The Australian Privacy Commissioner has released a joint report with the Privacy Commissioner of Canada regarding the data breach in July and August 2015 that occurred to a dating website operator's system. The affected websites included the Ashley Madison dating website. Among other disclosures, the unauthorised access resulted in online posting of details from approximately 36 million Ashley Madison user accounts.
The report provides useful tips to organisations about the Commissioner's expectations for complying with the Australian Privacy Principles (APPs). In particular:
- Appropriate privacy safeguards are crucial - organisations must have appropriate privacy safeguards for the type, quantity and sensitivity of personal information they hold and the business they conduct. Appropriate measures include:
- Documented information security policies and practices for managing network permissions which will foster a security aware culture.
- Documented risk management processes about how to determine what security measures are appropriate for the risks faced by the organisation, including periodic and pro-active assessments of privacy threats and evaluations of security practices to ensure they remain appropriate.
- Adequate training for all personnel to ensure they are aware of their specific privacy and security obligations.
- Disclaimers cannot absolve an organisation of its privacy obligations - user terms which state that the security or privacy of information submitted to the website can not be guaranteed, or that users proceed at their risk, can not absolve an organisation of its privacy law obligations.
- Privacy practices must keep up with business change and growth - rapidly growing organisations must also grow their security practices in proportion to the nature and breadth of personal information held and the nature of the risks which the organisation faces.
- Have a proper destruction policy and follow it - organisations should have an appropriate destruction policy giving guidance for destruction such as the retention periods for certain types of information. Technical practices should be reviewed to ensure that personal information which has been marked for destruction is properly destroyed.
- Re-think the need to collect - organisations should consider whether collecting certain personal information is reasonably necessary for the organisation's functions. Where appropriate give people the option not to provide personal information (eg, if appropriate give an alternate option to providing an email address).
- Be transparent about privacy practices - organisations should ensure their terms and conditions appropriately reflect their processes and are not misleading.
Avid Life Media who runs the Ashley Madison website has provided an enforceable undertaking to the Privacy Commissioner about addressing the issues identified in the report. The undertaking requires that Avid Life Media submit to the Office of the Australian Information Commissioner during 2017 evidence of its compliance with the undertaking including providing an independent compliance report, and details of the steps it has taken to ensure compliance.