Australian Cyber Security Magazine

Privacy Commissioner finds Optus breached privacy in White Pages listing matter


Australia’s Privacy Commissioner Carly Kind has found Optus interfered with the privacy of tens of thousands of customers whose details were incorrectly published in the White Pages despite requests for unlisted numbers.

The Office of the Australian Information Commissioner (OAIC) said a determination issued by Kind finalises a long-running investigation first announced in August 2021. The Commissioner found Optus failed to take reasonable steps to protect customers’ personal information from unauthorised disclosure between 1 October 2015 and 27 September 2019, breaching Australian Privacy Principle (APP) 11.1.

The OAIC determination found Optus had asked porting customers whether they wanted their number listed or unlisted, creating an expectation the request would be implemented. However, during the relevant period, Optus did not take steps to unlist the affected numbers. The OAIC said 41,728 porting customers who indicated an unlisted preference remained published in the White Pages, exposing them to potential harm, “particularly those in vulnerable circumstances”.

The determination found Optus held customers’ directory details on its own systems and on a third party’s system used to disclose that information, while retaining control over the details because it could change or unlist them following customer instructions. The Commissioner also found Optus was aware throughout the period of the risk that customers requesting unlisted numbers could still be published in error, and that the errors affected a “not insignificant” number of customers.

The OAIC said the steps Optus took to mitigate the risk were not commensurate with the ongoing risk given the company’s size, resources and business sophistication, and that Optus could have taken steps to mitigate or eliminate the risk but did not. The determination cited potential measures including promoting a culture of privacy awareness, performing periodic system reconciliations or alignments, and putting in place processes to ensure directory details were accurate, current and complete, with unlisting requests promptly implemented.

Privacy Commissioner Carly Kind said, “APP entities must value stewardship and privacy responsibilities, and the complex reality of implementing uplifts to legacy systems should not prevent an APP entity from implementing them as a priority.”

“Although it is some time since the matter happened, this determination provides further guidance on the application of APP 11.1 to the conduct of highly sophisticated regulated entities.”

The OAIC said the Commissioner intends to apply the findings in the determination to a representative complaint about the same conduct, and will consider “reasonable and proportionate compensation” for affected class members in a future determination regarding that complaint.

The OAIC advised that individuals notified by Optus of the incident in October 2019 who wish to participate in the representative complaint can register via the Maurice Blackburn website.
