Publication date: 31 August 2016

Enforceable undertaking

Under s 33E of the Privacy Act 1988 (Cth)

This undertaking is offered to the Australian Information Commissioner by:

Australian Recoveries & Collections Pty Ltd
(ACN 149 169 308)

1. Definitions and interpretations

1.1 Definitions

In addition to terms defined elsewhere in this undertaking, the following definitions apply:

‘APP’ means Australian Privacy Principle

‘ARC’ means Australian Recoveries & Collections Pty Ltd (ACN 149 169 308)

‘Enforceable Undertaking’ means a written undertaking under s 33E of the Privacy Act given by an entity that the entity will:

  1. in order to comply with the Privacy Act, take specified action
  2. in order to comply with the Privacy Act, refrain from taking specified action
  3. take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual

‘OAIC’ means Office of the Australian Information Commissioner

‘Optus’ means Singtel Optus Pty Ltd (ACN 052 833 208)

‘Privacy Act’ means the Privacy Act 1988 (Cth)

1.2 Interpretation

Unless the contrary intention appears, terms defined in the Privacy Act have the same meaning in this Enforceable Undertaking as they have in the Privacy Act.

2. Background

2.1 ARC is a debt recovery mercantile agent in Australia, and an organisation within the meaning of s 6C of the Privacy Act. As such, it is an APP entity under the Privacy Act and is required to comply with the Privacy Act and the APPs.

2.2 In November 2015, one of ARC’s clients was Optus.

2.3 Privacy incident details

2.4 On 16 November 2015, Optus notified ARC that a database file containing the personal information of some of its customers was listed on the website www.freelancer.com (freelancer.com). This website allows subscribed users to post a ‘job’ for other users to apply to complete the job.

2.5 Optus advised ARC that the personal information listed on freelancer.com was information that Optus had provided to ARC in its capacity as a debt recovery mercantile agent.

2.6 ARC immediately commenced an investigation that confirmed a senior employee had uploaded this information onto freelancer.com, with the intention of a user conducting data analysis on the information. This was without the knowledge of other staff at ARC and in contravention of its existing policies and contractual obligations.

2.7 On the same day, the information was removed from freelancer.com, and ARC obtained control of the responsible employee’s freelancer.com account, for which the email and password were immediately changed.

2.8 On 18 November 2015 Optus contacted the OAIC and notified it of the disclosure of personal information by ARC onto freelancer.com. Optus advised it would notify its customers whose personal information had been disclosed in this incident (the ‘privacy incident’), and that it intended to contact any individuals that may have accessed the personal information through freelancer.com.

2.9 Following an application by Optus, on 18 November 2015 the Supreme Court of NSW ordered freelancer.com to disclose to Optus the identity of the individuals who may have accessed the personal information posted by ARC. Freelancer.com subsequently confirmed that the personal information was potentially downloaded by 51 users. Optus then contacted those users whose contact information it could obtain in an attempt to ensure the information was destroyed.

2.10 On 25 November 2016, ARC provided the OAIC with a voluntary data breach notification to advise the OAIC of the privacy incident and the initial steps taken by ARC in response to the incident.

2.11 Relevant APPs

2.12 APP 6.1 provides that an APP entity must not use or disclose personal information collected for a particular purpose for another purpose unless the individual has consented, or an exception applies.

2.13 APP 11.1 provides that an APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access and disclosure.

3. Acknowledgement of breach by ARC

3.1 ARC has acknowledged to the Commissioner that it breached APP 6.1 and APP 11.1 in relation to the privacy incident.

4. Regulatory outcome

4.1 Under s 29 of the Privacy Act, the Commissioner must have regard to the objects of the Act (set out in s 2A of the Privacy Act) in performing the Commissioner’s functions, and exercising the Commissioner’s powers, conferred by that Act.

4.2 The OAIC has also published its Privacy regulatory action policy which explains the OAIC’s powers and its approach to using its privacy regulatory powers and making related public communications.

4.3 The Commissioner acknowledges that ARC has been taking steps to address the breach and prevent further breaches from occurring, and has cooperated with the OAIC by responding to its inquiries after receiving the Voluntary Data Breach Notification.

4.4 Accordingly, having regard to the objects of the Privacy Act and the Privacy regulatory action policy, the Commissioner formed the view that the acceptance of this enforceable undertaking from ARC would be an appropriate regulatory outcome in relation to this matter.

4.5 In summary, ARC undertakes to:

  1. not repeat the conduct that led to the privacy incident
  2. implement improved information security
  3. implement privacy training for staff
  4. offer to reimburse the cost of a 12-month credit monitoring alert service for any individuals whose personal information was disclosed in this privacy incident
  5. in consultation with the OAIC, engage a qualified third party to review ARC’s handling of personal information, with specific reference to the security of personal information it holds, and implement any subsequent recommendations

4.6 At the time that ARC offered and the Commissioner accepted this enforceable undertaking, ARC had already commenced some of the actions outlined in this undertaking.

4.7 Commencement date

4.8 This undertaking comes into effect when:

  1. the undertaking is executed by ARC; and
  2. the executed undertaking is accepted by the Commissioner

(the ‘commencement date’)

5. Undertaking

5.1 General undertaking not to repeat conduct

5.2 ARC undertakes not to repeat the conduct that led to the privacy incident.

5.3 Implementation of improved information security

5.4 ARC undertakes to, within 3 months of the commencement date, improve its information security environment, by establishing a secure Digital Rights Management Server.

5.5 Privacy training for staff

5.6 ARC undertakes to, within 3 months of the commencement date:

  1. Develop and finalise privacy training for ARC staff members, through a third party (MCQ International) about ARC’s obligations under the Privacy Act, including:
    1. training on Information Security Awareness
    2. training on how ARC’s privacy obligations apply to staff members including scenario based training
    3. testing of staff members’ understanding at the completion of the training
  2. Require all current ARC staff to complete the privacy training outlined at paragraph 5.7(a)
  3. Modify its induction procedures to ensure all new staff complete privacy and information security training when they commence employment
  4. Modify its procedures to ensure that all ARC staff complete refresher privacy training at least once annually
  5. Create and maintain appropriate records of the privacy training all ARC staff have completed or are required to complete

5.7 Offer of credit protection to potentially affected individuals

5.8 ARC undertakes to reimburse the cost of a 12-month credit monitoring service for any individuals whose personal information was disclosed in this privacy incident. This offer was communicated to the relevant individuals by Optus when it notified them of the privacy incident.

5.9 ARC undertakes to, within 14 days of the commencement date, provide a contact point for any affected individuals that have not yet taken up the credit monitoring service that was offered to them, as referred to in paragraph 5.8. ARC will list the contact point on its website, along with information as to how affected individuals can take up the credit monitoring service.

5.10 Reviews and recommendations

5.11 ARC undertakes, within 14 days of the commencement date, to engage, in consultation with the OAIC, an appropriately experienced, qualified and independent third party (‘the Reviewer’) to review ARC’s privacy practices and procedures as specified in paragraph 5.12.

5.12 ARC undertakes to engage the reviewer to:

  1. Review ARC’s personal information handling procedures, including collection, record keeping and security, to assess whether ARC is taking reasonable steps to ensure the security of the personal information it holds in accordance with APP 11.1, and to identify possible areas for improvement
  2. Where areas for improvement are identified:
    1. Make recommendations for how ARC could implement those improvements (‘recommendations’)
    2. Make recommendations as to the time it would reasonably take for ARC to implement the recommendations
  3. Finalise a report of the review set out in paragraph 5.12 a) within 6 months of the commencement date

5.13 Implementation of recommendations

5.14 With regard to the recommendations the Reviewer makes, referred to in paragraph 5.12 b) i, ARC undertakes to:

  1. Within 7 months of the commencement date, provide the OAIC with a project plan (‘the project plan’) to implement any recommendations in accordance with the time recommendations referred to in paragraph 5.12 b) ii
  2. Implement the project plan to address the recommendations in accordance with the dates set out in the project plan

5.15 Provision of information to the OAIC

5.16 ARC undertakes to provide to the OAIC a copy of the Reviewer’s Report referred to in paragraph 5.12 c), including the recommendations, within two weeks of receiving it, and no later than 7 months from the commencement date.

5.17 ARC undertakes to, within 7 months of the commencement date, provide the OAIC with written confirmation that it has completed its obligations under the undertaking, excluding the implementation of the project plan referred to in paragraph 5.14.

5.18 ARC undertakes to provide to the OAIC written confirmation that the project plan referred to in paragraph 5.14 has been completed. In the event that the project plan takes longer than six months to implement, ARC will provide an interim report on its progress at six months, and every six months thereafter until completion.

6. Other matters

6.1 ARC nominates Mr Daniel O’Connell as the person responsible for overseeing compliance with the requirements of this undertaking and reporting to the OAIC. ARC has provided the OAIC with this person’s contact details.

7. Acknowledgements

7.1 ARC acknowledges that the Commissioner may from time to time publicly refer to this undertaking, including any breach of this undertaking by ARC, and will publish this undertaking on the OAIC website.

7.2 ARC further acknowledges that:

  1. the Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate, or pursue other enforcement options available to the Commissioner in relation to any contravention not the subject of the background section of this enforceable undertaking, or arising from future conduct
  2. this undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct, and
  3. if the Commissioner considers that ARC has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 33F(2) of the Privacy Act

[signed]

Craig Brugman
Executive Director
ARC

31 August 2016

Accepted by Timothy Pilgrim, Acting Australian Information Commissioner, under s 33E of the Privacy Act 1988:

[signed]

Timothy Pilgrim PSM

31 August 2016