In 2021, an unknown user gained access to an Oxfam Australia (Oxfam) database, causing a data breach that resulted in the loss of up to 1.7 million Oxfam records.
Oxfam was immediately alerted to the incident and notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre of the incident in February 2021.
Oxfam alerted its supporters of the potential risk shortly afterwards and, on 1 March 2021, began notifying supporters about steps that they could take to protect personal information, such as accessing IDCARE.
In September 2021, the Australian Information Commissioner investigated whether Oxfam’s acts and practices met its requirements under the Privacy Act, concluding in late 2024.
Following the conclusion of the investigation, Oxfam presented the Privacy Commissioner with an enforceable undertaking (EU) which was accepted.
The Commissioner’s acceptance of the EU was not a finding that Oxfam had breached the Privacy Act or the Australian Privacy Principles but rather highlighted the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.
An organisation facing investigation, and perhaps eventual prosecution, by the regulator for a breach can forestall the costs of further investigation and possible litigation by agreeing to an enforceable undertaking. The undertaking can specify actions the organisation has decided to take, or to refrain from taking, in order to comply with the provisions that prompted the investigation.
The sting in the tail is that if the regulator considers that the organisation has breached any of the terms of an enforceable undertaking, the regulator may apply to the Court to enforce the undertaking. Failure to comply with an order of a Court may be a criminal offence.
An enforceable undertaking allows the regulator to reform the policies and procedures of a defaulting organisation without more drastic action, such as fines, which would harm innocent beneficiaries.
Oxfam is undertaking a range of measures outlined in the EU, including not storing specific personal information for longer than 7 years, avoiding the use of shared credentials, implementing password security controls, sharing staff guidance, procedures and training, and using privacy threshold assessments for any project that involves handling personal information for testing purposes. It has also contributed to an awareness-raising campaign directed at others in the not-for-profit sector about the incident.
The OAIC outlined the significant data privacy issues for NFPs as follows:
- NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
- Regardless of whether the Privacy Act applies to an NFP, good privacy practice enables an NFP to build trust, maintain stronger relationships with the community, and reduce the risk of harm to the entity, its staff, and its supporters that may result from a data breach.
- It is essential to ensure an NFP only collects the personal information it needs, stores that information securely, and deletes the data when it is no longer required.
- NFPs should only retain personal information where there is an ongoing need to hold this information. Retention policies should be regularly reviewed to determine if the retention of information is still required and to destroy or de-identify personal information that is no longer required.
- Part of good privacy practice should include having a data breach response plan that enables a quick response to a data breach.
- When entering into arrangements with third parties, NFPs should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both the NFP and the wider community. Requirements should include conducting periodic reviews of arrangements and ensuring that third parties delete any personal information at the end of the contract term.
The Privacy Act has been under review since 2020. Whilst that reform is yet to be realised and implemented, the recommendations show that the community expects organisations to protect an individual’s right to privacy proactively. Organisations need to adopt privacy by design as their default position.
Charities and NFPs rely on their social licence to exist and function. This inherently requires the community to trust charities with sensitive and personal information. This is particularly so where charities provide assistance and support to those at their most vulnerable.
This undertaking may be viewed at: https://www.oaic.gov.au/news/media-centre/oaic-accepts-oxfam-australia-enforceable-undertaking