OAIC and ACMA open investigation into Optus data breach

The Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) have opened an investigation into the personal information handling practices at the Optus companies with regard to the data breach announced on September 22.

The OAIC’s investigation will focus on whether the Singtel-owned companies had taken reasonable steps to protect their customers’ personal information from “misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business”.

OAIC will also examine if the companies in question had in place practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), enabling the Optus companies to deal with inquiries or complaints.

Australian Information and Privacy Commissioner Angelene Falk said she expected the investigations by the OAIC and ACMA would be a positive example of regulatory co-operation and would lead to efficient regulatory outcomes.

“If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of one or more individuals has occurred the Commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage,” the OAIC said.

“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.”

Commissioner Falk also said the data breach highlighted “key privacy issues that corporate Australia should take heed of”.

The OAIC, which is authorised to investigate an act or practice that may be a breach under the Privacy Act 1988, said it would await the conclusion of the investigation before commenting further.

ACMA’s investigation will focus on the data breach in regard to Optus’ obligations as a telecommunications service provider, which include the firm’s obligations relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections.

ACMA will be working with both the OAIC and the Department of Home Affairs to ensure “information-sharing across the respective jurisdictional investigations”.

“When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved,” ACMA chair, Nerida O’Loughlin, said.

“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.”

“We look forward to full cooperation from Optus in this investigation.”