24 May 2002

"From the evidence available, it appears that the activities of an ex-employee of Transurban resulted in the disclosure of customer information to people outside of the organisation," said Privacy Commissioner, Malcolm Crompton.

"As a result of the disclosure, the Office of the Privacy Commissioner conducted a review of Transurban's information handling practices. The review process found that Transurban needed to address certain areas to reduce the overall risk of further privacy breaches.

"It is important to note that addressing the privacy risks identified would not necessarily prevent a breach such as the one that occurred in this particular case, as the ex-employee had broad access rights to Transurban's databases," said Mr Crompton.

"Therefore, while I am of the view that this incident represents a significant privacy breach, I am satisfied that the policies and procedures Transurban had in place at the time were reasonable and given the particular circumstances surrounding this case it would have been difficult for Transurban to prevent such an unauthorised access and disclosure. Steps identified in the risk assessment should significantly reduce the risk of a further incident.

"I would also like to commend Transurban on its promptness and decisiveness, particularly in issuing a press release on 8 February 2002 and publishing in the Melbourne press an open letter to customers on 9 February 2002 in which Transurban apologised for the incident and set out the response it would be making in relation to the privacy breach. I do not propose to pursue the incident involving the ex-employee further as this is now a matter that is in the hands of the courts," he said.