Publication date: 28 July 2017

Enforceable undertaking

Under s 33E of the Privacy Act 1988 (Cth)

This undertaking is offered to the Australian Information Commissioner by:

Australian Red Cross Blood Service

a division of the Australian Red Cross Society (ABN 50 169 561 394)
Level 3, 417 St Kilda Road, Melbourne, Victoria 3004

The Australian Red Cross Blood Service (Blood Service) offers this enforceable undertaking under s 33E of the Privacy Act 1988 (Cth) to address the concerns identified by the Australian Information Commissioner (Commissioner) in the investigation commenced by the Office of the Australian Information Commissioner (OAIC) on 27 October 2016.

Review of third party management policy and standard operating procedure

1 The Blood Service undertakes to engage, in consultation with the OAIC, an appropriately experienced and qualified independent third party (the Reviewer) to conduct the review outlined in paragraph 2 below.

2 Between July and December 2018, the Reviewer will review:

  1. the Blood Service’s compliance with its Third Party Management Policy (Policy) and Third Party Management Standard Operating Procedure (Procedure)
  2. the effectiveness of the Policy and Procedure

The Reviewer may make recommendations for improvements to the Policy and Procedure. The reviewer will provide a report of its review to the Blood Service and to the OAIC.

Compliance reporting

3 The Blood Service will confirm in writing to the Commissioner when it has implemented each undertaking referred to in paragraphs 1 to 2 of this undertaking. The Blood Service will provide sufficient details and supporting documentary and electronic evidence to establish that it has complied with the undertaking, including the report of the Reviewer referred to in paragraph 2.

4 The Blood Service will provide all relevant documents and information requested by the Commissioner from time to time for the purpose of assessing the Blood Service’s compliance with the terms of this enforceable undertaking.

Other matters

5 The Blood Service will pay the costs of its compliance with this enforceable undertaking.

6 The Blood Service nominates Marion Hemphill, General Counsel and Head of Government Relations as the person responsible for overseeing compliance with the requirements of this undertaking and reporting to the OAIC.


7 The Blood Service acknowledges that the Commissioner:

  1. may issue a media release, media interview or social media posts on execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking
  2. may from time to time publicly refer to this undertaking, including any breach of this undertaking by the Blood Service
  3. will publish this undertaking as well as a summary of the undertaking, on the OAIC website, excluding any confidential schedules

8 The Blood Service acknowledges that:

  1. The Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate, or pursue other enforcement options available to the Commissioner in relation to any contravention not the subject of the background section of this enforceable undertaking, or arising from future conduct.
  2. This undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct.
  3. If the Commissioner considers that the Blood Service has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 33F(2) of the Privacy Act.

Confidentiality of information provided to OAIC

9 The Commissioner and the OAIC acknowledge that information provided by the Blood Service in accordance with this undertaking is likely to contain sensitive commercial information. The Commissioner acknowledges that this information is provided by the Blood Service in confidence.

10 The Commissioner and the OAIC:

  1. will only publish or otherwise disclose information provided in accordance with this undertaking with the Blood Service’s written agreement
  2. will only use this information for the Commissioner’s privacy regulatory activities


Shelly Park, Chief Executive
Australian Red Cross Blood Service (a division of the Australian Red Cross Society)
Date: 26 July 2017

Accepted by Timothy Pilgrim, Australian Information and Privacy Commissioner, under s 33E of the Privacy Act:

Date: 28 July 2017