As we approach the mandatory breach reporting regime under the Privacy Act 1988 commencing in February 2018, one of the preparatory steps is to review the contractual arrangements organisations have in place with the various suppliers and other service providers that may access, hold or use personal information about their clients.
It seems that in many breaches, including the most recent Dominos breach this month, there is uncertainty about whose system held the information at the time of the breach, and accordingly who is responsible for investigating, reporting and remedying it. In a statement placed on its website regarding unauthorised spam emails, Dominos said:
“There is no evidence to suggest that there has been any unauthorised access to Dominos systems. We are investigating a potential issue with a former supplier’s system that may have led to a number of customer email addresses, names and store suburbs (related to pizza orders) being accessed as a result.”
Similarly, in the September 2016 breach of the Australian Red Cross Blood Service, the breach was found to have been caused by an employee of a third-party provider to Red Cross saving a database file, containing information on approximately 550,000 prospective blood donors, to a public-facing website.
These examples serve to illustrate that not only is it necessary to ensure that privacy compliance is dealt with as a contractual matter with the organisation’s suppliers, but also that there are audit and operational provisions to ensure security.
The new rules will require a potential breach incident to be assessed, and affected individuals to be notified within 30 days, if serious harm is suspected. This means breached businesses will want the cooperation of their third-party service providers to help them investigate the incident and manage customer relationships and reputations.
On this basis we consider that all organisations which allow third-party service providers access to their data need to upgrade their current contractual arrangements to include specific mutual cooperation provisions dealing with the consequences of a breach.
Given that dealing with a breach is often a crisis management situation in its own right, having prepared responses, roles and liaison protocols in place both within the business and with business partners can make the difference between a well-managed breach and a reputational and public relations fiasco.
Our Data and Privacy professionals can assist you in preparing appropriate documentation for your circumstances and the various supplier relationships you hold.
Author: Lyn Nicholson
* On 30 November 2017, we will be delivering a seminar 'Key issues in data protection and privacy' in our Brisbane office. Please click here to register your interest.
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Dan Pearce, Partner
T: +61 3 9321 9840
Trent Taylor, Partner
T: +61 7 3135 0668
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.