11 October 2022

The Office of the Australian Information Commissioner (OAIC) today commenced an investigation into the personal information handling practices of Singtel Optus Pty Ltd, Optus Mobile Pty Ltd and Optus Internet Pty Ltd (the Optus companies) in regard to the data breach made public by Optus on Thursday, 22 September 2022.

The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.

The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.

The OAIC’s investigation will be co-ordinated with that of the Australian Communications and Media Authority (ACMA), also announced today.

Australian Information and Privacy Commissioner Angelene Falk said the co-ordination of investigations by the OAIC and ACMA was a positive example of regulatory co-operation that would lead to efficient regulatory outcomes.

If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of one or more individuals has occurred the Commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

While not commenting on the specific investigation, Commissioner Falk said the widespread attention given to the Optus data breach had highlighted key privacy issues that corporate Australia should take heed of.

“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.

“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”

In line with the OAIC’s Privacy Regulatory Action Policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Privacy Act 1988.

Preliminary inquiries will continue with the Optus companies to ensure compliance with the Notifiable Data Breaches scheme.