Australia’s largest chain of travel agencies, Flight Centre, was found to have released the personal information of nearly 7,000 customers during a 2017 ‘design jam’ in which it provided the data to 16 teams who were tasked with using it to create innovative solutions for travel agents.
The data was supposed to have been deidentified before distribution, but after 36 hours its personal nature was revealed and the company was eventually referred to the privacy regulator Office of the Australian Information Commissioner (OAIC).
An investigation into the incident, whose results were released this month, found that the company had not taken reasonable steps to implement practices for ensuring compliance with the Australian privacy principles.
Flight Centre had also disclosed the personal information of the individuals without their consent, and it failed to “take reasonable steps to appropriately secure the personal information”, privacy commissioner Angelene Falk said.
“This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large data sets will be shared with third-party suppliers for analysis,” she said.