ODRP: Treasury breached protection rules
An investigation into a data breach by the government’s income tax division says there were almost 2.3 million disclosures of personal data.
The Treasury has contacted those whose email addresses were revealed when it sent them a marketing message earlier this year.
It’s after an investigation by the Office of the Data Protection Registrar following the breach, blamed at the time on human error.
The ODPR, however, says Treasury did breach data protection regulations – and has asked the income tax division to make sure it doesn’t happen again.
In its email, Treasury admits it didn’t ask for permission to use email addresses for direct marketing, nor did it tell people their information might be used that way.
There was also no way to unsubscribe from the bulk email, and data protection bosses say the Twitter feed promoted isn’t a “similar product or service” which could have been offered under the rules.
The Treasury says it estimates more than two million personal disclosures were made – but that doesn’t include further breaches when it tried to recall the emails.
However, it says it’s agreed to make changes and so no further action will be taken by the data protection supervisor at this time.