Telstra Corporation Limited (Telstra): Own motion investigation report
On 28 October 2010, the Australian Privacy Commissioner commenced an own motion investigation under the Privacy Act 1988 (Cth) into an incident involving Telstra Corporation Limited (Telstra).
The investigation was opened in response to Telstra notifying the Office of the Australian Information Commissioner (the OAIC) that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.
Telstra advised that this error may have caused the ‘personal information’ (including names and telephone details) of some of its customers to be improperly disclosed, including silent line telephone numbers for some customers.
This incident raised concerns that Telstra’s practices in this instance were inconsistent with the Privacy Act.
On becoming aware of the mailing list error, Telstra acted immediately to notify customers and commence a review of its data security practices. In particular, Telstra:
- immediately stopped the mail out
- commenced an investigation to determine the cause of the incident
- identified affected customers so it could alert them to the incident.
Telstra prioritised contacting affected customers with silent lines, and attempted to contact them by phone in the first instance. Telstra then proceeded to contact all potential affected customers.
Telstra’s internal investigation revealed that the incident resulted in 60,300 incorrectly addressed letters being sent out rather than the 220,000 initially reported to the OAIC. Of the 60,300 letters verified by Telstra to have been incorrectly addressed, 15,400 were returned to the mail house unopened. That is, approximately 26% of the incorrectly addressed letters were returned to the mail house.
Once these actions had been taken, and the error which caused the incident had been identified and resolved, Telstra recommenced its mail out.
For the provisions of the Privacy Act to apply in an incident such as this one, the information used or disclosed must be ‘personal information’ as defined in the Act. The definition of personal information in section 6 of the Privacy Act provides that ‘personal information means information or an opinion….about an individual whose identity is apparent, or can reasonably be ascertained, from the information…’.
In the context of this incident, the Privacy Commissioner considers that the mail campaign letters did include the personal information of Telstra customers. The incorrectly addressed letters sent out by Telstra included the names and telephone details of individuals. In the OAIC’s view, a person’s name is ‘personal information’ and does not have to be linked with other information to fall within the definition of personal information set out in the Act.
The Privacy Act contains 10 National Privacy Principles (NPPs) that regulate the way that Australian businesses handle ‘personal information’ about individuals.
NPP 2.1 prohibits organisations from disclosing personal information for a purpose other than the primary purpose of collection, unless one of a number of exceptions applies. These exceptions include that an individual:
- reasonably expected the organisation to use or disclose the information for another purpose
- consented to that use or disclosure of their personal information.
In this case, Telstra advised the OAIC that the purpose of the mail campaign was to contact customers about its Telstra fixed-line phone service. However, due to inaccurate address information being used in mail campaign, 60,300 incorrectly addressed letters were sent out to other Telstra customers involved in the mail campaign.
While Telstra has confirmed that 15,400 of these letters were returned unopened, it remains the case that the unopened letters disclosed the name of the individual being mailed to and the fact that they had an association with Telstra.
Telstra did not provide any information that showed that any of the exceptions under NPP 2.1 applied, including that the affected customers had a reasonable expectation that their information would be sent to a third party, or that they consented to their personal information being disclosed in this way. Further, Telstra did not claim that any other exception under NPP 2.1 applied to the disclosures that occurred.
Taking into consideration all the information available to the Privacy Commissioner, in his view, this incident was a breach of NPP 2.1.
NPP 4.1 states that an organisation must take ‘reasonable steps’ to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Determining what are ‘reasonable steps’ to secure personal information will depend on the organisation’s particular circumstances.
In response to the questions raised by the OAIC, Telstra advised that it had a range of security measures in place to protect customer personal information involved in mail campaigns. These include:
- having an agreement with the mail house engaged to assist with the mail out which includes, among other things, privacy and confidentiality obligations
- conducting privacy impact assessments at the outset of mail out initiatives which use personal information
- a series of approvals before a mail out process can begin
- procedures to ensure staff handle personal information appropriately during the mail campaign process, including quality control procedures for creating mailing lists.
In this case, despite these measures being in place, an employee inadvertently used the wrong data table, which resulted in inaccurate address information being recorded on a campaign mailing list.
Following his investigation into the matter, the Privacy Commissioner concluded that:
- Telstra had breached NPP 2 by disclosing the personal information of some of its customers to unauthorised third parties
- Telstra was not in breach of NPP 4 as the Commissioner was satisfied that this incident occurred due to human error rather than any systemic failure of Telstra’s processes or procedures.
While the Privacy Commissioner found Telstra had breached NPP 2, in light of the information provided and the steps taken by Telstra, he decided to cease the OAIC’s own motion investigation on the grounds that Telstra has adequately dealt with the matter. The investigation was closed on 16 May 2011.
The Privacy Commissioner noted the positive actions taken by Telstra on becoming aware of the incident. In particular, Telstra acted promptly to prevent further breaches by:
- immediately stopping the mail out,
- notifying customers and the Privacy Commissioner in accordance with the OAIC’s Guide to handling personal information security breaches
- issuing a Media Release alerting customers to the issue
- notifying other external stakeholders, such as the Australian Communication and Media Authority and consumer groups, in order to help them manage any customer enquiries
- commencing a review of its security practices
- counselling the staff involved in the incident.
These steps helped to ensure that the breach was contained and no further unauthorised disclosures occurred. In addition, by notifying affected customers, these individuals had an opportunity to take appropriate action, if necessary, to mitigate any harm they may suffer.
However, the Privacy Commissioner also noted that if the OAIC received an individual complaint about this matter, the complaint would be considered on its own merits, and may be investigated. Consideration of any future complaint into this matter would take into account the information already gathered under this own motion investigation.
 Under s40(2) of the Privacy Act, the Commissioner may investigate an act or practice if:
- The act or practice may be an interference with the privacy of an individual, and
- The Commissioner thinks it desirable that the act or practice be investigated.
 NPP 2.1(a).
 NPP 2.1(b).
 Guide to handling personal information security breaches, August 2008, http://www.privacy.gov.au/materials/types/download/8628/6478