

Case note: Commissioner Initiated Investigation into Vinomofo Pty Ltd (Privacy) [2025] AICmr 175 (17 October 2025)

The Commissioner’s decision:

Privacy Commissioner Carly Kind found that Vinomofo failed to take steps that were reasonable in the circumstances to protect personal information it held for the purposes of Australian Privacy Principle (APP) 11.1.

In reaching this conclusion, the Commissioner considered circumstances such as the amount of personal information held by Vinomofo, the nature of Vinomofo as a ‘reasonably well-resourced entity’, and the possible adverse consequences for the affected individuals of a data breach.

Takeaways for other APP entities:

The Commissioner identified several privacy risks that Vinomofo failed to appropriately address. These included limited security threat detection and monitoring, inadequate cloud security, as well as an insufficient cultural approach to privacy as exemplified by failures in policies, training and procedures.

This Commissioner-initiated investigation serves as a good reminder that technical controls alone will not be sufficient, and that organisational controls such as privacy governance, culture and training are important steps to take for the purposes of APP 11.1.

Background:

In 2022, a temporary database used by Vinomofo to migrate data from legacy systems to upgraded platforms was accessed by an unauthorised party. The breach resulted in the personal information of 928,760 customers and members being accessed and exfiltrated by the unauthorised third party.

APP 11.1 requires APP entities to take such steps as are reasonable in the circumstances to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The principle requires organisations to employ both organisational and technical measures to protect personal information.

The Information Commissioner’s guidelines make it clear that in all cases, taking reasonable steps should include taking steps and implementing strategies in relation to:

  • governance, culture and training

  • internal policies, procedures and systems

  • ICT security

  • access security

  • third party providers (including cloud computing)

  • data breaches

  • physical security

  • destruction and de-identification, and

  • standards

If your agency or organisation needs assistance with managing APP 11.1 compliance for existing systems or new projects, please reach out to our information law experts James Pratt (james.pratt@adaptbl.com.au or 0423 368 823) or Geoff Adams (geoff.adams@adaptbl.com.au or 0404 608 231) to discuss.

A special thanks to Jemima Thomas, Paralegal, in our Information Law Team for her input to this article.

Geoff Adams