A joint investigation into the 22 September Optus data breach has been started by the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) to look into how the telco handled customer information.
The OAIC said it will focus on whether Optus and related entities took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure. ACMA will also look into the data handling side, but with a focus on Optus’ obligations as a telecommunications service provider.
The OAIC will also determine if the information Optus collected and retained was necessary to carry out its business.
Also to be considered is whether Optus took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), including enabling it to deal with related inquiries or complaints.
If the agency finds that an interference with the privacy of one or more individuals has occurred, the OAIC will explore steps for Optus to take, such as additional safeguards the telco should adopt to ensure the breach doesn’t happen again, or measures to redress any loss or damage. If any serious or repeated privacy breaches are found, the OAIC will consider court action, where Optus may face a penalty of up to $2.2 million for each contravention.
Australian Information and Privacy Commissioner Angelene Falk said the co-ordination of investigations by the OAIC and ACMA was a positive example of regulatory co-operation that would lead to efficient regulatory outcomes. She added the widespread attention given to the Optus data breach had highlighted key privacy issues that corporate Australia should take heed of.
“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” Falk said.
“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
ACMA said apart from the OAIC, it is also working alongside the Department of Home Affairs to ensure effective information-sharing across the respective jurisdictional investigations.
“When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved,” ACMA chair Nerida O’Loughlin said.
“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.
“We look forward to full cooperation from Optus in this investigation.”
Commenting on the OAIC announcement, Optus vice president of regulatory and public affairs Andrew Sheridan said, “Optus is committed to working with governments and regulators as we respond to the impacts of the cyberattack.
“We will engage fully with the OAIC as it undertakes its inquiry.”