On 27 October 2015, the Privacy Commissioner announced the
outcome of its investigation into telecommunications company
TeleChoice following a data breach discovered in April this year.
The Commissioner's office has now issued its second enforceable
undertaking; the first undertaking was issued against telco
provider Optus earlier this year.
It began with a 'newsflash'. In April a current affairs
program reported that shipping containers housing documents
belonging to TeleChoice were being stored on Victorian bushland,
apparently open and accessible to members of the public. The
personal information exposed included customer identification
documents such as copies of driver's licences and
The following day, the company made a voluntary report to the
Commissioner and provided details of their response to the
incident. Whilst the containers were locked, it was reported they
were broken into within a two-week period prior to the broadcast.
The company was not able to determine exactly whose information was
stored in the containers, only that it may have related to any
customer of TeleChoice prior to 31 March 2013 (affected
TeleChoice acknowledged that the incident constituted a breach of
Australian Privacy Principle (APP) 11, which requires an
organisation to take reasonable steps to protect personal
information from misuse, interference and unauthorised access and
disclosure. It further requires an organisation to take reasonable
steps to destroy or de-identify information when it is no longer
Presumably, TeleChoice no longer required at least some of the
information for the purposes for which it was collected, but was
perhaps waiting for a particular date before actioning its
destruction. To the company that date may not have been arbitrary,
but the APPs require destruction as soon as the information is no
longer required. This is an important reminder to other
organisations, which should ask themselves: in the unfortunate
event of a privacy breach, should the organisation actually still
hold the information that could be exposed?
Further, it is worth considering whether it is appropriate to
retain certain identification information beyond the initial
verification of a customer's identity. Ideally, companies should
have a way to sight this information only, without having to store
it afterwards.
Like Optus's undertaking, the steps TeleChoice has been required
to undertake are no soft touch. Whilst the Commissioner
acknowledged the cooperation of TeleChoice, the undertakings agreed
to are comprehensive and no doubt expensive to implement. In
summary, TeleChoice is required to:
contact affected individuals to inform them of its offer to
reimburse the cost of a 12-month credit monitoring service for
affected persons;
conduct a review of the personal information it holds;
establish written policies and procedures for destruction of
engage a third party to review aspects of its handling of
personal information and implement any recommendations;
develop and conduct privacy training for its staff to be
completed within six months of the undertaking and upon induction
of new staff and at least annually for existing staff; and
finalise and develop a data response plan.
Again, there is great insight here for all organisations subject
to the APPs, especially regarding the frequency of training and
the expectation that companies develop a data response plan.
Whilst not all privacy breaches can be avoided, it is best to
ensure that your company is as well prepared as possible.
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader's
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named