A determination issued by the Australian Privacy Commissioner Carly Kind found Optus interfered with the privacy of individuals whose personal information was listed in the White Pages contrary to an expressed preference or request for an unlisted number.
The publication of this determination brings to an end a long-running investigation, which was first announced in August 2021.
The Privacy Commissioner found that Optus failed to take such steps as were reasonable in the circumstances to protect customers’ personal information from unauthorised disclosure between 1 October 2015 and 27 September 2019, representing a breach of Australian Privacy Principle (APP) 11.1.
The detailed investigation found that Optus had asked porting (or transferring) customers specifically whether they wanted an unlisted or listed number, leading them to expect that Optus would take steps to implement the request.
However, during the relevant period Optus did not take steps to unlist the relevant numbers. The outcome was that 41,728 porting customers who had indicated an unlist preference remained published in the White Pages, exposing them to potential harm, particularly those in vulnerable circumstances.
The determination’s findings include that:
- Optus held the Customer Directory Details of its customers on its system and on the disclosing third party’s system.
- Optus retained control over the Customer Directory Details on both systems as it had the ability to change or unlist those details subject to an instruction from the customers.
- Optus was aware, throughout the entire period, of the risk that customers who had requested an unlisted number may still be published in the White Pages in error.
- Optus was aware that those errors affected a not insignificant number of its customers.
- The steps taken to mitigate risk were not commensurate with the ongoing risk, given Optus’ size, resources and business sophistication.
The determination noted that Optus could have taken steps to mitigate or eliminate the risk of unauthorised disclosure, but did not.
These steps include promoting a culture of privacy awareness, performing periodic system reconciliations or alignments, and putting in place processes for porting customers that ensure Customer Directory Details are accurate, current and complete, with any unlist request being promptly implemented.
Privacy Commissioner Carly Kind said, “APP entities must value stewardship and privacy responsibilities, and the complex reality of implementing uplifts to legacy systems should not prevent an APP entity from implementing them as a priority.”
“Although it is some time since the matter happened, this determination provides further guidance on the application of APP 11.1 to the conduct of highly sophisticated regulated entities.”
The Privacy Commissioner intends to apply the findings in the determination to the representative complaint about the same conduct, and will consider reasonable and proportionate compensation for affected class members in any determination with respect to the representative complaint in due course.
Individuals notified by Optus of this incident in October 2019 who wish to participate in the 2019 Optus Data Breach representative complaint should go to the Maurice Blackburn website via the following link to register: 2019 Optus Data Breach Representative Complaint