7 December 2020

Australian Information Commissioner and Privacy Commissioner Angelene Falk has determined that Flight Centre interfered with the privacy of almost 7,000 customers by disclosing their personal information to third parties without consent.

The information, including individuals’ credit card and passport details, was released by Flight Centre Travel Group Ltd during a ‘design jam’ in 2017.

Commissioner Falk has found the company breached three Australian Privacy Principles (APPs) by:

  • not taking reasonable steps to implement practices to ensure compliance with the APPs
  • disclosing individuals’ personal information without consent, and
  • failing to take reasonable steps to appropriately secure the personal information.

The Flight Centre design jam brought together 16 teams to create technological solutions for travel agents. Participants were given access to a dataset which included customers’ personal information, despite preliminary checks to de-identify or remove personal information.

The error was only found after the information had been available for 36 hours.

“This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third party suppliers for analysis,” Commissioner Falk said.

“Organisations should assume that human errors – such as the inadvertent disclosure of personal information to suppliers – could occur and take steps to prevent them.

“They should also carry out Privacy Impact Assessments for data projects to assist in identifying and addressing all relevant privacy impacts.”

Commissioner Falk said the determination also highlighted that privacy policies are intended to be transparency mechanisms, and organisations should not rely on them to provide notice and obtain consent in relation to personal information handling.

Flight Centre’s privacy policy included some general statements about disclosing personal information to improve and develop their products.

However, the Commissioner found that this did not amount to valid consent from individuals to disclose their information to the design jam because it was not sufficiently specific and bundled together different uses and disclosures of personal information.

The determination notes that Flight Centre acted promptly when it became aware of the breach, and restricted access to the personal information, investigated the incident and reviewed and implemented changes to relevant practices, procedures and systems.

Commissioner Falk said these actions were a positive step to mitigate against similar future breaches, that she appreciated Flight Centre’s cooperation with her investigation and the steps taken to lessen the effect on individuals, including payments of at least $68,500 to replace passports.

The determination orders Flight Centre to not repeat the activities. No further action will be taken in the matter.

The full determination can be found on AustLII.