NSW Privacy Commissioner report into RailCorp sale of unclaimed USB data keys released
The Office of the NSW Privacy Commissioner has released its report on its own-motion investigation of RailCorp's sale of unclaimed USB data keys under the Privacy and Personal Information Protection Act 1998 (the PPIP Act).
USB devices can contain data that includes personal and health information. NSW privacy law requires public sector agencies such as RailCorp to ensure that they do not disclose personal information without the consent of the person concerned. In the case of lost property, this consent is difficult to obtain.
The investigation, led by Deputy Privacy Commissioner John McAteer, commenced following reports alleging that third-party personal information was accessible by persons who had purchased USB keys through a public auction held by RailCorp in 2011. RailCorp responded “constructively and quickly once contacted by this office,” said Deputy Commissioner McAteer. Of its own accord, RailCorp ceased selling unclaimed USB keys and commenced a review of its approach to the auctioning of devices that may contain data capable of identifying individuals. “RailCorp is consulting the Office of the NSW Privacy Commissioner on this review,” said Mr McAteer.
The investigation found that while RailCorp undertook a data cleansing process of USB keys prior to auction, this process did not prevent the recovery of cleansed data using off-the-shelf, inexpensive software, and that the obligations under section 12(c) of the PPIP Act were not met.
The NSW Privacy Commissioner Dr Elizabeth Coombs commended RailCorp’s proactive approach and the investigation undertaken by the Deputy Commissioner.
“Technology advances have meant that there are now many mobile devices that store data concerning individuals. We will continue to assist RailCorp in the development of its policy towards the auction or appropriate disposal of such devices,” Dr Coombs said.
The report can be accessed on the Office of the Privacy Commissioner website at www.privacy.nsw.gov.au.
For further information, contact Mr John McAteer, Deputy Privacy Commissioner.