Released every month, our debt collection blog contains news, stories and tips to keep you informed.
When reviewing our obligations under the Privacy Act when collecting debts, it is useful to look at the Case Note decisions the Office of the Australian Information Commissioner (previously known as the Privacy Commissioner) has made so far in 2014.
Case 1. Telstra: The Australian Privacy Commissioner opened an investigation in response to media reports that personal information of Telstra customers was available online. On the security of that information, the Commissioner found that in the circumstances adequate security measures had not been taken, and that data no longer required had not been destroyed or de-identified. Following the breach, Telstra acted appropriately by disabling access to the information and has addressed the Commissioner's recommendations (partially, with the remainder still being addressed as at March 2014). Based on Telstra's ongoing implementation of the Commissioner's recommendations, the investigation was closed.
Case 2. Multicard: Personal information collected for the purpose of granting Maritime Security Identification Cards was made available online to the public (instead of being placed on a non-public page that search engines do not index). The Commissioner found that adequate precautions had not been taken to secure the personal information, and that the information had been disclosed. The Commissioner also raised concerns about how the breach was investigated. At the Commissioner's request, an independent auditor was engaged to certify that the planned remediation steps were carried out. As Multicard was continuing to address the Commissioner's recommendations, the investigation was closed.
Case 3. Cupid Media: An online dating website whose records were stolen from a server by hackers. The Commissioner found that Cupid had reasonably secure systems in place (intrusion prevention, application patching and so on); however, user passwords were stored in plain text instead of being hashed, which breached its data security obligations. Cupid had also not taken adequate steps to de-identify or destroy data it was no longer required to hold. The Commissioner found that Cupid acted appropriately in responding to the breach and was addressing the Commissioner's recommendations, and subsequently closed the investigation.
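What "hashed" means in practice, and why it matters when a server is stolen: the script below is an added example written for this post, not code from Cupid Media or from the Commissioner's case note. It shows the weak pattern (the credential table holds the password itself, so a copy of the table is a copy of every login) beside the hardened one (the table holds only a random salt and a deliberately slow hash, so a stolen copy still has to be cracked one password at a time). The user names and passwords are constructed sample data, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption made here because it ships with the Python standard library; a memory-hard function such as scrypt or Argon2 is the stronger choice where available.

```python
import hashlib
import hmac
import secrets

# Work factor and salt size are choices made for this example (assumption),
# not values taken from the case note. Raise the iteration count as hardware
# gets faster; the record format below carries it so old records keep working.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample users. Two of them share a password on purpose, to show
# that per-user salts still produce different stored records.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "correct horse battery staple"),
    ("carol", "hunter2"),
]


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def plaintext_store(users):
    """The weak pattern from the Cupid Media finding: the table IS the passwords."""
    return {name: password for name, password in users}


def hashed_store(users):
    """The hardened pattern: the table holds salt + slow hash, never the password."""
    return {name: hash_password(password) for name, password in users}


def check_login(store, name: str, candidate: str) -> bool:
    """Authenticate against a hashed store; unknown users simply fail."""
    record = store.get(name)
    if record is None:
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    weak = plaintext_store(SAMPLE_USERS)
    strong = hashed_store(SAMPLE_USERS)
    # What a thief who copies each table actually gets:
    print("plaintext table leaks:", weak["carol"])
    print("hashed table leaks:   ", strong["carol"])
    print("same password, different records:", strong["alice"] != strong["bob"])
    print("login ok:", check_login(strong, "alice", "correct horse battery staple"))
    print("login bad:", check_login(strong, "alice", "wrong password"))
```

The record format stores the algorithm name and iteration count alongside the salt, so a later increase in the work factor (or a move to scrypt) can be applied at next login without invalidating existing accounts. Note that hashing addresses only the password column; the Commissioner's second finding against Cupid, that data no longer required was not destroyed or de-identified, is a retention question that no hash function solves.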
Case 4. Pound Road Medical Centre: A medical practice that had moved premises and left old medical records in a locked garden shed at the former premises; the shed was broken into and the records stolen (two years after the move!). The Commissioner found the physical security of the records to be deficient, and closed its file following review, remediation and implementation of the Commissioner's recommendations.