at a minimum that:
    • the personal information provided was to be used only for the purpose of providing the agreed services (i.e. the development of technical solutions); and
    • the Hackathon Data would be deleted at the conclusion of the hackathon;
  • Failing to undertake a privacy impact assessment for the hackathon;
  • Failing to take steps to ensure staff were aware of and implemented policies when engaging third parties that required such third parties to enter into confidentiality deeds prior to receiving the Hackathon Data;
  • While there were policies in place that prohibited the entry of personal information into free-text fields in the Flight Centre systems, there was a failure to have appropriate technical solutions that detected and prevented the entry and storage of personal information in free-text fields, which created an inherent security risk;
  • Failing to implement an automated scanning script over the entire Hackathon Data set to detect any personal information that should not have been included, rather than a manual check of a sample of the Hackathon Data;
  • Failing to operationalise its policies already in place that would have made staff more aware of what they should and should not do with respect to personal data – that is, targeted training and implementing sufficient quality control and assurance procedures; and
  • Failing to obtain consent of the customers to use the personal information contained within the Hackathon Data for a secondary purpose not reasonably contemplated by the existing privacy policy in place.
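As an added example (not code from Flight Centre, the OAIC or this article), the following Python script shows the kind of automated scan over an entire dataset that the last two technical gaps above contrast with a manual check of a sample. It runs every free-text value through a Luhn-validated card-number check and simple patterns for passport numbers, dates of birth and credentials, and reports only the row and the kind of finding, never the matched value, so the scan report does not become another copy of the data. The rows, the column layout and the passport pattern (one or two letters followed by seven digits) are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample dataset: (row_id, free_text). These rows are invented for this
# example; the column layout is an assumption, not the real Hackathon Data.
ROWS: List[Tuple[int, str]] = [
    (1, "Customer wants aisle seat, will call back"),
    (2, "Requested vegetarian meal"),
    (3, "Paid on card 4111 1111 1111 1111 exp 09/24"),
    (4, "Passport N1234567 provided for visa"),
    (5, "DOB 14/03/1975 confirmed for infant fare"),
    (6, "login jsmith password: Summer2017!"),
    (7, "No special requests"),
    (8, "Card number 1234 5678 9012 3456 declined"),  # fails Luhn: not reported
]

# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Simplified passport pattern (assumption): one or two letters then seven digits
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")
# dd/mm/yyyy or yyyy-mm-dd
DOB_RE = re.compile(r"\b(?:\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2})\b")
# "password: xxx", "pwd=xxx" and similar
CREDENTIAL_RE = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[str]:
    """Return the kinds of personal information found in one free-text value.

    Only the kind is returned, never the matched value, so the report itself
    does not spread the sensitive data any further."""
    kinds: List[str] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.append("card")
            break  # one finding per kind per row is enough for triage
    if PASSPORT_RE.search(text):
        kinds.append("passport")
    if DOB_RE.search(text):
        kinds.append("dob")
    if CREDENTIAL_RE.search(text):
        kinds.append("credential")
    return kinds


def scan_rows(rows: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Scan every row; map row_id -> kinds found. Rows with no findings are omitted."""
    findings: Dict[int, List[str]] = {}
    for row_id, text in rows:
        kinds = scan_text(text)
        if kinds:
            findings[row_id] = kinds
    return findings


def summarise(findings: Dict[int, List[str]]) -> Dict[str, int]:
    """Count findings per kind, for a go/no-go decision before releasing the data."""
    counts: Dict[str, int] = {}
    for kinds in findings.values():
        for k in kinds:
            counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    # A manual check of the first two rows (the "sample") finds nothing...
    print("sample:", summarise(scan_rows(ROWS[:2])))
    # ...but a scan over every row is what would have stopped the release.
    print("full:  ", summarise(scan_rows(ROWS)))
    for row_id, kinds in scan_rows(ROWS).items():
        print(f"row {row_id}: {', '.join(kinds)}")
```

Running the script shows the sample scan returning no findings while the full scan flags four of the eight rows; a non-empty summary is the signal to withhold the dataset until the flagged fields are cleaned. The patterns are deliberately narrow and produce false negatives (free-form dates, card numbers split across fields), so in practice a scan like this complements, rather than replaces, the upstream input controls that stop personal information being typed into free-text fields in the first place.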

The key takeaway for businesses from this decision is to take privacy obligations seriously: implement the principle of privacy by design and tailor documents, systems, processes and practices to the activities of your business; read the publications available on the OAIC website; engage continually with a lawyer with expertise in privacy and data protection, not just when things go wrong; do not assume that once you have a policy you are compliant forever; and make privacy part of your risk assessment processes for each activity undertaken.

[1] Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020)

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.