Summary of OAIC assessment of telecommunication organisations’ information security practices when disclosing personal information under the Telecommunications (Interception and Access) Act 1979
In 2016-17, the Office of the Australian Information Commissioner (OAIC) assessed the information security practices of four telecommunications organisations when disclosing personal information under the Telecommunications (Interception and Access) Act 1979 (TIA Act).
Under sections 178, 179, 180(2), 180(3), 180A and 180B of the TIA Act, telecommunications organisations are obliged to disclose information to law enforcement agencies (LEAs) in certain circumstances. The practices implemented to comply with this legislation must be compliant with Australian Privacy Principle (APP) 11 of the Privacy Act 1988 (Privacy Act).
These assessments followed on from previous inspections, Summary of OAIC’s inspection of telecommunications organisations’ records of disclosure under the Telecommunications Act. Those inspections focussed on compliance by four telecommunication organisations with record-keeping requirements in ss 306 and 306A of the Telecommunications Act 1997.
Telstra Corporation Ltd (Telstra), Vodafone Hutchison Australia Pty Ltd (Vodafone), Singtel Optus Pty Ltd (Optus), and iiNet Limited (as a subsidiary of TPG Telecom Limited) (iiNet) were assessed.
These assessments considered the reasonableness of the security arrangements, when handling personal information in answering requests from LEAs, against the obligations of APP 11. The assessment was risk based, and focussed on identifying privacy risks to the secure handling of personal information. It involved review of documentation that set out the relevant policies and practices of these telecommunications organisations, site visits and interviews with key staff within the telecommunications organisations.
The assessors found that in general, the information security practices of these telecommunications organisations aligned with the obligations of APP 11. The key findings are summarised below.
Telstra had a strong privacy culture, supported by comprehensive privacy governance practices, appropriate ICT access and security control and an effective risk management regime. The OAIC did not identify any medium or high privacy risks in Telstra’s information security practices when disclosing personal information under the TIA Act, and offered a number of best practice suggestions to support these practices.
Vodafone had a positive privacy culture, with adequate physical security measures to protect personal information when responding to LEA requests. Vodafone also had appropriate processes for de-identification or destruction of personal information, responding to data breaches and management of third party providers. The OAIC made one recommendation to improve Vodafone’s database security and to further mitigate trusted insider threats and external extraction risks.
Optus staff had a sound understanding of the information security practices, which were supported by appropriate physical security, ICT and access controls. The OAIC made five recommendations to improve Optus’ practices and procedures. These recommendations were for Optus to:
- engage its Australian-based senior management in privacy issues relating to handling of LEA requests
- develop a risk management plan for handling LEA requests under the TIA Act
- document all policies and practices for handling LEA requests under the TIA Act
- further enhance the monitoring of its IT systems
- review the arrangements for remote access to its systems.
iiNet had a positive privacy culture, with comprehensive process documents and an electronic document management system to assist staff with their operations. The OAIC noted that iiNet, as a retailer of telephony services, does not own or control telecommunications infrastructure, and therefore does not handle certain requests under the TIA Act. The OAIC made four recommendations to improve iiNet’s practices. These recommendations were for iiNet to:
- update its information management policies to formalise what is already understood by staff
- improve the security of communication with LEAs
- review and strengthen access controls
- document the appointment and roles of an internal security group.
The OAIC provided each telecommunications organisation with an individualised report. Each telecommunications organisation agreed to or noted the OAIC’s recommendations (where made) and indicated they would implement them or had started to implement them.
The OAIC will follow up with Vodafone, Optus and iiNet on the implementation of the above-mentioned recommendations in the 2018/19 financial year.
Background — legislative obligations relating to the security of personal information
In addition to the specific legislative requirements discussed in the introduction, the telecommunications organisations were assessed against APP 11 in the Privacy Act. Schedule 1 of the Privacy Act describes APP 11 and the privacy obligations regarding the security of personal information as follows:
Australian Privacy Principle 11 — security of personal information
11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
11.2 If:
(a) an APP entity holds personal information about an individual; and
(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
(c) the information is not contained in a Commonwealth record; and
(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.