Privacy Commissioner finds privacy breach by Vodafone
In brief – Vodafone in breach of NPP 4.1
The Privacy Commissioner has handed down a report which has important implications for any business that stores personal information, particularly where shared logins are used to access data, and provides some guidance on what is required in order to meet the obligations under National Privacy Principle (NPP) 4.1.
Call records and billing information compromised
The Australian Privacy Commissioner has issued his report into the alleged breaches of privacy by Vodafone Hutchison Australia Pty Ltd (VHA) that arose after complaints were made that customer call records and billing information had been compromised. The Commissioner has found that at the time of the incident, VHA did not have “an adequate level of security in place to protect the personal information it held in its… system”.
However, the incident was not a breach of the principle that an organisation must only use or disclose personal information for the primary purpose for which it was collected, unless an exception applies (NPP 2.1).
Implications for business
The report makes it clear that the question of whether the steps taken to protect personal information are reasonable in the circumstances is a subjective test based on particular risks within the particular business concerned. There is no universal standard that applies to all businesses holding personal information. This means that every business must make its own risk assessment, identifying the particular risks within the business and then implement appropriate security measures in view of those risks.
Shared login identification
However, the report also notes that the use of shared login identification rather than individual login identification – for example, allocation of a single login to a particular store — added to the underlying data security risk. This increased the risk that anomalies may not be detected. Even if an anomaly is detected, the issue may not be able to be investigated fully if there are shared logins, as the actions are not linked to an individual authorised user. Shared logins also reduce the ability of audit trails to assist in investigations and access control monitoring. These are important controls in any organisation for protecting personal information in compliance with the principle.
Speedy response to breach allegations
The report also acknowledges the importance of a speedy response by any organisation that is faced with an allegation of a privacy breach, noting that this is a key factor for mitigating damage. The report accepts that VHA acted immediately to restrict access to personal information, reviewed its data security practices and launched an internal investigation.
VHA’s response to the issue was immediate and was “a positive step”.
Do you collect and store personal information?
If your business collects and stores personal information, this report is a timely reminder to review the particular risks associated with that storage and to ensure that your processes adequately manage those risks. If you allow access to personal data by means of any form of shared login, we strongly recommend that you review that process immediately.
If you would like to know more, or have any questions about your privacy compliance, please contact Swaab Attorneys.
Authored by M Hall.