Privacy rules bite

Telecommunications company Optus has entered into an enforceable undertaking with the privacy regulator after it was found to have breached tough new laws which came into effect last year.

It is the first time such an undertaking has been made under the new laws and highlights the issues that directors need to take into account when assessing their organisations' capacity to protect personal information.

The enforceable undertaking is the result of an investigation that commenced in July last year after Optus notified the privacy regulator that three breaches of privacy had occurred within its organisation.

Optus had taken steps to contain the incidents once it became aware of them, and cooperated with the regulator’s investigation.

The Australian privacy commissioner was concerned that Optus may not have taken reasonable steps to secure the personal information it held, as required by so-called privacy principle 11 (which relates to the security of personal information).

The Australian Privacy Principles came into force on 12 March last year and significantly raised the bar on how businesses and federal government agencies collect, store and handle individuals’ personal information. The privacy regulator is able to levy penalties of up to $1.7 million or impose enforceable undertakings on organisations that breach the principles.

The issues at Optus related to information contained in the White Pages directory; the settings on modems used by its customers; and the password security on voicemail information retrieved from outside the Optus network.

The undertaking requires Optus to complete certain reviews and certifications and implement any recommendations from these activities. It must also provide a report by an independent third party to the regulator certifying that the specified actions have been completed.

Full details of the incidents at Optus and the enforceable undertaking can be found here.

The Australian Institute of Company Directors has published a book, Privacy Governance: A Guide to Privacy Risk and Governance for Directors and Boards, to help directors comply with the Australian Privacy Principles. Go to our online bookstore to purchase the print or electronic version.