
A year on - privacy in practice: the Privacy Commissioner shows its teeth

15/04/15

On 27 March 2015 the Privacy Commissioner accepted an enforceable undertaking (the EU) from Singtel Optus Pty Ltd (Optus) - the first of its kind since amendments to the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (the APPs) came into effect on 12 March 2014. This article looks at the recent action taken by the Privacy Commissioner (the PC) against Optus, the factors that led the PC to take action, and what your school can learn from the incident.

The APPs - a refresh

You should already be familiar with the APPs, which have been binding on non-government schools since last year. The APPs were introduced in Australia as part of broader reforms to the Privacy Act. CompliSpace has published a Briefing Paper for Non-Government Schools, which provides a plain English overview of the 13 APPs and outlines some of the key issues that schools should consider in developing their privacy programs. There is also a webinar presented by David Griffiths of CompliSpace, which walks you step by step through the issues.

What is an EU?

An EU is a written agreement by an organisation which is enforceable in the Federal Court, promising the PC that it will do certain things.

As explained on the Office of the Australian Information Commissioner (OAIC) website, an EU is an enforcement tool for use in situations where there has been or appears to have been an interference with the privacy of an individual and where the PC considers an agreed change to future behaviour offers the most appropriate regulatory outcome. It is an alternative to civil penalties.
Generally, the terms of an EU include promises by an organisation to:
  • modify its acts, practices, procedures or behaviour to ensure it complies with the law (for example, ceasing the practice that led to the breach or implementing new policies for handling personal information);
  • remedy the damage any breach has caused (for example making an apology or making a payment to an individual or individuals to rectify damage); or
  • commit to certain future compliance measures (for example regular reviews and audits, training for managers and staff and implementing a compliance monitoring and reporting framework).

Optus's breaches of the Privacy Act

Optus holds personal information provided to it by its customers, including their names, addresses and phone numbers. Like all organisations governed by the Privacy Act, Optus is required under the APPs to take reasonable steps to protect the personal information it holds (APP 11 - see our previous article).

In April 2014 Optus became aware of three privacy incidents where in each case, more than 100,000 of its customers were affected. The incidents were:

  1. White Pages incident - due to a coding error, the names, addresses and mobile numbers of more than 122,000 customers were published in the White Pages online without the consent of those customers. Silent line numbers were also published. Optus became aware of the issue after a customer complaint.
  2. Modem incident - Optus changed its network and left the management ports of Netgear and Cisco modems open, and also issued modems to customers with factory default settings in place, including usernames and passwords. These issues meant that customers who did not change the default passwords were left vulnerable, potentially allowing a person to make and charge calls as though they were the Optus customer. Optus became aware of the issue after media reports.
  3. Voicemail incident - a flaw in Optus's security processes led to customer voicemail accounts being unprotected, making them vulnerable to unauthorised third party access and manipulation of their accounts. Optus was made aware of the issue by a third party.

All three incidents revealed that Optus did not have reasonable steps in place to safeguard the personal information it held, as required by APP 11. The fact that in each case Optus failed to detect the incident itself meant that Optus was delayed in taking action to contain each incident, which prolonged the duration of the privacy security risk to affected individuals.

What Optus must do

As part of the EU, Optus agreed that it will take steps to improve its handling of personal information, including:

  • appointing an independent auditor to conduct reviews and certifications of:
    • the additional security measures Optus adopted after the incidents; and
    • Optus's vulnerability detection processes across the organisation;
  • giving the PC a project plan to implement any recommendations made by the auditor following its reviews (which will be recorded in a report given to the PC); and
  • providing the PC with all documents and information requested by the OAIC for the purpose of assessing its compliance with the terms of the EU.

Lessons for schools

The measures Optus is required to take under the EU will require money and internal resources - two assets no organisation likes to waste. In this case the cooperation of Optus ultimately led to an EU instead of a financial penalty. Other cases have turned out differently - see our article School's privacy breach costs $7,500.

Schools should be proactive in ensuring that their internal policies and procedures are reasonable, in compliance with APP 11, to protect the personal information they hold.

This also means reviewing school software and computer systems to ensure they are not exposed to vulnerabilities such as the 'Shellshock' security flaw which was exposed in 2014.

The Optus EU, being the first one entered into by the PC, should be seen as a warning and an opportunity to learn how to improve privacy law compliance.

Over the coming weeks we will dig deeper into privacy laws in practice and provide commentary on what practical steps schools should be taking to ensure compliance.

Finally, CompliSpace will be hosting a live webinar, 'Privacy in Practice: One Year On', which will provide a forum for you to ask any privacy related questions you may have. For more information and to reserve your webinar seat, click here.

About the Author

Xenia Hammon

Xenia is currently a senior content consultant at Ideagen. She also practised as a commercial lawyer, both in private practice at a large, national law firm and in-house at an ASX-listed company.
