10/11/2025

Recently, the Privacy Commissioner, Carly Kind, found that Vinomofo Pty Ltd, an online wine wholesaler, had interfered with the privacy of individuals whose personal information it held in its database.
In December 2018, Vinomofo commenced a data migration project to update its system for managing customer data, which included migrating customers’ personal information to a temporary cloud-based database.
In September 2022, Vinomofo experienced a data breach, in which an unauthorised third party accessed and exfiltrated the data of nearly one million individuals from the database.
Following the data breach notification, the Office of the Australian Information Commissioner investigated Vinomofo’s privacy practices, particularly in relation to Australian Privacy Principle (APP) 11.1.
Vinomofo has been directed to cease the practices that led to the breach and has been given 90 days to implement further measures to improve its security and governance.
Key findings
The Privacy Commissioner found that the totality of steps taken by Vinomofo was not reasonable in the circumstances for the purpose of APP 11.1. Both the technical measures (ICT and access security) and the organisational measures (governance, culture and internal practices) in place at the time were inadequate.
This case provides useful guidance to entities about their obligations when using cloud infrastructure providers to house personal information as well as the technical and organisational steps entities should take to meet their APP 11.1 and APP 11.3 obligations.
Takeaways
APP 11.1 requires entities to take reasonable steps to protect the personal information they hold from unauthorised access, modification or disclosure. The recent introduction of APP 11.3 has made it clear that both technical and organisational measures are to be considered in determining whether an action constitutes a reasonable step (noting that APP 11.3 was not in force at the time of the relevant data breach).
What constitutes ‘reasonable steps’ has not always been clear and depends on the circumstances. This recent decision provides further clarity on what constitutes reasonable steps for the purpose of APP 11.1.
The Privacy Commissioner found, by reference to Federal Court of Australia guidance in the context of corporations law matters, that identifying the steps that could have been taken but were not taken can be helpful in determining whether the steps actually taken were ‘reasonable’.
In particular, we have learned:
- Entities must assess their privacy and information security practices against the risks associated with the personal information they hold.
- A strong organisational culture that prioritises good privacy practice is essential; privacy cannot be treated as an afterthought. Practically, this includes implementing robust security policies and procedures and building security awareness and capability across the organisation.
- Entities should document the internal practices, procedures and systems used to protect personal information.
- Data migration projects involving test environments or cloud infrastructure present a heightened risk, and entities should adopt security measures proportionate to the level of risk presented by the use of cloud infrastructure. This includes adopting appropriate cloud infrastructure security controls and having an appropriate security logging capability.
- Security measures should be able to monitor, detect and alert on unauthorised activity. Without detection or monitoring controls, unauthorised access may go unnoticed for an extended period.
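As an added illustration (not part of the Commissioner's determination or of this article's original text), the following Python sketch shows the kind of monitoring control the last two points describe. It runs three checks over a constructed audit log for a hypothetical temporary migration database: an identity outside the approved migration accounts, a source address outside the approved network, and a volume of rows read within a short window that looks like a bulk export rather than application traffic. The log format, identity names, addresses, database name and thresholds are all assumptions made for the example.

```python
"""Illustrative detection over constructed database audit-log lines.

Added example only: the log format, names, addresses and thresholds are
assumptions, not anything described in the Vinomofo determination.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: JSON-lines audit log for a hypothetical temporary
# migration database. The first two lines are routine migration batches from
# the approved service account on the approved network; the rest are the
# pattern a monitoring control should catch.
SAMPLE_LOG = """\
{"ts":"2022-09-01T02:00:00Z","principal":"svc-migration","src_ip":"10.0.1.5","db":"customers_migration_tmp","action":"SELECT","rows":5000}
{"ts":"2022-09-01T02:01:00Z","principal":"svc-migration","src_ip":"10.0.1.5","db":"customers_migration_tmp","action":"SELECT","rows":5000}
{"ts":"2022-09-01T03:10:00Z","principal":"analyst1","src_ip":"10.0.1.20","db":"customers_migration_tmp","action":"SELECT","rows":120}
{"ts":"2022-09-01T03:30:00Z","principal":"svc-migration","src_ip":"203.0.113.7","db":"customers_migration_tmp","action":"SELECT","rows":250000}
{"ts":"2022-09-01T03:31:00Z","principal":"svc-migration","src_ip":"203.0.113.7","db":"customers_migration_tmp","action":"SELECT","rows":250000}
{"ts":"2022-09-01T03:32:00Z","principal":"svc-migration","src_ip":"203.0.113.7","db":"customers_migration_tmp","action":"SELECT","rows":250000}
{"ts":"2022-09-01T03:33:00Z","principal":"svc-migration","src_ip":"203.0.113.7","db":"customers_migration_tmp","action":"SELECT","rows":250000}
"""

# Hypothetical policy for the migration database: which identities may use it,
# from which network, and how many rows one identity may read inside a short
# window before the activity looks like a bulk export.
POLICY = {
    "protected_dbs": {"customers_migration_tmp"},
    "expected_principals": {"svc-migration"},
    "allowed_networks": [ipaddress.ip_network("10.0.1.0/24")],
    "bulk_rows": 400_000,
    "window": timedelta(minutes=10),
}


def parse_log(text):
    """Parse JSON-lines audit records and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, policy=POLICY):
    """Return one alert per distinct finding, in the order they are first observed."""
    alerts = []
    seen = set()                      # dedup keys, so a burst raises one alert
    windows = defaultdict(deque)      # principal -> (ts, rows) inside the window

    def raise_alert(rule, ev, detail, key):
        if key in seen:
            return
        seen.add(key)
        alerts.append({"rule": rule, "ts": ev["ts"].isoformat(),
                       "principal": ev["principal"], "src_ip": ev["src_ip"],
                       "detail": detail})

    for ev in events:
        if ev["db"] not in policy["protected_dbs"]:
            continue
        ip = ipaddress.ip_address(ev["src_ip"])

        # 1. Identity outside the set approved for the migration database.
        if ev["principal"] not in policy["expected_principals"]:
            raise_alert("unexpected_principal", ev,
                        f"{ev['principal']} is not an approved migration identity",
                        ("unexpected_principal", ev["principal"]))

        # 2. Source address outside the approved network (even for an approved identity).
        if not any(ip in net for net in policy["allowed_networks"]):
            raise_alert("unexpected_source", ev,
                        f"access from {ev['src_ip']} outside allowed networks",
                        ("unexpected_source", ev["principal"], ev["src_ip"]))

        # 3. Bulk read: rows returned to one identity inside a sliding window.
        q = windows[ev["principal"]]
        q.append((ev["ts"], ev["rows"]))
        while q and ev["ts"] - q[0][0] > policy["window"]:
            q.popleft()
        total = sum(rows for _, rows in q)
        if total > policy["bulk_rows"]:
            # Keyed on the window start so a later, separate burst alerts again.
            raise_alert("bulk_read", ev,
                        f"{total} rows read within {policy['window']}",
                        ("bulk_read", ev["principal"], q[0][0]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the routine batches pass silently, the analyst's access raises an identity alert, the service account's access from an external address raises a source alert, and the second 250,000-row read pushes the ten-minute total over the threshold and raises a bulk-read alert. The point for APP 11.1 purposes is not the particular thresholds but that each rule depends on the database actually emitting audit records and on someone reviewing the alerts; without that logging and monitoring capability, none of these checks is possible.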
In this new era of tougher enforcement measures for privacy infringements, organisations must adopt a proactive, structured approach to privacy management, embedding privacy practices into the organisational culture and continually assessing and mitigating risks.
A mature privacy function ensures not only compliance with the Privacy Act 1988 but also builds trust with customers and stakeholders.
Now is the time to act—don’t let privacy be an afterthought. Contact Griffin Legal to help build your privacy resilience.
For more detailed information, the Privacy Commissioner’s decision is available here: Commissioner Initiated Investigation into Vinomofo Pty Ltd (Privacy) [2025] AICmr 175 (17 October 2025)