The Australian Privacy Commissioner has published his report which finds Telstra in breach of two National Privacy Principles after 734,000 Telstra customers’ personal information (such as names, phone numbers, service holdings and order numbers, usernames, passwords and addresses, and in some cases drivers licence numbers and dates of birth) were made available online in December 2011.
The Commissioner took the view that the incident amounted to an unauthorised disclosure of customers’ personal information by Telstra, and therefore breached NPP 2.
The Commissioner also concluded that at the time of the incident, Telstra did not have adequate security measures in place to protect the personal information it held in the Visibility Tool from misuse and loss and from unauthorised access, modification or disclosure, resulting in a breach of NPP 4.
The Australian Communications and Media Authority separately found Telstra also breached the Telecommunications Consumer Protections Code which requires that a Carriage Service Provider must protect the privacy of each customer’s billing and related personal information.
The Privacy Commissioner’s investigation report found that a number of internal errors in Telstra’s reporting, monitoring and accountability systems occurred in the lead up to the incident in December 2011.
A number of Telstra staff knew about the security issues with the database but did not raise them with management.
The Commissioner closed the investigation after Telstra committed to the following remedial actions:
• an audit of all Telstra applications using technology based platforms that supported the Visibility Tool and that collect, store or use customers’ personal information
• revision of the Privacy Compliance Program, including reviewing training and compliance processes relating to customer data management, and reinforcing with staff the consequences of non-compliance with Telstra’s policies and procedures
• implementation of a new internal training program for using Telstra’s Enterprise Program Management Tool processes, including the completion of Compliance Questionnaires
• enhancement of the existing processes, including updated training material, a simplified risk register and templates that are easier to use
• establishment of a system where the Chief Privacy Officer is involved in the management of incidents concerning privacy. Where an incident involves a privacy risk, the Chief Privacy Officer will undertake a risk assessment and, where appropriate, notify the OAIC. This is consistent with the OAIC’s Data Breach Notification Guidelines, which encourage organisations to notify the affected individuals and the OAIC if there is a real risk of serious harm as a result of a data breach
• improvement of the Telstra employee privacy security training and updates to Telstra’s Information Security and Records Management course, deployed in February 2012
• updates, deployed on 16 December 2011, included in Telstra’s refresher privacy and security training modules
• implementation of a specific training program for all Telstra’s employees and contractors with access to customers’ credit card information, deployed by 1 March 2012.
