Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) offered by Oxfam Australia (Oxfam).
The not-for-profit experienced a data breach in January 2021 and reported it to the OAIC in February 2021, after which the Commissioner initiated an investigation. The breach resulted in the loss of up to 1.7 million Oxfam records.
The Commissioner’s acceptance of the EU is not a finding that Oxfam has breached the Privacy Act or the Australian Privacy Principles. Rather, it highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.
Oxfam is implementing a range of measures set out in the EU. In particular, it has undertaken not to store certain personal information for longer than 7 years, to avoid the use of shared credentials, to implement password security controls, to provide staff guidance, procedures and training, and to use privacy threshold assessments for any project that involves handling personal information for testing purposes.
Oxfam worked collaboratively with the OAIC throughout the investigation and, since offering the enforceable undertaking, has contributed to an awareness-raising campaign for other organisations in the not-for-profit sector about the incident and its response to it.
The OAIC has used insights from its investigations into Oxfam’s experience, and into the separate data breach affecting the telemarketing firm Pareto, to update its privacy guidance for not-for-profits. The guidance, updated in October 2024 (media release), includes expanded advice on the security of personal information and the steps not-for-profits can put in place to meet their retention and destruction obligations.
Timeline
- On 20 January 2021 an unknown user gained access to an Oxfam Australia (Oxfam) database.
- The data breach resulted in the loss of up to 1.7 million Oxfam records.
- Oxfam was alerted to the incident on 27 January 2021.
- Oxfam alerted its supporters to the potential risk on 4 February 2021.
- Oxfam notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident on 26 February 2021.
- On 1 March 2021 Oxfam began notifying its supporters of steps they could take to protect their personal information and provided access to IDCARE.
- On 10 September 2021 the Australian Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its obligations under the Privacy Act.
- Privacy Commissioner Carly Kind concluded the investigation in late 2024.
- Following the conclusion of the investigation, Oxfam presented Privacy Commissioner Carly Kind with its enforceable undertaking on 18 December 2024.
- Privacy Commissioner Carly Kind accepted the Oxfam enforceable undertaking on 20 December 2024.
Key privacy points for NFPs
- NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
- Regardless of whether the Privacy Act applies to your NFP, good privacy practice helps you build trust and maintain stronger relationships with the community, and reduces the risk of harm to your entity, staff and supporters should a data breach occur.
- Ensure your NFP collects only the personal information it needs, stores that information securely and deletes it when it is no longer required.
- Your NFP should retain personal information only while there is an ongoing need to hold it. Make sure your NFP has systems and processes in place for regularly reviewing whether retention is still required, and for destroying or de-identifying personal information that is no longer needed.
- Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
- When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
- Refer to our privacy guidance for not-for-profits for advice on security of information, and steps your NFP should put in place to ensure compliance with retention and destruction obligations. The guidance also covers what to consider when engaging third-party providers, such as for fundraising, or software vendors.
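The retention review described in the points above, as an added worked example (this is illustrative code written for this page, not the OAIC's guidance or anything from Oxfam's undertaking): each record is checked against a retention schedule, kept while still within its period, and otherwise destroyed or de-identified by stripping direct identifiers and replacing the supporter ID with a keyed pseudonym. Only the 7-year figure comes from the undertaking; the record categories, the other retention periods, the field names, the sample records and the HMAC key are constructed assumptions, and a real schedule would come from your records-retention policy and legal advice.

```python
"""Retention sweep over supporter records: keep, destroy or de-identify.

Illustrative example only. The categories, retention periods (other than the
7-year figure), record fields, sample data and key below are assumptions made
for this example; they are not taken from any OAIC or Oxfam document.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Assumed retention schedule: years of inactivity after which a record expires.
RETENTION_YEARS = {
    "donation": 7,    # financial records: the 7-year period from the undertaking
    "marketing": 2,   # marketing consent records: assumed period
    "test_copy": 0,   # personal information copied for testing: assumed, never retained
}

# Direct identifiers that de-identification must remove (assumed field list).
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")


@dataclass(frozen=True)
class Record:
    supporter_id: str
    category: str
    last_activity: date
    name: str = ""
    email: str = ""
    phone: str = ""
    address: str = ""
    amount: float = 0.0


def years_inactive(rec: Record, today: date) -> int:
    """Whole years since the record was last active (birthday-style arithmetic)."""
    last = rec.last_activity
    return today.year - last.year - ((today.month, today.day) < (last.month, last.day))


def decide(rec: Record, today: date, policy: dict[str, int] = RETENTION_YEARS) -> str:
    """Return 'keep', 'deidentify' or 'destroy' for one record.

    An unknown category raises KeyError on purpose: failing closed is safer than
    silently retaining records the schedule does not cover.
    """
    limit = policy[rec.category]
    if years_inactive(rec, today) < limit:
        return "keep"
    # Donation records keep aggregate value (amounts, dates) once de-identified;
    # other expired categories have no ongoing need and are destroyed outright.
    return "deidentify" if rec.category == "donation" else "destroy"


def deidentify(rec: Record, key: bytes) -> Record:
    """Strip direct identifiers and replace the supporter ID with a keyed pseudonym.

    HMAC rather than a plain hash: without the key, a supporter ID cannot be
    re-derived by brute force over the (small) ID space. The key must be held
    separately from the de-identified data, or the pseudonym is reversible.
    """
    pseudonym = hmac.new(key, rec.supporter_id.encode(), hashlib.sha256).hexdigest()[:16]
    return dataclasses.replace(
        rec, supporter_id=pseudonym, **{field: "" for field in DIRECT_IDENTIFIERS}
    )


def sweep(records: list[Record], today: date, key: bytes) -> dict[str, list]:
    """Apply the retention decision to every record and group the outcomes."""
    out: dict[str, list] = {"keep": [], "deidentify": [], "destroy": []}
    for rec in records:
        action = decide(rec, today)
        if action == "keep":
            out["keep"].append(rec)
        elif action == "deidentify":
            out["deidentify"].append(deidentify(rec, key))
        else:
            out["destroy"].append(rec.supporter_id)  # log the ID, drop the record
    return out


# Constructed sample data: four records, one per outcome and one within period.
SAMPLE_RECORDS = [
    Record("S001", "donation", date(2016, 3, 1), name="A. Donor", email="a@example.org", amount=50.0),
    Record("S002", "donation", date(2020, 6, 15), name="B. Donor", email="b@example.org", amount=20.0),
    Record("S003", "marketing", date(2021, 1, 10), name="C. Supporter", email="c@example.org"),
    Record("S004", "test_copy", date(2024, 12, 1), name="D. Tester", email="d@example.org"),
]
TODAY = date(2024, 12, 20)  # constructed review date
PSEUDONYM_KEY = b"example-only-key-keep-real-keys-in-a-secrets-manager"  # assumed

if __name__ == "__main__":
    result = sweep(SAMPLE_RECORDS, TODAY, PSEUDONYM_KEY)
    for action, items in result.items():
        print(action, [getattr(r, "supporter_id", r) for r in items])
```

Run periodically (for example from a scheduled job) rather than once: the point of the review is that records cross the retention threshold continuously, so the sweep has to be part of routine operations, and its decisions should be logged so that destruction can be evidenced later.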
Note: Commissioner Kind previously undertook consultancy work for Oxfam Great Britain, prior to her appointment as Privacy Commissioner. Oxfam Australia and Oxfam Great Britain are separate legal entities.
You can read more about Privacy Commissioner Kind's thoughts on the enforceable undertaking and further guidance for NFPs in a blog post on the OAIC website.