This document is prepared as an enforceable undertaking under s 114(1) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (the Regulatory Powers Act).
This undertaking is offered to the Privacy Commissioner (the Commissioner) by:
Oxfam Australia (ABN 18 055 208 636)
355 William Street, West Melbourne VIC 3003
Oxfam Australia (Oxfam) offers this enforceable undertaking under s 114(1) of the Regulatory Powers Act to address the matters within the scope of the investigation that the former Australian Information Commissioner (the Information Commissioner) commenced on 10 September 2021 under s 40(2) of the Privacy Act 1988 (Cth) (Privacy Act).
The Commissioner’s acceptance of this enforceable undertaking is not a finding that Oxfam has breached the Privacy Act or the Australian Privacy Principles (APP).
1 Background
1.1 On 20 January 2021, an unknown IP address gained unauthorised access to Oxfam's User Acceptance Testing database (UAT database), which contained the personal information of individuals and which was being used by Oxfam as part of its Customer Relationship Management (CRM) migration project (the incident).
1.2 To support testing, the UAT database contained a copy of production data which included personal information that Oxfam had collected about its supporters. This included some, or a combination, of the following information about supporters:
1.2.1. name, address and date of birth;
1.2.2. donation history, including the nature of the relevant campaign, donation date and donation amount; and
1.2.3. for a small subset of supporters, financial information, including account name, account number, financial institution and masked credit card details.
1.3 Oxfam had retained this information for over seven (7) years, for the purposes of communicating its work and its charitable causes to its supporters, helping those individuals support the causes that resonate with them.
1.4 In late January 2021, Oxfam became aware that there was a post on RaidForums, an online marketplace for stolen data, advertising the sale of 1.7 million Oxfam records. The RaidForums seller posted 14 sample records which Oxfam analysed and verified as matching records it held within its UAT database.
1.5 Shortly after becoming aware of the RaidForums post, Oxfam made the Office of the Australian Information Commissioner (OAIC) and its supporters aware of the fact that it was investigating the incident.
1.6 On Friday 26 February 2021, Oxfam formally notified the OAIC that its investigations had confirmed an eligible data breach (NDB) had occurred within the meaning of s 26WE(2) of the Privacy Act.
1.7 Oxfam commenced notifying affected individuals from Monday 1 March 2021, and made the services of IDCARE available to those individuals who were at risk of serious harm as a result of the NDB.
2 Oxfam’s response to the incident
2.1 In response to the incident, Oxfam prioritised strengthening its information security framework and uplifting its operational procedures in relation to its handling of personal information. These activities included, but were not limited to:
2.1.1. undertaking detailed assessments and evaluations of its security systems and posture;
2.1.2. implementing IP whitelisting in the UAT database;
2.1.3. improving identity and access management by adding multi-factor authentication and single sign-on for relevant applications;
2.1.4. implementing biometric authentication for devices, along with proactive monitoring and advanced identity monitoring on the Dark Web;
2.1.5. increasing Security Information and Event Management log retention periods to 18 months;
2.1.6. migrating to SOC-managed Endpoint Detection and Response software on its systems and end user machines;
2.1.7. conducting a security review of the website code interfacing with the UAT database;
2.1.8. overhauling its password management and controls policies, and including password security controls in addition to those proposed in guidance from the Australian Cyber Security Centre;
2.1.9. phasing out the use of shared credentials; and
2.1.10. updating and expanding its suite of mandatory privacy and cyber security training offerings for Oxfam staff.
2.2 Oxfam has also provided detailed information about the nature of the strengthened security measures that it has implemented since the incident, on a confidential basis to the OAIC in response to the OAIC’s investigation.
3 The Information Commissioner’s investigation
3.1 On 10 September 2021, the Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
3.2 As a result of the investigation, Oxfam was notified that the Privacy Commissioner held concerns around its acts and practices in handling the personal information of its supporters.
3.3 In relation to APP 11.1, the Commissioner had concerns about:
3.3.1 Oxfam’s use of live supporter data in the UAT database; and
3.3.2 Oxfam’s use of shared credentials by those with access to the UAT database.
3.4 In relation to APP 11.2, the Commissioner had concerns about the period of time that Oxfam retained the personal information of its supporters in its databases. In particular, the Commissioner expressed concerns about the personal information of:
3.4.1 individuals whose information was stored in the UAT database and who had neither donated to nor been contacted by Oxfam since before 2013;
3.4.2 individuals for whom the date of last engagement with Oxfam was not expressed validly within Oxfam’s system; and
3.4.3 individuals who had made a Do Not Contact request of Oxfam and had not gone on to engage with Oxfam in the next seven (7) years.
4 Acknowledgement
4.1 Oxfam acknowledges the concerns arising out of the investigation. Accordingly, Oxfam offers the undertakings in sections 6 to 10 of this document to address these concerns.
5 Term
5.1 This undertaking comes into effect on the date it is accepted by the Commissioner (Commencement Date).
5.2 This undertaking ceases to have effect two (2) years from the Commencement Date.
6 Security and operational uplifts
6.1 Within three (3) months of the Commencement Date, Oxfam undertakes to:
6.1.1 in the case of shared credentials:
6.1.1.1 where the use of shared credentials is determined to be unavoidable in the circumstances, employ appropriate additional controls, training for staff using shared credentials, an audit framework and robust governance with procedures to manage the associated risks;
6.1.1.2 except where the use of shared credentials is unavoidable in the circumstances, implement individual credentials;
6.1.2 develop and implement a mandatory privacy and information security training program, which covers, among other issues, practical guidance for operational level personnel (including employees, contractors and volunteers);
6.1.3 enforce appropriate password security controls (including in relation to complexity, rotation and choice) on passwords used to access testing environments that contain personal information, having regard to industry standards and guidance published by the Australian Cyber Security Centre;
6.1.4 employ multi-factor authentication for all systems that may pose a higher security risk, such as for systems that can be remotely accessed or that contain sensitive/restricted information; and
6.1.5 require initial and regular refresher training in relation to the matters in paragraphs 6.1 and 6.2 for personnel with access to personal information, including employees, contractors and volunteers, to the extent it is relevant to their role and responsibilities.
6.2 Within six (6) months of the Commencement Date, Oxfam undertakes to:
6.2.1 destroy or de-identify the personal information of individuals:
6.2.1.1 who have not donated to or engaged with Oxfam for more than seven (7) years (except for those individuals who have affirmatively indicated that they intend to leave a bequest to Oxfam in their will, and where this is recorded in Oxfam’s systems);
6.2.1.2 for whom the date of last engagement with Oxfam is not expressed validly in Oxfam’s system; and
6.2.1.3 who have made a “Do Not Contact” request and have not gone on to donate or engage with Oxfam in the next seven (7) years, beyond what has been necessary for the purpose of preventing Oxfam from inadvertently resuming contact with them in the future;
6.2.2 develop and implement policies and procedures that provide clear guidance to Oxfam staff on:
6.2.2.1 the nature of maximum retention periods and processes for personal information it retains; and
6.2.2.2 destruction and de-identification of each type of supporter personal information collected by Oxfam (including personal information used for testing purposes);
6.2.3 require the preparation of a threshold assessment, and where necessary a privacy impact assessment, in relation to any project that involves the handling of personal information for testing purposes, addressing the quantity and kinds of personal information needed for testing and the practicability of potentially less-privacy intrusive options; and
6.2.4 put in place systems to flag personal information that may no longer be needed for a permissible purpose (including personal information held in test databases where not required for specific testing) and review such information with a view to determining which information should be destroyed or de-identified.
7 Review and assess testing processes
7.1 Within six (6) months of the Commencement Date, Oxfam undertakes to conduct a review of all current uses of personal information for testing purposes, whether such uses comply with APP 6 and whether the retention of personal information for that purpose is permitted by APP 11.2.
8 Independent review of compliance with Privacy Act
8.1 Oxfam undertakes to engage an independent expert with demonstrated expertise in assessing the requirements for compliance with the Privacy Act to review Oxfam’s practices 12 months after the Commencement Date and prepare a report (Expert Report) that:
8.1.1 specifies whether the steps in paragraphs 6.1, 6.2 and 7.1 have been implemented and maintained in accordance with this undertaking; and
8.1.2 if the steps in paragraphs 6.1, 6.2 and 7.1 have not been implemented and maintained in accordance with this undertaking, recommends actions for Oxfam to complete to ensure such steps are implemented and maintained in accordance with this undertaking.
8.2 Oxfam undertakes to provide a copy of the Expert Report to the OAIC within 14 days of receiving the Expert Report.
9 Implementation of Expert Report recommendations
9.1 Oxfam undertakes to implement the independent expert's recommendations as outlined within the Expert Report, if any, within the timeframes specified by the expert and in consultation with the OAIC.
9.2 Oxfam undertakes to provide the OAIC with written confirmation of its completion of implementing the independent expert’s recommendations, if any, within 14 days of implementation.
10 Engagement with the OAIC
10.1 Oxfam undertakes to participate in a program of public engagement with the OAIC in relation to the incident and its response to the incident.
11 Provision of information to the Commissioner
11.1 Oxfam will provide or make available to the Commissioner relevant documents and information requested by the Commissioner from time to time (save for any documents the subject of a claim for legal professional privilege) for the purpose of assessing Oxfam’s compliance with the terms of the Enforceable Undertaking.
12 Further acknowledgements
12.1 Oxfam acknowledges that the Commissioner:
12.1.1 may issue a statement on the execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking;
12.1.2 may from time to time publicly refer to this undertaking; and
12.1.3 will publish this undertaking as well as a summary of the undertaking, on the OAIC website.
12.2 Oxfam acknowledges that:
12.2.1 the Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate or pursue other enforcement options available to the Commissioner in relation to any contravention that is outside the scope of the Information Commissioner’s investigation, or which is not related to the incident;
12.2.2 this undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct; and
12.2.3 if the Commissioner considers that Oxfam has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 115 of the Regulatory Powers Act.
13 Confidentiality
13.1 The Commissioner and the OAIC acknowledge that information provided by Oxfam in accordance with this undertaking is likely to contain sensitive commercial information. The Commissioner acknowledges that this information is provided by Oxfam in confidence.
13.2 The Commissioner and the OAIC:
13.2.1 will only publish or otherwise disclose information provided in accordance with this undertaking with Oxfam’s written agreement; and
13.2.2 will only use this information for the Commissioner’s privacy regulatory activities.
Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.