Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) from Oxfam Australia following a significant data breach that took place in January 2021. The breach, which Oxfam reported to the Office of the Australian Information Commissioner (OAIC) in February 2021, compromised up to 1.7 million records.
While the acceptance of the EU does not constitute a finding that Oxfam violated the Privacy Act or the Australian Privacy Principles, it underscores the imperative for charities and not-for-profits to maintain rigorous privacy practices.
Under the EU, Oxfam has committed to a set of measures. These include not retaining personal information for longer than seven years, implementing password security controls, ending the use of shared credentials, and strengthening staff training and procedures. The not-for-profit has also committed to conducting privacy threshold assessments for projects that involve personal information.
Throughout the investigation period, Oxfam has collaborated closely with the OAIC and has launched an awareness campaign aimed at other organisations within the not-for-profit sector to share insights from the breach and its subsequent response.
The OAIC has leveraged lessons from its investigation into Oxfam’s experience, as well as a separate data breach involving telemarketing firm Pareto, to update its guidance for not-for-profits. The revised guidance, released in October 2024, provides expanded advice regarding information security and compliance with retention and destruction obligations.
A timeline of key events surrounding the data breach shows a series of immediate responses from Oxfam, including notifying the OAIC and the Australian Cyber Security Centre and alerting supporters to the risks to their personal information.
The incident is a critical reminder to not-for-profits of their obligations under the Privacy Act. The guidance stresses collecting only the personal information that is necessary, storing it securely, and having a robust data breach response plan in place. When engaging third-party providers, not-for-profits are also encouraged to ensure that those providers follow acceptable privacy practices.
For further insights and guidance specific to not-for-profits, Commissioner Kind has shared her perspectives in a blog post available on the OAIC website.