AU: Railcorp blunder as personal details offered in rail sale (updated)
Finders, keepers? Can you just auction off lost USB drives left on trains without regard to whether they contain sensitive information? Maureen Shelley reports:
A bunch of USB memory sticks, which hold private photos and data, left by passengers on Sydney trains were sold by Railcorp at a lost property auction.
Computer security company Sophos, which bought the sticks, said they contained thousands of photographs, work projects, minutes of meetings and university assignments as well as a job application and resum aac (sic).
NSW Information and Privacy deputy commissioner John McAteer said that his office was investigating a possible breach of the Privacy Act by RailCorp and whether it had kept passengers’ private data safeguarded.
Read more on The Daily Telegraph.
Updated 12-14-11: RailCorp isn’t saying whether it erased any data before selling devices, leading to concerns about what they’ve done in previous auctions. Read more on The Sydney Morning Herald
David - December 9, 2011
It is quite possible that once an item like a USB stick is lost, there is no statutory obligation on the finder to protect the privacy of the contents.
At best, it’s difficult to see how such an obligation could ever be enforceable.