Thursday, 18 September 2014

OPSM parent company loses $33.5 million ADF contract for privacy breach

The parent company of OPSM, Luxottica Retail Australia has lost a $33.5 million contract with the Australian Defence Force (ADF) by sending ADF medical records overseas.

Luxottica was awarded the contract by the ADF in 2012 under which it provided optical services to all ADF personnel.  At that time, Luxottica claimed that it would exclusively offer eye services to more than 80,000 ADF personnel each year primarily through its OPSM stores.

Earlier this month, the ADF’s service provider, Medibank Health Solutions (MHS) revealed that Luxottica had breached its contract with ADF by sending ADF medical records overseas, when the contract required ADF medical records be kept in Australia.

It is understood that the ADF medical records were sent to Luxottica’s own server located overseas and included personal information such as name, military unit and results of eye tests and prescriptions.

While the overseas country to which the ADF medical records were sent has not been identified, MHS stated there was no indication the personal information had been passed to any parties beyond those working for Luxottica, including Luxottica’s information technology partners.

The ADF is in the process of contacting the affected ADF personnel and also seeking an alternative optometry provider.

What does this mean for you?

If your business sends personal information to third parties located overseas or if your business stores personal information on servers located overseas, the new Australian Privacy Principles (APPs) require you to make certain disclosures in your privacy policy and privacy collection statement, including listing the countries to which your business is likely to disclose personal information.  Before sending personal information overseas, the APPs also require businesses to take reasonable steps to ensure that the overseas recipient of personal information does not breach the APPs.

In addition to complying with the APPs relating to the overseas disclosure of personal information, you should ensure that the contract your business enters into that governs the collection, use and disclosure of that personal information does not prohibit your business from sending that personal information overseas (as did the contract between Luxottica and the ADF).

To avoid breaching your privacy obligations under the APPs and contractual obligations, you should seek expert advice.  McCullough Robertson can provide you with advice about your privacy obligations under specific contracts and also in relation to the development of your own privacy compliance strategy in accordance with the APPs.
