Privacy Commissioner enters into enforceable undertaking with Oxfam Australia resulting from a data breach on 20 January 2021 that led to the loss of up to 1.7 million records
February 20, 2025
Today the Privacy Commissioner announced that she has entered into an enforceable undertaking with Oxfam Australia arising from a large data breach on 20 January 2021. What is clear from the undertaking and the Commissioner’s blog is that Oxfam had poor data handling practices and held data for long after they were needed. This is a common problem and aggravates the damage associated with a data breach.
The term of the undertaking is 2 years. The key obligations are found at paragraph 6, which requires Oxfam within 3 months to put in place a coherent system for managing shared credentials, password controls and multi-factor authentication, and within 6 months to destroy personal information held by Oxfam for more than 7 years or falling into other specified categories. Oxfam must undertake a review of all current uses of personal information within 3 months. An expert will review compliance in 12 months' time and Oxfam must implement any recommendations. It will also engage in “a program of public engagement” with the Commissioner and provide to her documents or information she requests from time to time to determine compliance with the Undertaking.
It is a reasonably stringent Undertaking by Australian standards. It is quite lax compared to actions the UK Information Commissioner takes and very easy going compared to the Federal Trade Commission’s enforceable undertakings which often involve swingeing fines and a period of 10 – 20 years of compliance with regular reporting.
The media release provides:
Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) offered by Oxfam Australia (Oxfam).
A data breach was experienced by the not-for-profit in January 2021, and reported to the OAIC in February 2021, following which, the Commissioner initiated an investigation. The data breach resulted in the loss of up to 1.7 million Oxfam records.
The Commissioner’s acceptance of the EU is not a finding that Oxfam has breached the Privacy Act nor the Australian Privacy Principles, but rather highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.
Oxfam is undertaking a range of measures outlined in the EU, particularly in relation to not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls, sharing staff guidance, procedures and training, and the use of privacy threshold assessments in relation to any project that involves handling personal information for testing purposes.
Oxfam has been working collaboratively with the OAIC across the investigation period, and since offering the enforceable undertaking has contributed to an awareness raising campaign directed at others in the not-for-profit sector in relation to the incident and its response to the incident.
The OAIC has used insights from its investigations into Oxfam’s experience, and the separate data breach which affected the telemarketing firm Pareto, to update its privacy guidance for not-for-profits. The guidance, updated in October 2024 (media release), includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.
Timeline
- On 20 January 2021 an unknown user gained access to an Oxfam Australia (Oxfam) database.
- The data breach resulted in the loss of up to 1.7 million Oxfam records.
- Oxfam was alerted to the incident on 27 January 2021.
- Oxfam notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident on 26 February 2021.
- Oxfam Australia alerted its supporters of the potential risk on 4 February 2021.
- On 1 March 2021 Oxfam began notifying their supporters about steps that they could take to protect personal information and provided access to IDCARE.
- On 10 September 2021 the Australian Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
- Privacy Commissioner Carly Kind concluded the investigation in late 2024.
- Following the conclusion of the investigation, Oxfam presented Privacy Commissioner Carly Kind with their enforceable undertaking on 18 December 2024.
- Privacy Commissioner Carly Kind accepted the Oxfam enforceable undertaking on 20 December 2024.
Key privacy points for NFPs
- NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
- Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
- It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
- Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
- Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
- When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
- Refer to our privacy guidance for not-for-profits for advice on security of information, and steps your NFP should put in place to ensure compliance with retention and destruction obligations. The guidance also covers what to consider when engaging third-party providers, such as for fundraising, or software vendors.
Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.
The Enforceable Undertaking provides:
This document is prepared as an enforceable undertaking under s 114(1) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (the Regulatory Powers Act).
This undertaking is offered to the Privacy Commissioner (the Commissioner) by:
Oxfam Australia (ABN 18 055 208 636)
355 William Street, West Melbourne VIC 3003
Oxfam Australia (Oxfam) offers this enforceable undertaking under s 114(1) of the Regulatory Powers Act to address the matters within the scope of the investigation that the former Australian Information Commissioner (the Information Commissioner) commenced on 10 September 2021 under s 40(2) of the Privacy Act 1988 (Cth) (Privacy Act).
The Commissioner’s acceptance of this enforceable undertaking is not a finding that Oxfam has breached the Privacy Act or the Australian Privacy Principles (APP).
1 Background
1.1 On 20 January 2021, an unknown IP address gained unauthorised access to Oxfam’s User Acceptance Testing database (UAT database) which contained the personal information of individuals, which was being used by Oxfam as part of its Customer Relationship Management (CRM) migration project (the incident).
1.2 To support testing, the UAT database contained a copy of production data which included personal information that Oxfam had collected about its supporters. This included some, or a combination, of the following information about supporters:
1.2.1. name, address and date of birth;
1.2.2. donation history, including the nature of the relevant campaign, donation date and donation amount; and
1.2.3. for a small subset of supporters, financial information, including account name, account number, financial institution and masked credit card details.
1.3 Oxfam had retained this information for over seven (7) years, for the purposes of communicating its work and its charitable causes to its supporters – helping assist those individuals in supporting the causes that resonate with them.
1.4 In late January 2021, Oxfam became aware that there was a post on RaidForums, an online marketplace for stolen data, advertising the sale of 1.7 million Oxfam records. The RaidForums seller posted 14 sample records which Oxfam analysed and verified as matching records it held within its UAT database.
1.5 Shortly after becoming aware of the RaidForums post, Oxfam made the Office of the Australian Information Commissioner (OAIC) and its supporters aware of the fact that it was investigating the incident.
1.6 On Friday 26 February 2021, Oxfam formally notified the OAIC that its investigations had confirmed an eligible data breach (NDB) had occurred within the meaning of s 26WE(2) of the Privacy Act.
1.7 Oxfam commenced notifying affected individuals from Monday 1 March 2021, and made the services of IDCARE available to those individuals who were at risk of serious harm as a result of the NDB.
2 Oxfam’s response to the incident
2.1 In response to the incident, Oxfam prioritised strengthening its information security framework and uplifting its operational procedures in relation to its handling of personal information. These activities included, but were not limited to:
2.1.1. undertaking detailed assessments and evaluations of its security systems and posture;
2.1.2. implementing IP whitelisting in the UAT database;
2.1.3. improved identity and access management by including multi-factor authentication and single sign-on for relevant applications;
2.1.4. implementing biometric authentication for devices, along with proactive monitoring and advanced identity monitoring on the Dark Web;
2.1.5. increasing Security Information and Event Management log retention periods to 18 months;
2.1.6. migrating to SOC-managed Endpoint Detection and Response software on its systems and end user machines;
2.1.7. conducting a security review of the website code interfacing with the UAT database;
2.1.8. overhauling its password management and controls policies, and including password security controls in addition to those proposed in guidance from the Australian Cyber Security Centre;
2.1.9. phasing out the use of shared credentials; and
2.1.10. updating and expanding its suite of mandatory privacy and cyber security training offerings for Oxfam staff.
2.2 Oxfam has also provided detailed information about the nature of the strengthened security measures that it has implemented since the incident, on a confidential basis to the OAIC in response to the OAIC’s investigation.
3 The Information Commissioner’s investigation
3.1 On 10 September 2021, the Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
3.2 As a result of the investigation, Oxfam was notified that the Privacy Commissioner held concerns around its acts and practices in handling the personal information of its supporters.
3.3 In relation to APP 11.1, the Commissioner had concerns about:
3.3.1 Oxfam’s use of live supporter data in the UAT database; and
3.3.2 Oxfam’s use of shared credentials by those with access to the UAT database.
3.4 In relation to APP 11.2, the Commissioner had concerns about the period of time that Oxfam retained the personal information of its supporters in its databases. In particular, the Commissioner expressed concerns about the personal information of:
3.4.1 individuals whose information was stored in the UAT database and who had neither donated to nor been contacted by Oxfam since before 2013;
3.4.2 individuals for whom the date of last engagement with Oxfam was not expressed validly within Oxfam’s system; and
3.4.3 individuals who had made a Do Not Contact request of Oxfam and had not gone on to engage with Oxfam in the next seven (7) years.
4 Acknowledgement
4.1 Oxfam acknowledges the concerns arising out of the investigation. Accordingly, Oxfam offers the undertakings in sections 6 to 10 of this document to address these concerns.
5 Term
5.1 This undertaking comes into effect on the date it is accepted by the Commissioner (Commencement Date).
5.2 This undertaking ceases to have effect two (2) years from the Commencement Date.
6 Security and operational uplifts
6.1 Within three (3) months of the Commencement Date, Oxfam undertakes to:
6.1.1 in the case of shared credentials:
6.1.1.1 where the use of shared credentials is determined to be unavoidable in the circumstances, employ appropriate additional controls, training for staff using shared credentials, an audit framework and robust governance with procedures to manage the associated risks;
6.1.1.2 except where the use of shared credentials is unavoidable in the circumstances, implement individual credentials;
6.1.2 develop and implement a mandatory privacy and information security training program, which covers, among other issues, practical guidance for operational level personnel (including employees, contractors and volunteers);
6.1.3 enforce appropriate password security controls (including in relation to complexity, rotation and choice) on passwords used to access testing environments that contain personal information, having regard to industry standards and guidance published by the Australian Cyber Security Centre;
6.1.4 employ multi-factor authentication for all systems that may pose a higher security risk, such as for systems that can be remotely accessed or that contain sensitive/restricted information; and
6.1.5 require initial and regular refresher training in relation to the matters in paragraphs 6.1 and 6.2 for personnel with access to personal information, including employees, contractors and volunteers, to the extent it is relevant to their role and responsibilities.
6.2 Within six (6) months of the Commencement Date, Oxfam undertakes to:
6.2.1 destroy or de-identify the personal information of individuals:
6.2.1.1 who have not donated to or engaged with Oxfam for more than seven (7) years (except for those individuals who have affirmatively indicated that they intend to leave a bequest to Oxfam in their will, and where this is recorded in Oxfam’s systems);
6.2.1.2 for whom the date of last engagement with Oxfam is not expressed validly in Oxfam’s system; and
6.2.1.3 who have made a “Do Not Contact” request and have not gone on to donate or engage with Oxfam in the next 7 years, beyond what has been necessary for the purpose of preventing Oxfam from inadvertently resuming contact with them in the future;
6.2.2 develop and implement policies and procedures that provide clear guidance to Oxfam staff on:
6.2.2.1 the nature of maximum retention periods and processes for personal information it retains; and
6.2.2.2 destruction and de-identification of each type of supporter personal information collected by Oxfam (including personal information used for testing purposes);
6.2.3 require the preparation of a threshold assessment, and where necessary a privacy impact assessment, in relation to any project that involves the handling of personal information for testing purposes, addressing the quantity and kinds of personal information needed for testing and the practicability of potentially less-privacy intrusive options; and
6.2.4 put in place systems to flag personal information that may no longer be needed for a permissible purpose (including personal information held in test databases where not required for specific testing) and review such information with a view to determining which information should be destroyed or de-identified.
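The retention rules in paragraph 6.2.1 and the flagging system in paragraph 6.2.4 can be expressed as a review routine. The following is an added illustration written for this page, not code belonging to Oxfam or the OAIC; the record fields, the sample export, the review date and the treatment of a "Do Not Contact" record as a suppression-only stub are all assumptions made for the example.

```python
"""Retention review flagging modelled on paragraphs 6.2.1 and 6.2.4 of the
undertaking. Added illustration only, not Oxfam's or the OAIC's code; the record
fields, the sample records and the review date are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # threshold stated in paragraph 6.2.1

@dataclass
class Supporter:
    supporter_id: str
    last_engagement: Optional[str]   # ISO date as exported; may be missing or invalid
    do_not_contact: bool = False
    dnc_date: Optional[str] = None   # date of the "Do Not Contact" request
    bequest_intent: bool = False     # affirmatively recorded bequest intention

def parse_date(raw: Optional[str]) -> Optional[date]:
    """Return a date, or None when the export value is missing or not a valid date."""
    try:
        return date.fromisoformat(raw) if raw else None
    except ValueError:
        return None

def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

def _dispose(s: Supporter, reason: str) -> tuple[str, str]:
    # A DNC supporter is never fully destroyed: a minimal suppression record is
    # kept so that contact is not inadvertently resumed (6.2.1.3).
    return ("suppression_only" if s.do_not_contact else "destroy"), reason

def classify(s: Supporter, review_date: date) -> tuple[str, str]:
    """Return (action, reason); action is retain, destroy or suppression_only."""
    cutoff = years_before(review_date, RETENTION_YEARS)
    last = parse_date(s.last_engagement)
    dnc = parse_date(s.dnc_date) if s.do_not_contact else None
    # 6.2.1.3: DNC request followed by seven years without donation or engagement.
    if dnc is not None and dnc <= cutoff and (last is None or last <= cutoff):
        return "suppression_only", "6.2.1.3: no engagement in the 7 years after DNC request"
    # 6.2.1.2: date of last engagement not validly expressed in the system.
    if last is None:
        return _dispose(s, "6.2.1.2: last-engagement date missing or invalid")
    # 6.2.1.1: more than seven years without donation or engagement.
    if last <= cutoff:
        if s.bequest_intent:
            return "retain", "6.2.1.1 exception: recorded bequest intention"
        return _dispose(s, "6.2.1.1: no donation or engagement for more than 7 years")
    return "retain", "engaged within the retention period"

def review(records: list[Supporter], review_date: date) -> dict[str, list[str]]:
    """Group supporter ids by action: the flagging step described in 6.2.4."""
    out: dict[str, list[str]] = {"retain": [], "destroy": [], "suppression_only": []}
    for s in records:
        out[classify(s, review_date)[0]].append(s.supporter_id)
    return out

# Constructed sample export; ids and dates are invented for the example.
SAMPLE = [
    Supporter("S1", "2024-11-03"),
    Supporter("S2", "2012-05-14"),                       # inactive since before 2013 (cf. 3.4.1)
    Supporter("S3", "2016-13-40"),                       # invalid date (cf. 3.4.2)
    Supporter("S4", "2010-02-01", bequest_intent=True),  # bequest exception (6.2.1.1)
    Supporter("S5", "2015-12-20", do_not_contact=True, dnc_date="2016-03-09"),
    Supporter("S6", "2021-08-30", do_not_contact=True, dnc_date="2016-03-09"),
]
REVIEW_DATE = date(2025, 6, 1)  # assumed review run date

if __name__ == "__main__":
    print(review(SAMPLE, REVIEW_DATE))
```

The output of a run like this is the list to be reviewed by a human before anything is destroyed, which is the "review such information" step of 6.2.4 rather than an automatic deletion.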
7 Review and assess testing processes
7.1 Within six (6) months of the Commencement Date, Oxfam undertakes to conduct a review of all current uses of personal information for testing purposes, whether such uses comply with APP 6 and whether the retention of personal information for that purpose is permitted by APP 11.2.
8 Independent review of compliance with Privacy Act
8.1 Oxfam undertakes to engage an independent expert with demonstrated expertise in assessing the requirements for compliance with the Privacy Act to review Oxfam’s practices 12 months after the Commencement Date and prepare a report (Expert Report) that:
8.1.1 specifies whether the steps in paragraphs 6.1, 6.2 and 7.1 have been implemented and maintained in accordance with this undertaking; and
8.1.2 if the steps in paragraphs 6.1, 6.2 and 7.1 have not been implemented and maintained in accordance with this undertaking, recommends actions for Oxfam to complete to ensure such steps are implemented and maintained in accordance with this undertaking.
8.2 Oxfam undertakes to provide a copy of the Expert Report to the OAIC within 14 days of receiving the Expert Report.
9 Implementation of Expert Report recommendations
9.1 Oxfam undertakes to implement the independent expert’s recommendations as outlined within the Expert Report, if any, within the timeframes specified by the expert and in consultation with the OAIC.
9.2 Oxfam undertakes to provide the OAIC with written confirmation of its completion of implementing the independent expert’s recommendations, if any, within 14 days of implementation.
10 Engagement with the OAIC
10.1 Oxfam undertakes to participate in a program of public engagement with the OAIC in relation to the incident and its response to the incident.
11 Provision of information to the Commissioner
11.1 Oxfam will provide or make available to the Commissioner relevant documents and information requested by the Commissioner from time to time (save for any documents the subject of a claim for legal professional privilege) for the purpose of assessing Oxfam’s compliance with the terms of the Enforceable Undertaking.
12 Further acknowledgements
12.1 Oxfam acknowledges that the Commissioner:
12.1.1 may issue a statement on the execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking;
12.1.2 may from time to time publicly refer to this undertaking; and
12.1.3 will publish this undertaking as well as a summary of the undertaking, on the OAIC website.
12.2 Oxfam acknowledges that:
12.2.1 the Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate or pursue other enforcement options available to the Commissioner in relation to any contravention that is outside the scope of the Information Commissioner’s investigation, or which is not related to the incident;
12.2.2 this undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct; and
12.2.3 if the Commissioner considers that Oxfam has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 115 of the Regulatory Powers Act.
13 Confidentiality
13.1 The Commissioner and the OAIC acknowledge that information provided by Oxfam in accordance with this undertaking is likely to contain sensitive commercial information. The Commissioner acknowledges that this information is provided by Oxfam in confidence.
13.2 The Commissioner and the OAIC:
13.2.1 will only publish or otherwise disclose information provided in accordance with this undertaking with Oxfam’s written agreement; and
13.2.2 will only use this information for the Commissioner’s privacy regulatory activities.
The Privacy Commissioner’s blog states:
We’ve become accustomed to hearing and reading about the importance of protecting children’s privacy, especially online.
Less discussed, however, is the data privacy of older generations, who are even more precariously participating in the digital economy. They may be equipped with smart phones and Facebook accounts, but are often less digitally-savvy than their children or grandchildren. As a result, older people face significant risks in seeking to protect or control their personal information, especially when their data may be even more valuable to certain organisations. This is particularly the case when it comes to the world of charitable donations and inheritances.
Australia’s baby boomers are soon to reach their 80s and, having – generally speaking – accumulated much in the way of wealth and property during their lives, are set to make an estimated $3.5 trillion in gifts and inheritance in the next 20 years.
A deserving recipient of a portion of that wealth will hopefully be the charitable sector. Aging Australians lag behind their international peers in making charitable donations in their wills – only 1% of wealth transfer in Australia currently goes to charities – but this is a situation many in the charitable sector hope to change.
However, this well-intentioned hope may be driving practices that put Australians’ privacy at real risk.
Charities, eager to engage donors, are in some cases keeping the personal information of contributors for much longer than is sensible. Based on some cases that have come before the OAIC, a single donation to some charities or fundraisers can lead to your personal information being kept indefinitely, long past when you stop engaging with the charity’s emails, and even after submitting a ‘do not contact’ request.
Charities, many of which are under-supported when it comes to investment in IT systems and data security, are handling excessive amounts of personal information long past when it could be deemed necessary, both failing the “sensible” test, but also, for those charities subject to the Privacy Act – any charity with an annual turnover of more than $3 million – the test of lawfulness.
Having worked in the non-profit sector for much of my professional life, I am sympathetic to the challenging position in which charities are placed. Many run on a shoestring, staffed by committed staff who prioritise spending on beneficiaries and programs rather than operational infrastructure. Their ability to fundraise is a matter of sustainability, and any possibility to raise funds is vigorously pursued.
Nevertheless, good privacy practices are not only important from a legal and ethical perspective, but may also be critical to developing donor relationships. Our research demonstrates that 96% of Australians say that the privacy of their information is important when choosing a product or service. Older Australians are even more concerned about privacy than their younger counterparts. The transfer of wealth from Australia’s elders to charities is likely to occur in the context of a relationship of trust and transparency.
After all, the potential blowback of poor privacy practices is not only a further entrenchment of Australians’ loss of control over their personal information, but also a pronounced risk to the security and safety of that information.
It is not possible for an entity to lose data that they don’t have. Yet with each new data breach that my office investigates, we consistently see that regulated entities are holding onto data without a relevant business need. This practice is by no means confined to charities and non-profits either. Practices around destroying or de-identifying personal information are inconsistent, and in some cases worrying, across corporate Australia.
The risk for charities of holding onto data they no longer need is exemplified in the experience of Oxfam, which in 2021 was subject to a cyber attack that resulted in a loss of up to 1.7 million Oxfam records pertaining to the personal information of donors and supporters. Today we have published an Enforceable Undertaking (EU) offered by Oxfam in response to our concerns about practices that contributed to the data breach and its effects.
A key takeaway from the EU for regulated entities is the need to scrutinise whether requirements to destroy or de-identify data are being adhered to. In the EU, Oxfam undertakes to destroy or de-identify the personal information of donors where they haven’t donated or engaged for more than 7 years. This establishes a baseline for charities to assess their own data policies, and acts as a clear threshold beyond which the question of compliance with the Privacy Act will be called into question.
In accepting the EU from Oxfam I was conscious of the impressive work that Oxfam has done to overhaul its security systems and processes already since the regrettable breach. I am hopeful that Oxfam’s experience will be instructive for all charities seeking to demonstrate good privacy practices, whether they’re subject to the Privacy Act or not.