In brief – Vodafone in breach of NPP 4.1

The Privacy Commissioner has handed down a report which has important implications for any business that stores personal information, particularly where shared logins are used to access data, and provides some guidance on what is required in order to meet the obligations under National Privacy Principle (NPP) 4.1.

Call records and billing information compromised

The Australian Privacy Commissioner has issued his report into the alleged breaches of privacy by Vodafone Hutchison Australia Pty Ltd (VHA) that arose after complaints were made that customer call records and billing information had been compromised. The Commissioner has found that at the time of the incident, VHA did not have "an adequate level of security in place to protect the personal information it held in its... system".

However, the incident was not a breach of the principle that an organisation must only use or disclose personal information for the primary purpose for which it was collected, unless an exception applies (NPP 2.1).

Implications for business

The report makes it clear that whether the steps taken to protect personal information are reasonable in the circumstances is a context-specific test, based on the particular risks within the particular business concerned. There is no universal standard that applies to all businesses holding personal information. Every business must therefore make its own risk assessment, identifying the risks specific to that business, and then implement security measures appropriate to those risks.

Shared login identification

The report also notes that the use of shared login identification rather than individual login identification (for example, allocating a single login to a particular store) added to the underlying data security risk. A shared login makes it less likely that anomalous access will be detected, because the activity of several people is pooled under one account. Even where an anomaly is detected, it may not be possible to investigate it fully, because the recorded actions are not linked to an individual authorised user. Shared logins therefore reduce the value of audit trails for investigations and for access control monitoring, both of which are important controls in any organisation for protecting personal information in compliance with the principle.
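To make the point concrete, the following Python script is an added illustration and is not code from this article, from VHA or from the Commissioner's report. It runs the same shift of customer-record lookups through an audit log twice, once with individual accounts and once with a single shared store account, and applies a simple per-account volume check. The account names, staff names, log format and the baseline of four lookups per person per shift are assumptions made for the illustration.

```python
# Added example, not part of the original article or the Commissioner's
# report. It models why a shared login weakens anomaly detection and
# audit-trail attribution. Account names, staff names, the log format and
# the lookup baseline are assumptions made for illustration.
from collections import Counter

# Assumed directory: which authorised staff can act under each account.
# Individual accounts map to one person; the shared store login maps to
# every staff member at the store, so a record under it could be any of them.
ACCOUNT_USERS = {
    "alice": {"alice"},
    "bob": {"bob"},
    "carol": {"carol"},
    "dave": {"dave"},
    "store42": {"alice", "bob", "carol", "dave"},
}

# Assumed baseline: one staff member normally looks up at most this many
# customer records in a shift; anything above it deserves a question.
NORMAL_LOOKUPS_PER_USER = 4


def _shift_events(account_for):
    """Constructed audit records for one shift: (account, customer_id).
    Dave looks up seven customer records; everyone else looks up three."""
    events = []
    for person, n in (("alice", 3), ("bob", 3), ("carol", 3), ("dave", 7)):
        for i in range(n):
            events.append((account_for(person), f"cust-{person}-{i}"))
    return events


# Individual logins: each record carries the person's own account.
INDIVIDUAL_LOG = _shift_events(lambda person: person)
# Shared login: every record carries the store's single account.
SHARED_LOG = _shift_events(lambda person: "store42")


def lookups_per_account(log):
    """Count customer-record lookups per account in the audit log."""
    return Counter(account for account, _customer in log)


def flag_accounts(log, directory=ACCOUNT_USERS, per_user=NORMAL_LOOKUPS_PER_USER):
    """Return {account: count} for accounts whose lookups exceed what their
    authorised users could plausibly generate in a normal shift.

    The threshold scales with the number of people behind the account, so a
    shared login gets a wider budget and one person's excess blends into it.
    """
    flagged = {}
    for account, count in lookups_per_account(log).items():
        threshold = per_user * len(directory[account])
        if count > threshold:
            flagged[account] = count
    return flagged


def suspects(account, directory=ACCOUNT_USERS):
    """Authorised users who could have produced a record under this account.
    One name is attribution; a longer list means the trail stops at the account."""
    return sorted(directory[account])


if __name__ == "__main__":
    for name, log in (("individual", INDIVIDUAL_LOG), ("shared", SHARED_LOG)):
        flagged = flag_accounts(log)
        print(f"{name} logins: lookups={dict(lookups_per_account(log))} flagged={flagged}")
        for account in flagged:
            print(f"  {account}: could have been {suspects(account)}")
```

With individual logins the check flags Dave alone and the audit trail names him. With the shared store login the same seven lookups sit inside a pool of sixteen, which is within the budget for four authorised users, so nothing is flagged; and even if the store account were flagged, the only answer the audit trail can give is the full list of staff who share it.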

Speedy response to breach allegations

The report also acknowledges the importance of a speedy response by any organisation that is faced with an allegation of a privacy breach, noting that this is a key factor for mitigating damage. The report accepts that VHA acted immediately to restrict access to personal information, reviewed its data security practices and launched an internal investigation.

VHA's response to the issue was immediate and was "a positive step".

Do you collect and store personal information?

If your business collects and stores personal information, this report is a timely reminder to review the particular risks associated with that storage and to ensure that your processes adequately manage those risks. If you allow access to personal data by means of any form of shared login, we strongly recommend that you review that process immediately.

Swaab Attorneys was the highest ranking law firm and the 13th best place to work in Australia in the 2010 Business Review Weekly Best Places to Work Awards. The firm was a finalist in the 2010 BRW Client Choice Awards for client service and was named the winner in the 2009 Australasian Legal Business Employer of Choice Awards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.