Australian Government - Office of the Australian Information Commissioner

Australian Red Cross Blood Service data breach

7 August 2017

The Australian Information and Privacy Commissioner, Timothy Pilgrim, has concluded an investigation into the Australian Red Cross Blood Service’s DonateBlood.com.au data breach.

The Commissioner considers that the community can have confidence in the Australian Red Cross Blood Service’s commitment to the security of their personal information, following his investigation.

The investigation found that a file containing information relating to approximately 550,000 prospective blood donors was saved to a publicly accessible portion of a webserver managed by a third party provider. This was an inadvertent error by an employee of the third party provider. Upon being notified, the Australian Red Cross Blood Service took immediate steps to contain the breach and notify affected individuals.

‘Data breaches can still happen in the best organisations — and I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process,’ said the Commissioner.

While the Blood Service had in place policies and practices to protect personal information as required by the Privacy Act 1988, there were two matters within the Blood Service’s control that were contributing factors to the data breach.

‘This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures.’

The Blood Service has enhanced its information handling practices since the incident and has provided assurance to the Commissioner and the Australian community through an enforceable undertaking. The third party contractor, Precedent Communications Pty Ltd, has also provided an enforceable undertaking with the Commissioner’s office.

For more information about individuals’ privacy rights and managing privacy obligations, visit www.privacy.gov.au.

Comment by the Australian Privacy Commissioner — Australian Red Cross

28 October 2016

The Australian Red Cross Blood Service has advised my office of a data breach from the DonateBlood website. In doing so, Red Cross has provided details of what occurred and steps taken to contain the breach. I welcome their prompt actions to prevent any further disclosure of this highly sensitive personal information.

My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach. This is good privacy practice as it gives individuals the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency.

I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident. The results of that investigation will be made public at its conclusion.

If people have privacy concerns about this incident they can contact my office for free confidential advice on enquiries@oaic.gov.au or 1300 363 992.