Own Motion Investigation v Airline [2009] PrivCmrA 7
Case Citation:
Own Motion Investigation v Airline [2009] PrivCmrA 7
Subject Heading:
Failure to keep personal information secure
Law:
National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
An individual advised the Privacy Commissioner that an airline had failed to protect its passengers' privacy. The individual had accessed the airline's online flight check-in system using their personal booking number and flight number. When they entered this information the personal information of two other airline passengers was allegedly shown on the screen. The information included the other passengers' full names and contact telephone numbers, email addresses and their flight itineraries.
Issues:
National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Outcome:
The Commissioner commenced an own motion investigation under section 40(2) of the Privacy Act.
At the commencement of the investigation, the Commissioner found that the individual had also directly contacted the airline to advise them of the issue and that the airline had commenced its own investigation.
The airline's system administrator found an anomaly with the security coding in the online check-in system that allowed some passengers' details to be displayed on the check-in screen of other passengers. The administrator undertook a series of actions to prevent the problem recurring. This included installing a temporary code to prevent further inadvertent disclosures of passengers' information whilst working on an improved code to permanently remedy the issue. The new security code was developed, tested, and moved into production and the problem did not recur.
In considering the matter the Commissioner took into account that the respondent already had in place a number of processes intended to reduce the likelihood of unauthorised access or disclosure of passenger information. These included computer testing, audits and adherence to system guidelines. Additionally, the airline advised the Commissioner that the security of the check-in system was compliant with international regulations and subject to annual compliance audits.
This particular incident had occurred as a result of a coding fault in a secondary computer system which was remedied soon after the respondent was notified of the error.
Given the processes that the respondent already had in place and that the code problem which led to the disclosure was remedied soon after the respondent was notified of the error, the Commissioner took the view that the steps taken to respond to the error were adequate.
As the respondent had met the obligations imposed by NPP 4.1, the Commissioner ceased the own motion investigation into the matter.
OFFICE OF THE PRIVACY COMMISSIONER
August 2009