Under s 33E of the Privacy Act 1988 (Cth)
This undertaking is offered to the Australian Information Commissioner by:
Avid Life Media Inc. (ALM) (trading as Ruby Corp.)
20 Eglinton Avenue West, Suite 1200, Toronto, ON M4R 1K8, Canada
ALM offers this enforceable undertaking under s 33E of the Privacy Act 1988 (Cth) to address the Commissioner’s concerns identified in a joint investigation commenced by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner (OAIC) on 21 August 2015.
Security of personal information
To address the Commissioner’s recommendations relating to security of personal information:
1. ALM undertakes to, by 31 December 2016, conduct a comprehensive review of the protections it has in place to protect personal information.
2. ALM undertakes to, by 31 May 2017, augment its information security framework to an appropriate level, and implement that framework.
3. ALM undertakes to, by 31 May 2017, adequately document the framework referred to in paragraph 2 and its information security processes generally.
4. ALM undertakes to take steps to ensure that staff are aware of and follow security procedures, including developing an appropriate training program and delivering it to all staff and contractors with network access (the Commissioner notes that ALM has reported completion of this recommendation).
5. ALM undertakes to, by 31 July 2017, provide the OAIC with a report from an independent third party documenting the measures it has taken to come into compliance with the above recommendations, or provide a detailed report from a third party certifying compliance with a recognised privacy/security standard satisfactory to the OAIC.
To address the Commissioner’s recommendations relating to the retention of personal information of users whose accounts are deactivated, inactive or deleted:
6. ALM undertakes to, by 31 March 2017, cease its practice of retaining indefinitely personal information of users whose accounts are deactivated or inactive; determine an appropriate period following account deactivation, or following an extended period of inactivity, upon which to delete personal information, based on ordinary usage patterns and its business needs; and inform users of these policies.
7. ALM undertakes to, by 31 March 2017, ensure that it is not holding personal information beyond the retention period described above and periodically review its retention policy to ensure that the retention period chosen remains the appropriate period.
8. ALM undertakes to, by 31 March 2017, implement the retention schedule for both future and currently deactivated accounts.
9. ALM undertakes to, by 31 March 2017, implement the retention schedule for both future and currently inactive accounts.
10. ALM undertakes to continue to provide a no-cost option for individuals to withdraw their consent for ALM to hold their account profile information. This need not include all of the premium deletion services currently offered as part of the full delete service; specifically, it need not include the deletion of personal information sent to other ALM users from those users’ in-boxes.
11. ALM undertakes to, by 31 March 2017, submit to the OAIC details of the steps it has taken to comply with paragraphs 6 to 10.
To address the Commissioner’s recommendations relating to accuracy of information:
12. ALM undertakes to, by 31 March 2017, amend its account creation process to allow users to join the Ashley Madison website without providing an email address, or, if it continues to require email addresses from new users, implement technical measures to enhance the accuracy of email addresses provided, to the reasonable satisfaction of the OAIC.
13. ALM undertakes to, by 31 March 2017, submit to the OAIC details of the steps it has taken to comply with paragraph 12.
Compliance reporting, monitoring and enforcement
14. ALM will confirm in writing to the Commissioner that it has implemented each undertaking referred to in paragraphs 1 to 13 of this undertaking. ALM will provide sufficient details and supporting documentary and electronic evidence to establish that it has complied with the undertaking, such as copies of its information security management framework and processes, privacy policies and procedures, training material and the independent third party’s final report, and any response by ALM to the third party’s recommendations.
15. ALM will provide all documents and information requested by the Commissioner from time to time for the purpose of assessing ALM’s compliance with the terms of this enforceable undertaking.
16. ALM acknowledges that the Commissioner may from time to time publicly refer to this undertaking, including any breach of this undertaking by ALM, and that the Commissioner will publish this undertaking on the OAIC’s website.
17. ALM further acknowledges that:
    (a) the Commissioner’s acceptance of this undertaking does not affect the OAIC’s powers to investigate, or pursue other enforcement options available to the Commissioner, in relation to any contraventions not the subject of the related report of investigation, or arising from future conduct; and
    (b) this undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct.
Cancellation of undertaking
18. When the Commissioner is satisfied that all of the conditions outlined in paragraphs 1 to 13 of this undertaking have been met, the Commissioner will issue a written notice to ALM cancelling the undertaking.
Avid Life Media Inc
Date: 18 August 2016
Accepted by Timothy Pilgrim, Acting Australian Information Commissioner, under s 33E of the Privacy Act 1988:
Timothy Pilgrim PSM
Australian Privacy Commissioner
Acting Australian Information Commissioner
Date: 22 August 2016