On 5 September 2016, the unnamed Precedent employee who was tasked with enhancing a feature on the Donate Blood website created a database backup of the UAT database file (the data file) on the UAT environment before making changes to the system.
"The backup would have allowed for the restoration of data should an error occur during development work or database upgrades," the report stated. "The employee had intended to save the data file created to a secure location but, in error, saved the data file to a publicly accessible portion of the web server on which the UAT environment was implemented."
The data file in question contained registration information of the 550,000 prospective donors who requested an appointment to donate blood via the website between 2010 and 5 September 2016. It is understood that the breach potentially involved more than 1.28 million records.
The data file included the personal information of individuals who had expressed an interest in donating blood on the Donate Blood website.
It also included sensitive information about some of the individuals, including first and last name, gender, physical address, email address and phone number, and yes or no responses to donor eligibility questions such as whether or not the prospective donor had engaged in risky sexual behavior.
The investigation into the breach and the subsequent report by the OAIC concluded that the Precedent employee's mistake was the cause of the breach and that it did, indeed, constitute a "disclosure".
"The root cause of the data breach was an unforeseen one-off human error on the part of a Precedent employee," the report said. "However, the error was made in the course of that individual's duties, and as such the data breach was a 'disclosure' within the meaning of Australian Privacy Principle (APP) 6", which outlines when an APP entity may use or disclose personal information.
According to the OAIC, Precedent breached the Privacy Act in respect of APP 6 and APP 11 - which requires an APP entity to take active measures to ensure the security of personal information it holds - by disclosing the personal information of individuals who had made an appointment on the Donate Blood website, and for failing to take reasonable steps to adequately mitigate against the risk of a data breach.
"Although Precedent had not met all the requirements of the Privacy Act, the Commissioner acknowledges Precedent's constructive and cooperative approach in working with the OAIC in this matter," the report stated.
In response to the incident and its fallout, Precedent has subsequently invested "significant effort" to improve its information handling practices, strengthen its information security, and ensure that it is now compliant with the Privacy Act.