DEBACLE LABELLED A CASE OF SOMEONE DROPPING THE BALL
GEELONG council failed to recognise the seriousness of its plan to move data offshore, Ratepayers Geelong president Peter Mitchell believes.
The Geelong Advertiser revealed council had backflipped on a plan to transfer the personal data of up to 25,000 leisure members to a company overseas.
In an email sent to members last week, council said it would be using a third-party provider for all Swim Sport and Leisure member communications from January 28.
The city said the data was likely to be stored in the USA, but possibly other countries, saying “these countries may have privacy laws that are less protective than Victoria’s and the information may be subject to mandatory disclosure in accordance with the law of the jurisdiction in which it is held”.
Professor Matt Warren, deputy director of the Deakin University Centre for Cyber Security Research and Innovation, said he was “horrified” by the email.
Mr Mitchell, who works in IT, said he believed someone had “dropped the ball” in the process and council had failed to recognise the significance of the plan.
“From a ratepayer’s point of view, this is wrong, this is bad, but I’d guess it’s not a deliberate breach. I’d guess somebody doesn’t know what they’re doing,” he said.
“If whoever has done this hasn’t thought of security, that is a major shortfall.
“My take on it is nobody thought it was significant and that’s why councillors weren’t told. They should certainly have been briefed on this.”
The council has confirmed that each member’s name, address, email address, phone number and member number would be shared with the external provider, but that no credit card or medical details would be accessed, under the original plan.
Members were given until January 27 to opt out but were warned that opting out meant they would no longer receive “upgrades, events, competitions, offers and general Swim Sport & Leisure updates”.