The Australian Communications and Media Authority (ACMA) has found that the Southern Phone Company Limited (SPC) breached various obligations by inadvertently removing the silent number classification from its customer records when uploading customer data to the Integrated Public Number Database (IPND).

An investigation into the conduct of SPC was commenced by the ACMA following complaints from two SPC customers alleging that their unlisted telephone numbers had been published online.

The ACMA's investigation concluded that SPC had failed to protect the unlisted numbers and associated name and address details of 3,854 residential SPC customers by incorrectly classifying them as listed numbers when it submitted data uploads to the IPND manager on 18 March and 15 April 2013. SPC's incorrect classification of customer's telephone numbers directly resulted in the personal information of those persons being published in the IPND and some regional directories. The IPND, a telecommunications industry wide database, stores information about Australian phone services including the phone numbers, names and addresses of telco customers. The IPND is a critical source of information for the emergency services, emergency alert system and law enforcement and national security agencies and as such the provision and maintenance of accurate IPND data is a paramount obligation of carriage service providers under the Telecommunications Act 1997 (Cth) (Act).

Upon becoming aware of the publication, SPC notified all affected customers and offered customers a free change of number, and assisted with the ACMA investigation.

The ACMA was satisfied that SPC's conduct contravened:

  • subsection 101(1) of the Act and clause 5.12 of the Integrate d Number Database (IPND) Industry Code, by failing to ensure the information provided to the IPND manager was accurate, complete and current.
  • clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code), by failing to ensure that a customer's personal information is protected from unauthorised use or disclosure.

In response to its findings, the ACMA has issued a direction to SPC to comply with the TCP Code. In addition, SPC has given an enforceable undertaking to the ACMA to ensure that it complies with its obligations under the Act.

SPC's commitments pursuant to the undertaking include improving and updating its data collection, including how silent numbers are flagged in its system, instigating comprehensive internal and external audit of its processes, implementing comprehensive training and education programs for SPC staff in regards to collecting, storing and correcting client data and providing comprehensive reports to the ACMA.

Failure by SPC to comply with the enforceable undertaking exposes SPC to legal action in the Federal Court.

SPC is not the only telco found to have disclosed the silent numbers of its customers. In 2014, the Office of the Australian Information Commissioner (OAIC) and the ACMA found that Telstra had failed to adequately protect the personal information of its customers by allowing the information of 15,775 Telstra customers, including the information of 1,257 silent line customers, to be accessible on the internet. The information included full names, addresses and phone numbers. Optus also entered into an enforceable undertaking with the OAIC earlier this year relating to data breaches including the disclosure of approximately 122,000 silent numbers.

The ACMA notes that it had consulted with the OAIC during the SPC investigation.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.