In brief – Vodafone in breach of NPP 4.1

The Privacy Commissioner has handed down a report which has important implications for any business that stores personal information, particularly where shared logins are used to access data, and provides some guidance on what is required in order to meet the obligations under National Privacy Principle (NPP) 4.1.


Call records and billing information compromised

The Australian Privacy Commissioner has issued his report into the alleged breaches of privacy by Vodafone Hutchison Australia Pty Ltd (VHA) that arose after complaints were made that customer call records and billing information had been compromised. The Commissioner has found that at the time of the incident, VHA did not have an adequate level of security in place to protect the personal information it held in its… system”.

However, the incident was not a breach of the principle that an organisation must only use or disclose personal information for the primary purpose for which it was collected, unless an exception applies (NPP 2.1).

Implications for business

The report makes it clear that the question of whether the steps taken to protect personal information are reasonable in the circumstances is a subjective test based on particular risks within the particular business concerned. There is no universal standard that applies to all businesses holding personal information. This means that every business must make its own risk assessment, identifying the particular risks within the business and then implement appropriate security measures in view of those risks.

Shared login identification

However, the report also notes that the use of shared login identification rather than individual login identification – for example, allocation of a single login to a particular store – added to the underlying data security risk. This increased the risk that anomalies may not be detected. Even if an anomaly is detected, the issue may not be able to be investigated fully if there are shared logins, as the actions are not linked to an individual authorised user. Shared logins also reduce the ability of audit trails to assist in investigations and access control monitoring. These are important controls in any organisation for protecting personal information in compliance with the principle.

Speedy response to breach allegations

The report also acknowledges the importance of a speedy response by any organisation that is faced with an allegation of a privacy breach, noting that this is a key factor for mitigating damage. The report accepts that VHA acted immediately to restrict access to personal information, reviewed its data security practices and launched an internal investigation.

“VHA’s response to the issue was immediate and was a positive step”.

Do you collect and store personal information?

If your business collects and stores personal information, this report is a timely reminder to review the particular risks associated with that storage and to ensure that your processes adequately manage those risks. If you allow access to personal data by means of any form of shared login, we strongly recommend that you review that process immediately.

If you would like to know more, or have any questions about your privacy compliance, please contact Swaab Attorneys.

Authored by M Hall.

If you would like to republish this article, it is generally approved, but prior to doing so please contact the Marketing team at marketing@swaab.com.au. This article is not legal advice and the views and comments are of a general nature only. This article is not to be relied upon in substitution for detailed legal advice.
