"To assure the Commissioner and the Australian community that Precedent will address the issues identified in the investigation, Precedent offered, and the Commissioner accepted, an enforceable undertaking on 28 July 2017," it said.
At the same time, the OAIC found that the data breach occurred without the authorisation or direct involvement of the Blood Service, and was outside the scope of Precedent's contractual obligations to the Blood Service.
As such, there was no "disclosure" by the Blood Service of the data file.
"The steps the Blood Service had in place to protect personal information at the time of the breach were, for the most part, adequate," the investigation report into the Blood Service's involvement in the breach stated.
However, the OAIC found that the Blood Service had breached APP 11, "in respect of the information on the Donate Blood website by retaining the information indefinitely, and by not having appropriate measures in place to protect information concurrently held by third party contractors".
Regardless, the Australian Information and Privacy Commissioner, Timothy Pilgrim, has suggested that the community can have "confidence" in the Australian Red Cross Blood Service's commitment to the security of their personal information, following his investigation.
"Data breaches can still happen in the best organisations - and I think Australians can be assured by how the Red Cross Blood Service responded to this event," Pilgrim said. "They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process."
The Blood Service has enhanced its information handling practices since the incident, and has provided assurance to the Commissioner through an enforceable undertaking, as has Precedent Communications.
For its part, Precedent proposed a set of measures to enhance its protection of personal information, and the Commissioner accepted the enforceable undertaking from Precedent, formalising its commitment to implement the measures within a specified timeframe.
"Based on Precedent's ongoing implementation of the measures proposed to enhance its protection of personal information, the Commissioner considers this an appropriate conclusion to the investigation," the report stated.