Don’t fly into a storm: how to protect clients from themselves in the data space
19 August 2021 13:09
Lyn Nicholson and Samuel Lane
Many entities acquire large quantities of data through various means, such as payment details, subscriptions or online surveys, and much of this data is collected online.
This article discusses a recent determination made by the Office of the Australian Information Commissioner (OAIC) against Flight Centre[1] which demonstrated the costs of human error against the backdrop of a growing e-commerce market.
Practical implications of the Flight Centre determination
There are practical steps that entities should consider implementing to limit their exposure to the consequences of human error in the handling of data. These steps include:
- putting in place contractual mechanisms with all third parties (such as a binding non-disclosure agreement) to ensure that personal information in the data can only be used for the purpose for which it was provided and is deleted afterwards
- implementing automated scanning techniques and systems to review data for any personal information before it is disclosed and to generally monitor ongoing employee compliance (which should be done in conjunction with a human review of the data set) and
- conducting formal and informal privacy impact assessments to identify risks and inadequacies in future projects involving the use of data
Flight Centre is not alone in succumbing to human error and, while the breach (the subject of this determination) occurred in 2017, the OAIC’s most recent Notifiable Data Breaches Report has identified that human error was the contributing source to 38% of data breach notifications from July to December 2020 — a rise of 18% from the previous reporting period.[2] This increase is especially significant when considering that COVID-19 has led to a spike in cyber attacks and, despite this spike in malicious activity, human error was still responsible for an additional 18% of data breach notifications.
What was Flight Centre’s problem?
Personal information held by Flight Centre, including credit card data, was accidentally made available to participants in a “design jam”.
Background to the Flight Centre incident
In early 2017, Flight Centre invited travel agents to participate in a “design jam” during which the participants were tasked with creating technological solutions that could assist travel agents in dealing with customers during the sales process.
Flight Centre provided 90 participants with access to a data set that contained 28 million rows of data that had been taken from Flight Centre’s quoting, invoicing and receipting system. The information was thought to have been de-identified, and Flight Centre employees reviewed the top 1000 rows to ensure that there was no personal information.
Thirty-six hours after the information had been made available to participants, Flight Centre was notified that credit card information was visible in a free text field within the data. On review, Flight Centre found that 4011 credit cards and 5092 passport numbers (relating to 6918 individuals) had been mistakenly disclosed.
In addition, a number of usernames, passwords and dates of birth had also been disclosed. The personal information was found in a free text field in which Flight Centre employees had documented customer information in breach of company policy.
What did Flight Centre do?
Upon being notified of the breach, Flight Centre took a number of remedial actions, including removing access to the data set and obtaining verbal confirmation from each participating team that they had destroyed all copies of the data. Flight Centre also conducted a post-incident review (including a risk assessment, which deemed the incident “low risk”) and notified individuals to offer them free identity theft and credit monitoring coverage and reasonable costs for replacement of their passports.
What did the OAIC do?
The OAIC determined that the disclosure of personal information by Flight Centre was in breach of Australian Privacy Principles (APP) 1.2, 6 and 11.1.
In coming to the decision, the OAIC rejected Flight Centre’s submissions that the release of data was a “use” rather than a disclosure, and found that the data had been released to an extent that it was no longer within Flight Centre’s effective control. Factors such as allowing participants to download the data, and the need for Flight Centre to contact each individual participant to confirm the deletion, indicated that this was a clear disclosure of personal information to unauthorised third parties.
Consequently, Flight Centre had not obtained valid consent and the disclosure of a customer’s information for a secondary purpose, being the design jam, was not within the reasonable expectation of Flight Centre’s customers.
Although Flight Centre had documented important policies and procedures, it failed to make sufficiently clear to its staff that personal information should only be entered into certain fields, and there were a number of areas where policies were either not followed or were inadequate to address the risk of an incident occurring.
The determination noted that failure to comply with these policies was likely to have been occurring for a significant period of time, which indicated insufficient quality control and assurance procedures.[4]
Given that Flight Centre had cooperated with the investigation and had already incurred various costs (including $68,500 to replace passports), the determination held that there would be no further action taken by the OAIC.[5]
What can organisations learn from this?
The Flight Centre determination acts as a stark reminder of the impact of human error, the implications of failing to ensure policies and procedures are followed and the need for APP entities to maintain vigilance over retained personal information and any other data collected online. We set out below a number of suggestions that organisations, and their lawyers, should take into consideration to prevent complacency.
Binding contractual agreements
When conducting a project, or organising a collaboration, entities should ensure that all participants are aware of their privacy obligations and, at a minimum, contractual mechanisms should be put in place to ensure that personal information can only be used for the intended purpose (and is deleted afterwards). In this respect, entities should not be relying on statements in their terms and conditions of participation that have words to the effect of “by participating in this event you consent to these terms”. Instead, participants should be required to sign a separate, binding non-disclosure agreement before their participation.
This is not, however, limited to projects and collaborations. Similar contractual mechanisms should be in place for any third party interactions which may result in either party disclosing personal information to the other. Entities should also consider obtaining warranties from third parties that, unless otherwise agreed, data provided by the third party does not contain personal information.
An effective way of obtaining this protection is to build these clauses into an entity’s template contractor and service agreements. This ensures that these contractual mechanisms are not overlooked in the onboarding process.
If data sets are being provided to third parties, another reasonable step is to apply automated scanning to the data before it is disclosed, in order to detect any personal information that was not intended to be included. Any such automated scanning should be undertaken in conjunction with a human review of the data before disclosure for maximum efficiency.
Automated scanning should not, however, be limited to disclosure situations and entities should also consider implementing technical controls to detect, on a regular basis, whether employees have inserted unauthorised information (such as credit card or passport numbers) into free text fields or other areas with insufficient security controls. This can help to reduce the entity’s risk exposure in situations where it would otherwise be relying on employees to comply with policies.[6]
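As an added illustration (not Flight Centre’s system and not code from the determination), the following Python scanner checks the free text field of a CSV export for card numbers (validated with the Luhn checksum so that look-alike invoice references are not flagged) and passport-style identifiers, and shows why a review of only the first N rows can pass a data set that leaks further down. The sample rows and the passport-number pattern are constructed assumptions for the example.

```python
import csv
import re

# Constructed sample export (not real data): staff have pasted card and passport details into "notes".
SAMPLE_CSV = """row_id,destination,notes
1,Bali,Customer prefers an aisle seat
2,Tokyo,Paid in full on card 4111 1111 1111 1111 exp 03/24
3,Rome,Passport N1234567 valid until 2025
4,Perth,Invoice reference 1234567890123456 sent to customer
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# One or two letters then seven digits: an assumed passport-number shape, for illustration only.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return the kinds of personal information detected in one free-text value."""
    hits = []
    for m in CARD_RE.finditer(text):
        # Luhn filters out invoice or booking references that merely look like cards.
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("card")
    if PASSPORT_RE.search(text):
        hits.append("passport")
    return hits


def scan_export(csv_text: str, field: str, limit: int = None) -> dict:
    """Map row_id -> detected kinds, scanning every row or only the first `limit` rows."""
    findings = {}
    for n, row in enumerate(csv.DictReader(csv_text.splitlines())):
        if limit is not None and n >= limit:
            break
        hits = find_pii(row[field])
        if hits:
            findings[row["row_id"]] = hits
    return findings
```

Running `scan_export(SAMPLE_CSV, "notes", limit=1)` returns an empty result, as a top-N review would, while the full scan flags rows 2 and 3.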
Ongoing compliance reviews
As indicated in the determination, entities should always assume that human errors (such as the accidental disclosure of personal information) will occur.[7] Policies and procedures should be designed to minimise the impact of human error and, to the extent possible, prevent it. These policies should be clear and easy to understand; otherwise, compliance can become too complex and confusing for staff. Procedures that include automated reminders and similar techniques may assist.
Similar to many other entities, Flight Centre took steps to keep its staff informed of their privacy obligations, including making policies readily available and providing annual training in the form of an information security module. This was not, however, sufficient to prevent ongoing breaches of Flight Centre’s policies over an extended period of time. Entities should be mindful of this and take steps to operationalise their information security policies, including regular compliance checks and implementing assurance processes.[8]
Privacy impact assessments
While it was not contemplated by Flight Centre that customer data would be used for new activities such as the “design jam”, Flight Centre should have conducted a privacy impact assessment (PIA) when launching the design jam (in accordance with the OAIC Guidelines on APP 1.2).
Similarly, entities should always consider undertaking a PIA whenever a project may involve the management of personal information (whether disclosure, use or otherwise). Such a PIA can be formal or informal, depending on the size and complexity of the project. In either case, these assessments help an entity and its advisors review the risk of the project being non-compliant with privacy legislation and take steps to prevent, or mitigate, that risk.
In our digital age most entities have an online presence, and the collection of data is a central aspect of it.
The Flight Centre example demonstrates how data must be kept confidential and only be used for the purpose for which it has been provided. Lawyers need to ensure that their clients have relevant practices, procedures and systems in place when dealing with personal data.
General Counsel, Holding Redlich
Read the full article via the Internet Law Bulletin.