Telstra breached the privacy of 15,775 customers, according to related investigations conducted by the Office of the Australian Information Commissioner (“OAIC”) and the Australian Communications and Media Authority (“ACMA”).
Between February 2012 and May 2013, the personal information of 15,775 Telstra customers, dating from 2009 and earlier (and including the details of 1,257 active silent line customers), was inadvertently accessible on the Internet.
An investigation by the OAIC found that Telstra had failed to comply with the National Privacy Principles by:
- failing to take reasonable steps to ensure the security of personal information it held;
- failing to take reasonable steps to destroy or permanently de-identify the personal information it held;
- disclosing personal information other than for a permitted purpose.
ACMA also found that Telstra had failed to comply with the Telecommunications Consumer Protections Code.
Following the breach, Telstra agreed to exit the software platform on which the incident had occurred and to review its contracts with suppliers relating to the handling of personal information. The Privacy Commissioner recommended that:
- Telstra engage an independent third party auditor to certify that Telstra had implemented the promised rectifications with certification to be provided to the OAIC by 30 June 2014; and
- Telstra review its document retention policy to ensure it meets the requirements of the new Australian Privacy Principles, which apply from 12 March 2014.
Because the conduct pre-dated the 2014 reforms, these breaches were assessed under the former National Privacy Principles. Had Telstra been found to have breached the corresponding Australian Privacy Principles, it could have been required to give enforceable undertakings to the OAIC and could have faced civil penalties of up to $1.7 million.
Organisations bound by the Privacy Act 1988 (Cth) have had 15 months to prepare for the new privacy laws. If you are bound by the new laws, or think you may be, and have not yet prepared for their impact, we are happy to help you avoid a breach of the privacy laws like Telstra's, and the negative press that follows.