Blood Service has stemmed privacy risks

The Australian Red Cross Blood Service has been given a clean bill of health in terms of its handling of last year’s data breach exposing the personal information of over 550,000 blood donors from the Office of the Australian Information Commissioner (OAIC).

An investigation by information commissioner Timothy Pilgrim confirmed the Blood Service’s account of the data breach, finding that third-party contractor Precedent Communications had inadvertently uploaded a database containing registration information for these donors on a publicly accessible portion of a web server managed by company.

Pilgrim said that, upon being notified, the Blood Service took immediate steps to contain the breach and notify affected donors.

“Data breaches can still happen in the best organisations — and I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process,” he said.

But the investigation found that while the Blood Service had put in place policies and practices to protect personal information as required by privacy legislation, there were two factors within its control that contributed to the breach.

“This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures,” Pilgrim said.

The Blood Service has improved its information handling practices and both it and Precedent Communications have provided enforceable undertakings to the OAIC in the wake of the breach.

Image credit: ©stock.adobe.com/au/sudok1

Follow us on Twitter and Facebook