15 May 2014 No 'set and forget' for privacy compliance


 In Brief

Recent changes to the Privacy Act 1988 (Cth) (Privacy Act) require entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the new Australian Privacy Principles (APPs). This article looks at the Australian Privacy Commission's report on a privacy breach by Telstra and provides valuable insight into the Commissioner's expectations and the need for ongoing review and monitoring of compliance measures

Background and findings

The personal information of 15,775 Telstra customers was unlawfully disclosed when a Telstra contractor inadvertently turned off access control making the files in question accessible online from 24 February 2012 to 15 May 2013.  Google's Googlebot later indexed the files and they then became discoverable through Google search.

The Commissioner found that Telstra failed to take reasonable steps to secure personal information or to destroy personal information no longer needed, and that it unlawfully disclosed personal information.

Compliance lessons

The investigation concerned breaches of the National Privacy Principles, now replaced by the APPs, however the report still offers valuable insight into the Commissioner's expectations with regards to appropriate policies and procedures that may be required to comply with APP1, and APP 11 (security). Of particular note is the Commissioner's consideration of web configuration as well as vulnerability testing and monitoring.

Web configuration

The Commissioner found Telstra did not properly configure its website to request search bots not to index, archive or cache data on parts of the website not intended to be publicly accessible. Google indexing meant that the files became discoverable by a greater number of people. The Commissioner stated in his May 2014 report on the own motion investigation into a similar privacy breach by Multicard Pty Ltd (Pilgrim, Timothy Multicard Pty Limited: Own motion investigation report, May 2014) that this type of configuration is a 'basic element of website security'.

The lessons here are that basic security measures must be implemented and where, available, simple measures that might reduce the extent of a breach should a security measure fail should also be utilised.

Vulnerability testing and monitoring

Telstra submitted that once a security measure is implemented in a secure state there is no need for ongoing testing.  The Commissioner responded that:

"There is no 'set and forget' solution to security and privacy in the digital environment... what is secure at a particular point in time can become subject to vulnerability at a later date".

Pilgrim, Timothy, Telstra Corporation Limited: Own motion investigation report, March 2014

The Commissioner concluded that Telstra's failure to take reasonable steps to implement security monitoring resulted in the breach going undiscovered by Telstra for almost 15 months.  The take-away from this is that entities must take reasonable steps to undertake ongoing monitoring, testing and review of their security measures.


The Commissioner's report highlights the need for:

• ongoing review and monitoring of privacy practices, systems and procedures - do not 'set and forget';
• building measures into your privacy compliance framework to limit the extent of breaches (such as the web configuration measures in this case or appropriate monitoring to detect breaches, and responses to minimise their impact);
• exercising caution in relying on industry standards alone;
• care in selecting and monitoring contractors handling personal information, if necessary employing appropriate contractual controls and protections – their breach may be your breach.

The Commissioner's report is available on the Office of Australian Information Commissioner website. If you have not yet updated your privacy policy and compliance framework, or would like to know more about privacy compliance, please contact us.


If you would like to republish this article, it is generally approved, but prior to doing so please contact the Marketing team at

This article is not legal advice and the views and comments are of a general nature only. This article is not to be relied upon in substitution for detailed legal advice.

Back to publications
Association Memberships
Tristan Jepson Memorial Foundation
  • 2018 - Recommended Doyles Guide
  • 2018 - Recommended Doyles Guide
  • 2018 - Recommended Doyles Guide