Telcos make OAIC's 2010-11 top 10 privacy complaints list -- updated

Telstra, VHA and Optus have made the Office of the Australian Information Commissioner's list of organisations with the most privacy-related complaints
  • Tim Lohman (Computerworld)
  • 01 November, 2011 10:13


Vodafone has issued a statement in response to the OAIC's 2010-11 Annual Report.

"While we are concerned about any privacy complaints, the Office of the Australian Information Commissioner (OAIC) has confirmed that no breaches were recorded against Vodafone," the statement reads.

“We take our customers’ privacy extremely seriously and of the total 17 complaints received by the OAIC this financial year, none resulted in a finding against Vodafone,” VHA general counsel, Louise Sexton, said in the statement.

"Allegations in the media earlier this year that customer information had been disclosed by Vodafone without authorisation were investigated by the Australian Privacy Commissioner and found to be untrue," the statement reads, referring to the Privacy Commissioner’s report into the alleged privacy breach of some four million Vodafone customers’ billing and call records.

Original story

Telecommunications, finance and health companies, along with government agencies, have featured prominently in the complaints received by the Office of the Australian Information Commissioner (OAIC) during the past year.

Detailing the office’s activities in its 2010-11 Annual Report, the OAIC said that finance had topped its list of industries that are most complained about (189 privacy-related complaints), followed by the Australian Government with 150 complaints. Debt collectors, credit and tenancy database companies came in third with 131 complains while the telecommunications sector came in fourth with 127 complaints.

Health service providers topped the list of industries most enquired about by phone, at 1112 privacy-related enquiries, while telecommunications companies came in sixth at 527 enquiries.

Detailing the most complained about organisations during the year, the report said credit history company, Veda Advantage Information Services and Solutions, topped the list at 77 complaints, followed by Telstra with 54 and the Child Support Agency with 34.

The Commonwealth Bank received 25 complaints, followed by Singtel Optus with 22 and Vodafone Hutchison Australia with 17. Despite a number of privacy-related concerns during the year, Facebook formed the basis of just 12 complaints.

Detailing the issues which dominated own motion investigations (OMIs) by the office during the past year, the report said that of a total of 99 OMIs, 37 were for data security issues, 17 for improper use or disclosure and eight for unnecessary data collection.

“Overwhelmingly, the main compliance issues that arose related to data security and improper use and disclosure of personal information,” the report reads.

“It is often the case that these issues go hand in hand. That is, if organisations and agencies fail to have the appropriate data security measures in place, this deficiency can result in personal information being improperly used or disclosed.”

Specific allegations raised in OMIs included personal information of customers being accessible on the Interne, such as in the case of alleged privacy breaches at Vodafone Hutchison Australia, and system vulnerabilities resulting hacking incident, which in turn led to information about customers being stolen.

Commenting on data breach notifications (DBNs) the office said it received 56 voluntary DBNs during the year, representing an increase of 24 per cent over the previous year.

Specific incidents prompting the voluntary DBNs included emails containing personal information being sent to a public address, system errors allowing customers to access other customers’ accounts and computers containing customer records being stolen.

Earlier this year, the UNSW Cyberspace Law and Policy Centre called on the Federal Government to expand the OAIC’s powers to better protect personal information and privacy online.

“Providing safe guards for Australian Internet users, particularly about the enforceability of decisions and the power to impose fines on ISPs and others where there are unwarranted and unauthorised breaches of an Internet users’ privacy, without that and a number of other protections, even a revised version of the bill would not be suitable,” the centre’s executive director, David Vaille told a Joint Select Committee on Cybersafety in August.

In May, the Australian Information Commissioner, John McMillan, launched the government's eight principles on open public sector information. The principles — which have been developed by the OAIC through a process of public consultation — recognise government information as a national resource that should be published for community access and use.

In September, the Privacy Commissioner, as part of the OAIC, said Sony Computer Entertainment Australia should have acted more quickly to notify customers of the data breach from the hacking of the PlayStation Network and Qriocity platforms in April.

In its report into the hacking and possible breach of the Privacy Act, the office said that while the Privacy Commissioner found — albeit based on information provided by SCE Australia — 'reasonable steps' were taken to protect personal information at the time, the elapsed time between SCE Europe becoming aware of the incident and notifying consumers and the OAIC was too long.

In November last year, the OAIC warned that new in the Federal Government’s proposed Telecommunications Interception and Intelligence Services Legislation Amendment Bill 2010.

In October last year, the Privacy Commissioner told a Senate inquiry that any talks about a data retention regime from organisations or government needed to be consistent and accountable to stakeholders.

Follow Tim Lohman on Twitter: @Tlohman Follow Computerworld Australia on Twitter: @ComputerworldAU