Protecting Information Rights – Advancing Information Policy


Topic(s): Compliance
 

Media Release: Investigation of GST-Assist Breach Concluded


16/10/2000


The Federal Privacy Commissioner, Malcolm Crompton, today confirmed that the absence of appropriate security measures in the Treasury Department's GST-Assist website prior to 29 June 2000 was a breach of the Federal Privacy Act.

The GST-Assist website was developed to provide an electronic web-based supplier registration system as part of the introduction of the GST. In doing this, the website collected the bank account numbers and other personal information of businesses, as well as of some individuals.

In making his announcement, Mr Crompton said that the unauthorised accessing of the website in June by an Internet user illustrates the need for government departments and organisations to develop rigorous privacy protection measures as they move operations and services online.

"If government departments are to maintain community trust in the use of online technologies it is essential that they adequately protect the personal information they hold," Mr Crompton said.

"The individuals who applied for registered supplier status with GST-Assist rightly expected that their bank account details would not be generally accessible when they provided them.

"While the GST Start-Up Assistance Office took prompt action to improve security by placing the information behind the Department of Treasury's website firewall, this only happened after the unauthorised access occurred," Mr Crompton said.

"Although the person who accessed this personal information only circulated it to those named in the record, the potential for misuse of this information was considerable.

"A greater degree of effort must be put into protecting personal information in the online environment, including the specific requirement that privacy be addressed in contracts with software and systems suppliers."

The Privacy Commissioner found that security testing of the GST-Assist website was limited and primarily concerned with business access requirements without adequately addressing the need to protect personal information in the database from unauthorised access.

"I am satisfied with the actions taken to secure the GST-Assist website since this incident but will conduct further inquiries if a complaint is received from an individual affected by the breach," Mr Crompton said.