Privacy law reminders: data security

5/11/14
The recently released Office of the Australian Information Commissioner's (OAIC) Annual Report for 2013-14 includes a summary of incidents involving breaches of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) during the reporting period. Taken together, these cases give schools a useful reminder of 'what not to do' and of the potential vulnerabilities in their own privacy programs. The two cases summarised in this article are among the 'Commissioner initiated investigations' referred to in the Annual Report.

Although both investigations were conducted under the National Privacy Principles (NPPs), which were replaced by the APPs on 12 March 2014, the important lessons arising from the cases are still relevant for schools and how they approach their obligations under the APPs.

Importantly, NPP 4 (Data security) was the relevant provision in both cases and it required organisations to take reasonable steps to:

  • protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure (4.1); and
  • destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed (4.2).

APP 11 ‘Security of personal information’ has replaced NPP 4.

Reasons why the Commissioner will get involved

If a breach of privacy occurs at a school, the Commissioner may be asked to investigate by a member of the school community (parents, teachers, guardians etc) whose personal information is affected by the breach.

To decide whether or not to open an investigation into an organisation's privacy practices the Commissioner will first conduct its own risk assessment using the following factors:

  • the number of people affected and the possible consequences for those individuals;
  • the sensitivity of the personal information involved;
  • the progress of an organisation's own investigation into the matter and consideration of the actions taken by the entity in response; and
  • the likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.

It's interesting to keep these factors in mind when reading the following case summaries, which are based on more detailed information available on the OAIC website.

Case One: Cupid Media June 2014

Cupid Media Pty Ltd (Cupid) operates dating websites based on personal profiles that include ethnicity, religion and location. On 13 December 2013, the Commissioner opened an investigation into Cupid in response to media allegations that the personal information of as many as 42 million Cupid users had been acquired by unauthorised persons and was found on a server operated by hackers. According to the OAIC summary of this case, Cupid confirmed that the data breach had occurred and gave the following account of how it happened:

  • a rogue file was identified on one of its web servers;
  • an internal investigation was conducted which identified that attackers had exploited a vulnerability within the application server platform used by Cupid, which allowed them to gain access to Cupid's web servers; and
  • with access to Cupid's web servers, the attackers were able to upload a shell file that allowed the attackers to gain unauthorised access to Cupid's data.

The vulnerability was later fixed by Cupid's IT team, but not before the accounts and personal information of approximately 254,000 Australian users were compromised. Although the media had reported that many more users had been affected, that figure was not accurate because it included 'junk' accounts and duplicate accounts. At the time of the data breach, Cupid did not have any particular systems in place to identify accounts that were no longer needed or in use, or a process for how the destruction or de-identification of personal information relating to such accounts would occur.

Cupid advised that the categories of personal information compromised in the data breach consisted of:

  • full names;
  • dates of birth (for some customers);
  • email addresses; and
  • passwords.

The Commissioner found that Cupid failed to take reasonable steps to:

  • ensure the security of the personal information that it held; and
  • destroy or permanently de-identify the personal information it held.

According to the OAIC website, Cupid has since addressed the OAIC's recommendations, including by implementing a policy for determining when personal information is no longer required.
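Cupid's remediation, a policy for determining when personal information is no longer required, has a technical counterpart: a scheduled sweep that applies the retention rule to every account record and permanently strips the identifying fields from the records that fail it. The following is an added example written for this article; it is not code from Cupid, the OAIC or CompliSpace. The thresholds (two years without a sign-in, 30 days for a registration that never signed in), the account fields and the sample accounts are all assumptions constructed for illustration.

```python
"""Retention sweep for account records.

Added example for this article (not Cupid's, the OAIC's or CompliSpace's
code). Thresholds, fields and sample accounts are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed thresholds for the example. A real policy records the figures in
# writing and justifies them against the purpose the data was collected for.
INACTIVE_DAYS = 730   # two years without a sign-in: no longer needed
JUNK_DAYS = 30        # registered, never signed in, older than a month


@dataclass
class Account:
    account_id: int                       # internal surrogate key, kept after de-identification
    full_name: Optional[str]
    email: Optional[str]
    date_of_birth: Optional[date]
    created: date
    last_sign_in: Optional[date]          # None: never signed in
    legal_hold: bool = False              # retention required by law or a live dispute
    deidentified_on: Optional[date] = None


def classify(acct: Account, today: date) -> str:
    """Return 'already', 'retain', 'junk' or 'inactive' for one account."""
    if acct.deidentified_on is not None:
        return "already"
    if acct.legal_hold:
        return "retain"                   # must be kept, so it must still be secured
    if acct.last_sign_in is None:
        age_days = (today - acct.created).days
        return "junk" if age_days > JUNK_DAYS else "retain"
    idle_days = (today - acct.last_sign_in).days
    return "inactive" if idle_days > INACTIVE_DAYS else "retain"


def deidentify(acct: Account, today: date) -> Account:
    """Permanently strip every identifying field.

    Nothing reversible is kept: no encrypted copy and no pseudonym keyed by a
    secret, because either could be turned back into the person and so would
    not be 'permanent de-identification'. The surrogate key and the timestamp
    remain so the sweep is auditable and idempotent.
    """
    acct.full_name = None
    acct.email = None
    acct.date_of_birth = None
    acct.deidentified_on = today
    return acct


def retention_sweep(accounts: List[Account], today: date) -> Dict[str, int]:
    """Apply the retention rule to every account; return counts per verdict."""
    summary = {"already": 0, "retain": 0, "junk": 0, "inactive": 0}
    for acct in accounts:
        verdict = classify(acct, today)
        summary[verdict] += 1
        if verdict in ("junk", "inactive"):
            deidentify(acct, today)
    return summary


TODAY = date(2014, 11, 5)


def build_sample() -> List[Account]:
    """Constructed sample accounts (not real people)."""
    return [
        Account(1, "Ada Example", "ada@example.com", date(1980, 1, 1), date(2013, 2, 1), date(2014, 10, 1)),
        Account(2, "Bob Example", "bob@example.com", date(1975, 5, 5), date(2010, 3, 3), date(2011, 6, 30)),
        Account(3, "Cy Example", "cy@example.com", None, date(2014, 9, 1), None),            # never signed in, 65 days old
        Account(4, "Di Example", "di@example.com", None, date(2014, 10, 20), None),          # never signed in, 16 days old
        Account(5, "Ed Example", "ed@example.com", date(1990, 9, 9), date(2009, 1, 1), date(2010, 1, 1), legal_hold=True),
        Account(6, "Fay Example", "fay@example.com", None, date(2012, 1, 1), date(2012, 12, 1)),  # 704 days idle
    ]


if __name__ == "__main__":
    accounts = build_sample()
    print(retention_sweep(accounts, TODAY))   # {'already': 0, 'retain': 4, 'junk': 1, 'inactive': 1}
    print(retention_sweep(accounts, TODAY))   # {'already': 2, 'retain': 4, 'junk': 0, 'inactive': 0}
```

Two practical points the sweep makes visible. First, the `legal_hold` flag reflects the exception in APP 11.2 for information an organisation is required by law (or by a court or tribunal order) to retain: those records are kept, but keeping them means they still have to be secured under APP 11.1. Second, de-identification is only 'permanent' if it reaches every copy; a sweep over the live database does nothing for backups, exports and log files, so the retention policy has to cover those stores as well.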

We previously reported on the 'Shellshock' vulnerability and the risk it poses to your school's data security. The Cupid breach was not a Shellshock incident (it predates Shellshock's disclosure in September 2014), but it makes the same point: an unpatched vulnerability in a server platform can lead to a highly publicised data security breach. It also shows the importance of having an integrated privacy program which includes a policy on how to de-identify or destroy personal information when it is no longer needed.

Does your school have a record management policy?

Case Two: Pound Road Medical July 2014

On 25 November 2013, the OAIC was notified that there were boxes of unsecured medical records at a site owned and controlled by the Pound Road Medical Centre (PRMC). A medical centre was previously operated at the site and medical records created at that time were stored in a locked shed at the back of the site. The shed was broken into and as a result, the boxes of medical records were compromised.

According to the OAIC summary of this case, PRMC estimated there were paper based health records for approximately 960 patients stored in the shed, and therefore that at least 960 individuals' personal information was compromised in the data breach. The categories of personal information compromised in the data breach included:

  • patients' 'identifying particulars' e.g. full name of patient, last address of the patient, date of birth, Medicare number and treatment details/progress notes;
  • a document completed by patients to include their name, date of birth, country of birth, marital status, occupation, address and phone number; and
  • staff pay records.

The majority of the records identified in the shed following the data breach related to patients who ceased to be active patients prior to 2004. The majority of records were therefore at least eleven years old.

The Commissioner found that PRMC failed to take reasonable steps to:

  • ensure the security of the personal information that it held; and
  • destroy or permanently de-identify the personal information it held.

PRMC argued that the personal information which was the subject of the data breach did not relate to current patients. However, as noted by the OAIC, personal information that is not current or that does not relate to current patients may still cause harm in the event that it is compromised.

The Commissioner found that more stringent steps were required of PRMC to keep this information secure than may be required of organisations that do not handle sensitive information. According to the OAIC website, PRMC has since computerised all patients' health records and paper-based consultation notes and selected investigation results are now scanned and added to each patient's computerised health record.

This case is an important one for schools as they also hold 'sensitive information' and 'health information' about their current and former students, both of which are forms of 'personal information' under the current Privacy Act.

Does your school have policies in place to manage personal information?

Messages for schools

Although neither case resulted in Cupid or PRMC paying a financial penalty, the reputational damage they incurred is significant and a reminder of the importance of having secure data retention policies and procedures in place as part of a privacy program.

For more information about how to comply with your school’s privacy obligations download the CompliSpace Whitepaper or view the CompliSpace privacy for non-government schools webinar.

About the Author

Xenia Hammon

Xenia is currently a senior content consultant at Ideagen. She also practised as a commercial lawyer, both in private practice at a large, national law firm and in-house at an ASX-listed company.