The privacy commissioner’s decision closes out an investigation that began in 2021
Privacy commissioner Carly Kind has determined that telco Optus violated individuals’ privacy by listing their personal information in the White Pages despite stated preferences or requests for numbers to remain unlisted.
Kind’s determination concludes an investigation that began in August 2021. The commissioner decided that Optus violated Australian Privacy Principle (APP) 11.1 by not taking reasonable steps to safeguard customers’ personal information from unauthorised disclosure between 1 October 2015 and 27 September 2019.
“APP entities must value stewardship and privacy responsibilities, and the complex reality of implementing uplifts to legacy systems should not prevent an APP entity from implementing them as a priority”, Kind said. “Although it is some time since the matter happened, this determination provides further guidance on the application of APP 11.1 to the conduct of highly sophisticated regulated entities”.
Per the investigation, Optus had directly asked transferring or porting customers whether they wanted their numbers listed; thus, 41,728 porting customers who requested to be unlisted expected their preferences to be honoured.
However, these customers’ information remained available in the White Pages, subjecting them to possible harm. Kind noted that Optus stored customer directory details on its system and on the disclosing third party’s system; Optus controlled both systems and could amend details as instructed.
Kind indicated that Optus knew it was putting customers who had asked to be unlisted at risk during the period in question. It also knew that such mistakes impacted a considerable number of customers.
The commissioner determined that the risk mitigation steps Optus took were not aligned with the risk, considering the organisation’s size, resources and business sophistication. It could have initiated efforts to lessen or eliminate the unauthorised disclosure risk, such as promoting privacy awareness, conducting regular system reconciliations and implementing processes for porting customers that ensured the accuracy and completeness of customer directory details.
Kind said she would apply her findings in the determination to the representative complaint about the same conduct. She said that, in due course, she would consider “reasonable and proportionate compensation” for impacted class members in any determination with respect to the representative complaint.
In September 2022, Optus was the victim of a major cyberattack that compromised the personal data of both existing and previous customers.