The report said that the “data cleansing process” used by RailCorp prior to auctioning off unclaimed USB keys was inadequate because it “did not prevent the recovery of cleansed data using off the shelf, inexpensive software”. As a result, RailCorp did not meet its legal obligations under the Australian state’s Privacy and Personal Information Protection (PPIP) Act.
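The failure the report describes, "cleansed" media from which files could still be recovered with inexpensive software, is exactly what a verification step before disposal should catch. The following Python script is an added example, not code from the article, RailCorp or Sophos: it treats a raw image of a USB key as sanitised only if every sector is the expected fill byte and none of a short list of common file-header signatures survives anywhere on it. The signature table, the `verify_file` helper and the two sample images are constructed for illustration.

```python
"""Verify that a USB key image no longer holds recoverable data.

Added example (not from the article or RailCorp): before a device is
resold, an auditor images it and runs this check. The medium counts as
sanitised only if every sector is the expected fill byte and none of a
short list of file-header signatures survives anywhere in the image.
"""
import mmap
from typing import Dict, List, Tuple, Union

SECTOR_SIZE = 512
Image = Union[bytes, mmap.mmap]

# Magic numbers for file types typical of personal USB keys (illustrative list).
SIGNATURES: Dict[str, bytes] = {
    "zip/docx/xlsx": b"PK\x03\x04",
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "ole/doc/xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}


def find_signatures(image: Image) -> List[Tuple[int, str]]:
    """Return (offset, type) for every file signature found in the image."""
    hits: List[Tuple[int, str]] = []
    for name, magic in SIGNATURES.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def nonblank_sectors(image: Image, fill: int = 0x00) -> List[int]:
    """Return indices of sectors holding any byte other than `fill`."""
    blank = bytes([fill]) * SECTOR_SIZE
    dirty: List[int] = []
    for offset in range(0, len(image), SECTOR_SIZE):
        sector = image[offset:offset + SECTOR_SIZE]
        if sector != blank[:len(sector)]:  # last sector may be short
            dirty.append(offset // SECTOR_SIZE)
    return dirty


def verify_sanitised(image: Image, fill: int = 0x00) -> dict:
    """Combine both checks into a verdict an auditor can act on."""
    dirty = nonblank_sectors(image, fill)
    hits = find_signatures(image)
    return {
        "sanitised": not dirty and not hits,
        "dirty_sectors": dirty,
        "signatures": hits,
    }


def verify_file(path: str, fill: int = 0x00) -> dict:
    """Run the check over a raw device image on disk without loading it all."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return verify_sanitised(m, fill)


# Constructed sample images (not real RailCorp data).
# A quick format clears the directory sector but leaves file content behind.
_deleted_pdf = b"%PDF-1.4 constructed sample content".ljust(SECTOR_SIZE, b"\x00")
QUICK_FORMAT_IMAGE = bytes(2 * SECTOR_SIZE) + _deleted_pdf + bytes(SECTOR_SIZE)
# A full overwrite leaves every sector as the fill byte.
OVERWRITTEN_IMAGE = bytes(4 * SECTOR_SIZE)

if __name__ == "__main__":
    for label, img in (("quick format", QUICK_FORMAT_IMAGE),
                       ("full overwrite", OVERWRITTEN_IMAGE)):
        print(label, verify_sanitised(img))
```

The "quick format" sample reproduces the gap the report points at: the directory sector is blank, so the device looks empty in a file browser, but the signature scan still finds a PDF header at the start of sector 2. Only the fully overwritten sample passes. For real media, point `verify_file` at a raw image taken after the wipe; for devices wiped with a pattern other than zeros, pass that byte as `fill`.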
The investigation was prompted by the purchase of 57 USB keys containing 4,400 files by a team led by Paul Ducklin, head of technology, Asia Pacific, at Sophos. The analysis of the USB keys revealed unencrypted personal information about the former owners of the devices and their family, friends, and colleagues.
In response to the privacy commissioner’s investigation, RailCorp announced that it would no longer sell unclaimed USB keys and began a review of its approach to auctioning off other electronic devices that could contain users’ personal information.
RailCorp responded “constructively and quickly once contacted by this office”, said Deputy Privacy Commissioner John McAteer.
“No evidence was uncovered which established the actual disclosure of personal information, tied with a complaint by an individual who had standing to assert that their privacy rights under the PPIP Act had been breached. In this regard the Privacy Commissioner makes no findings in respect of a breach of section 12 of the PPIP Act”, the report concluded.