The $10,200 fine is hardly going to send Telstra to the poorhouse, but the announcement by the Office of the Australian Information Commissioner (OAIC) that Telstra had breached the privacy of 15,775 customers has set the stage for a greater focus on ensuring Australian companies respect the privacy of their customers' data.
In an extensive report documenting its investigation into Telstra's practices, privacy commissioner Timothy Pilgrim found that Telstra had, between February 2012 and May 2013, breached National Privacy Principles 2.1 (disclosure of personal information other than for a permitted purpose), 4.1 (failure to take reasonable steps to ensure the security of the personal information it held), and 4.2 (failure to take reasonable steps to destroy or permanently de-identify the personal information it held).
The breaches related to Telstra's publication of personal information about 15,775 customers online, including details of 1257 active silent line customers. Upon investigation, Telstra admitted that the records had been downloaded by at least 166 unique users.
The OAIC report was accompanied by a second indictment from telecoms regulator the ACMA, which found Telstra's actions had breached Clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code), which requires that the personal information of customers be protected from unauthorised use or disclosure.
"This incident is a timely reminder to all organisations that they should prioritise privacy," Pilgrim said in a statement. "All entities bound by the Privacy Act must have in place security measures to protect personal information."
The latest incident is not the first time Telstra has been caught out mishandling customer information: in December 2011, the company published the personal information of approximately 734,000 customers online. And, in October 2010, Telstra mailed out 220,000 letters with incorrect addresses.
"Telco providers are in a position of trust with respect to their customers' details," ACMA chairman Chris Chapman said, "and with it comes a weighty responsibility – a fact reflected in the outcomes mandated by the TCP Code."