Telstra breached privacy laws

Telstra breached privacy laws when information on its customers was accessible from the internet in 2012 and 2013, according to the Office of the Australian Information Commissioner (OAIC).

A statement from the OAIC said that between February 2012 and May 2013, information of 15,775 Telstra customers - including the information of 1257 active silent line customers - was accessible from the internet.

An OAIC investigation focused on whether the telco "took reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure", the statement said.

Privacy Commissioner Timothy Pilgrim found Telstra breached the following National Privacy Principles (NPP):

• 4.1 - failure to take reasonable steps to ensure the security of the personal information it held.
• 4.2 - failure to take reasonable steps to destroy or permanently de-identify the personal information it held.
• 2.1 - disclosure of personal information other than for a permitted purpose.

"This incident is a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information," said Pilgrim.

Following the breach, Telstra agreed to undertake several actions related to software management and personal information handling.

Pilgrim recommended Telstra:

• engage an independent third-party auditor to certify that Telstra has implemented planned rectifications, and that the certification be provided to the Commissioner by 30 June 2014; and
• review its Document Retention Policy to ensure it meets the requirements of the Australian Privacy Principles, which apply from 12 March 2014.