When employee data does fall within the legal privacy net
By Cameron Abbott, Warwick Andersen and Georgia Mills
PageUp, a leading HR software support company has revealed it has fallen victim to a massive data breach, potentially compromising the personal details of thousands of Australians. Boasting over 2 million active users worldwide and counting a roll call of major Australian companies together with a number of government agencies as clients, the breach may be the largest since the introduction of mandatory data breach notification laws in February (which we blogged about here).
Some companies used PageUp’s software only for recruitment, while others used it for more expansive human resources information such as salary information, bank details, tax file numbers and other sensitive personal information.
The company released a statement saying it had notified the Australian Cyber Security Centre and is working with them to investigate the security breach. The Office of the Australian Information Commissioner has also been notified. It is believed the breach was caused by malicious code being executed within PageUp’s systems but PageUp is still determining what information has been accessed by the hackers.
Australian clients are suspending their careers portals and closing connections with PageUp’s systems in an effort to minimise the information that can be exposed. Some companies have reminded recent applicants to keep an eye on their financial activity and to report any suspicious activity to their bank.
This breach also highlights an interesting anomaly in Australian privacy laws. In the hands of an employer, employee information directly related to the employment relationship is exempt from the Privacy Act. However, the moment that information is held by a third party, the information again becomes subject to the Privacy Act in the hands of that third party, even if the third party is performing a function or holding data on behalf of the employer. It is worth noting in this case that candidate information is not employee information and is therefore still subject to the Privacy Act regardless of whether or not it is held by a potential employer.
Thus your service provider may need to notify your employees of the breach even if you don’t. Might be worth keeping that in mind next time you review the service providers terms and conditions?