When news emerged late last year that the private information of more than 550,000 Australians who'd donated blood to the Australian Red Cross Blood Service was readily available on a public-facing website, it no doubt sent shudders down the spines of privacy officers around the country.
As the organisation leapt into action to rectify the problem, it was revealed that the data breach happened after a web developer engaged by the organisation accidentally placed a database backup file containing the information, including names, gender, addresses, blood type and phone numbers, on a publicly accessible web server.
The importance of trust
How businesses handle and protect customers’ private information is more important than ever, with the recent Deloitte Australian Privacy Index 2016 finding that 94% of consumers believe trust, including how a business manages personal information, is more important than convenience.
The survey also found that more than 67% of respondents are concerned with organisations sending personal information outside Australia, 21% of consumers want detailed information if organisations send their information to third parties, including to whom and why, and 14% want to know how their personal information is protected.
Transparency is the best policy
How organisations with an annual turnover of more than $3 million (and some small businesses, such as health service providers) handle, use and manage personal information is governed by the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth).
"Things to consider include how personal information collected by your organisation can be used and disclosed (including disclosure overseas, whether overtly or simply via your IT servers and cloud based storage facilities), whether you use information for the purpose of direct marketing, maintaining the quality of personal information, keeping personal information secure and the right for individuals to access and correct their personal information. You may also need to consider the extent to which customer consent is required for use or disclosure in certain circumstances."
More stringent obligations apply to organisations which handle information the Act deems “sensitive”, such as information about a person’s health, racial or ethnic origin, political opinions, religious beliefs or affiliations, criminal record, or sexual orientation or practices.