Notification to referees

Dear Madam/Sir

Your personal information

We note that you were one of a number of people who applied for a position with us or who were identified as a referee by a prospective employee applying for a position with The Whiddon Group. Consequently, your personal details (such as your telephone number and/or email address) were submitted using a particular page on The Whiddon Group’s website (Job Application Page).

For the purposes of the Privacy Act (Act), the information about you that was submitted to The Whiddon Group constitutes ‘personal information’.

Accordingly, pursuant to the Act, The Whiddon Group has obligations to:
1. Protect that personal information; and

2. In the event that there has been unauthorised access, disclosure, or loss of that information and a reasonable person would conclude that the access or disclosure would likely result in serious harm to you or others (an Eligible Data Breach), notify you and others who have been affected as well as the Privacy Commissioner.

The purpose of this letter is to notify you of the occurrence of an Eligible Data Breach and assure you that steps have been taken by The Whiddon Group to remedy the breach. We also set out some recommendations to assist in your management of the breach.

Details of Eligible Data Breach

The Eligible Data Breach arose in the following circumstances:
1. At approximately 9.30am on 18 May 2018, The Whiddon Group was alerted to personal information from the Job Application Page being accessible via the Google search engine. A further alert of the same concern arose shortly thereafter.

2. The Whiddon Group took steps to immediately commence an investigation and in doing so, concluded that:

a. Personal information was accessible via the Google search engine;
b. The accessibility arose due to an error made during the development of Job Application Page which was undertaken by The Whiddon Group’s then website management company (Website Provider);
c. Whilst the personal information was accessible, it was not extensively viewed or crawled. Indeed, The Whiddon Group estimates that of all personal information that was accessible, approximately only 8% was crawled. Given that low statistic, the likely conclusion is that such activity was mostly conducted by Google itself.

Steps taken by The Whiddon Group

The Whiddon Group concluded that the above circumstances gave rise to an Eligible Data Breach. In doing so, The Whiddon Group took the following steps:
1. By 11am on 18 May 2018, The Whiddon Group had caused all forms to be deleted from the Job Application Site;

2. By 1:30pm on 18 May 2018, all original files comprising personal information were removed from the Job Application Page’s data base, and accordingly, were no longer accessible;

3. Notwithstanding the removal of original files, some of the personal information had been cached by Google. Cache and deletion requests were made to Google and The Whiddon Group has since received confirmation that these requests have been actioned;

4. On 21 May 2018, The Whiddon Group notified the Privacy Commissioner of the Eligible Data Breach and has had further communication with the Commissioner since then.

In addition to the above, The Whiddon Group confirms that it no longer engages the Website Provider. That engagement had been terminated prior to discovery of the Eligible Data Breach.

Accordingly, The Whiddon Group has taken all reasonable steps to remedy the Eligible Data breach and ensure that none of your personal information (or others) is accessible to third parties.

Steps that can be taken by you

Whilst The Whiddon Group is of the view that the Eligible Data Breach has been addressed and further disclosure has been prevented, The Whiddon Group nonetheless recommends that you:
1. Monitor your phone to ensure that those details have not been hacked or otherwise exploited by third parties;

2. Monitor your email address to ensure that those details have not been hacked or otherwise exploited by third parties;

3. In the event that you have concerns regarding any misuse of your personal details, alert the relevant authorities including the police.

Further Queries

Should you have further queries regarding the matters raised in this letter, please contact:

Amiria MacKinnon, General Manager Marketing & Communications on 1300 738 388 or