Our recent newsletter on IT security and privacy discussed the determination by the Privacy Commissioner relating to the hacking of a customer database held by AAPT.

The newsletter stated in error that the hackers had used vulnerabilities in Cold Fusion software that had not been updated by Melbourne IT.  The findings of the Privacy Commissioner stated that it was AAPT, and not Melbourne IT, who was responsible for updating the Cold Fusion software application to newer versions of the application as they became available.  Melbourne IT was not responsible for updating the versions of the software and did not breach any privacy obligations. 

This case signals the need for all providers and customers of IT services to ensure that their contracts clearly state which party is responsible for updating software.

The Privacy Commissioner’s determination is of great interest and comfort to the operators of IT services such as Melbourne IT and also to the operators of many cloud computing facilities.  The primary responsibility for data security under the current NPPs and the new APPs falls on the party that holds the personal information. 

It is now timely to check your contract with external parties to avoid breaches of the Privacy Act 1988 (Cth).