On 27 October 2015, the Privacy Commissioner announced the outcome of the investigation into telecommunications company TeleChoice following a data breach discovered in April this year. This is the second enforceable undertaking issued by the Commissioner's office, the first having been accepted from telco provider Optus earlier this year (see our earlier article on the Optus undertaking).

Background

It began with a 'newsflash'. In April a current affairs program reported that shipping containers housing documents belonging to TeleChoice were being stored on Victorian bushland, apparently open and accessible to members of the public. The personal information exposed included customer identification documents such as copies of driver's licences and passports.

The following day, the company made a voluntary report to the Commissioner and provided details of its response to the incident. Whilst the containers were locked, it was reported that they had been broken into during the two-week period prior to the broadcast. The company was not able to determine exactly whose information was stored in the containers, only that it may have related to any customer of TeleChoice prior to 31 March 2013 (affected persons).

Breach

TeleChoice acknowledged that the incident constituted a breach of Australian Privacy Principle (APP) 11, which requires an organisation to take reasonable steps to protect the personal information it holds from misuse, interference, loss and unauthorised access, modification or disclosure. It further requires an organisation to take reasonable steps to destroy or de-identify personal information when it is no longer required.

Presumably, TeleChoice no longer required at least some of the information for the purposes for which it had been collected, but was perhaps awaiting a certain date before actioning its destruction. To the company that date may not have seemed arbitrary, but the APPs require destruction as soon as the information is no longer required. This is an important reminder to other organisations, which should ask themselves, in the unfortunate event of a privacy breach, whether they should actually still have held the information that could potentially be exposed.

Further, it is worth considering the appropriateness of retaining identification documents beyond the initial verification of a customer's identity. Ideally, companies should have a way to sight this information at the point of verification without subsequently having to store it.

Undertaking

Like Optus' undertaking, the steps TeleChoice has been required to undertake are no soft touch. Whilst the Commissioner acknowledged the cooperation of TeleChoice, the undertakings agreed to are comprehensive and no doubt expensive to implement. In summary, TeleChoice is required to:

  • contact affected individuals by providing information on its website;
  • offer to reimburse the cost of a 12-month credit monitoring service for affected persons;
  • conduct a review of the personal information it holds;
  • establish written policies and procedures for destruction of personal information;
  • engage a third party to review aspects of its handling of personal information and implement any recommendations;
  • develop and conduct privacy training for its staff to be completed within six months of the undertaking and upon induction of new staff and at least annually for existing staff; and
  • develop and finalise a data breach response plan.

Again, there is valuable guidance here for all organisations subject to the APPs, especially regarding the frequency of privacy training and the expectation that companies develop a data breach response plan. Whilst not all privacy breaches can be avoided, it is best to ensure that your company is as well prepared as possible.
