The Privacy Commissioner has handed down a report which has
important implications for any business that stores personal
information, particularly where shared logins are used to access
data, and provides some guidance on what is required in order to
meet the obligations under National Privacy Principle
Call records and billing information compromised
The Australian Privacy Commissioner has issued his report into
the alleged breaches of privacy by Vodafone Hutchison Australia Pty
Ltd (VHA) that arose after complaints were made
that customer call records and billing information had been
compromised. The Commissioner has found that at the time of the
incident, VHA did not have "an adequate level of security in
place to protect the personal information it held in its...
However, the incident was not a breach of the principle that an
organisation must only use or disclose personal information for the
primary purpose for which it was collected, unless an exception
applies (NPP 2.1).
Implications for business
The report makes it clear that the question of whether the steps
taken to protect personal information are reasonable in the
circumstances is a subjective test based on particular risks within
the particular business concerned. There is no universal standard
that applies to all businesses holding personal information. This
means that every business must make its own risk assessment,
identifying the particular risks within the business and then
implementing appropriate security measures in view of those risks.
Shared login identification
However, the report also notes that the use of shared login
identification rather than individual login identification
(for example, allocation of a single login to a
particular store) added to the underlying data security risk. This
increased the risk that anomalies may not be detected. Even
if an anomaly is detected, the issue may not be able to be
investigated fully if there are shared logins, as the actions are
not linked to an individual authorised user. Shared logins also
reduce the ability of audit trails to assist in investigations and
access control monitoring. These are important controls in
any organisation for protecting personal information in compliance
with the principle.
Speedy response to breach allegations
The report also acknowledges the importance of a speedy response
by any organisation that is faced with an allegation of a privacy
breach, noting that this is a key factor for mitigating damage. The
report accepts that VHA acted immediately to restrict access to
personal information, reviewed its data security practices and
launched an internal investigation.
VHA's response to the issue was immediate and was "a
Do you collect and store personal information?
If your business collects and stores personal information, this
report is a timely reminder to review the particular risks
associated with that storage and to ensure that your processes
adequately manage those risks. If you allow access to personal data
by means of any form of shared login, we strongly recommend that
you review that process immediately.
Swaab Attorneys was the highest ranking law firm and the
13th best place to work in Australia in the 2010 Business Review
Weekly Best Places to Work Awards. The firm was a finalist in the
2010 BRW Client Choice Awards for client service and was named the
winner in the 2009 Australasian Legal Business Employer of Choice
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.