Topic(s): Technologies | Telecommunications
 

Own Motion Investigation v Telecommunications Company [2010] PrivCmrA 16



Case Citation:

Own Motion Investigation v Telecommunications Company [2010] PrivCmrA 16

Subject Heading:

Security of personal information

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth).

The following case was decided by the Privacy Commissioner prior to 1 November 2010. On 1 November 2010 all the powers of the Privacy Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.

Facts:

A telecommunications company allowed individuals to access their mobile phone account information by calling a 1800 number, following the voice prompts and keying in the relevant mobile phone number. 

The account information available to the caller was the credit balance and transaction details of the last payment. 

Issues:

National Privacy Principle 4.1 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification and disclosure.

Outcome:

The Commissioner commenced an own motion investigation under section 40(2) of the Privacy Act. 

The Commissioner took the view that a mobile phone was a personal communication device. That is, whilst a landline is synonymous with a household or place of business, a mobile number is usually synonymous with an individual. 

Individuals freely provide their mobile phone number to other people and organisations for a vast range of personal and professional reasons. Therefore, a mobile phone number is easily accessible by many parties.

The Commissioner formed the view that the telecommunications company was not adequately protecting account holders' personal information from unauthorised access as required under NPP 4.1. This is because anyone who knew an individual's mobile phone number and mobile carrier could call the 1800 number and access the individual's account balance without their authority. 

In response to the Commissioner's view, the telecommunications company proposed various changes. In particular, the telecommunications company's system would now only authenticate and process the incoming call when the calling number was the number of the account.

This meant that a caller dialling from another phone number could no longer access the account information without satisfying other criteria. Customers could register other phone numbers from which they could call. Customers could also ask the telecommunications company to place additional security measures on their account, including the requirement for a date of birth and/or a PIN to be keyed in.

The Commissioner was satisfied that the changes the telecommunications company was implementing would enable it to meet its obligations under NPP 4.1.  The Commissioner therefore ceased the own motion investigation into the matter.

Office of the Australian Information Commissioner
December 2010