The Australian Privacy Commissioner (the Commissioner) has accepted an enforceable undertaking from Optus, following three significant privacy incidents where the security of personal information held by Optus was compromised. This is the first enforceable undertaking made under the reforms to the Privacy Act 1988 which came into effect on 12 March 2014.
The Commissioner, Timothy Pilgrim, accepted the undertaking offered by Optus that it would complete a wide-ranging independent review of its information security systems and implement any recommendations.
The enforceable undertaking finalises an investigation that the Commissioner commenced in July 2014 following a voluntary data breach notification by Optus of the three privacy incidents. Optus took steps to contain the incidents once it became aware of them, and cooperated with the Office of the Australian Information Commissioner (OAIC) during the OAIC’s investigation.
‘I appreciate the positive way in which Optus worked with our Office to address these incidents. I consider that the enforceable undertaking is an appropriate outcome that will ensure Optus takes steps to strengthen its privacy controls and meet its security obligations under the Privacy Act’, said Mr Pilgrim.
The Commissioner was concerned that Optus may not have taken reasonable steps to secure the personal information it held, as required by Australian Privacy Principle 11. ‘Organisations and agencies need to take reasonable steps to protect the personal information of customers. If personal information is compromised, I encourage organisations and agencies to notify affected individuals and the OAIC, where there is a real risk of serious harm to an individual. This can assist people to respond to the breach, and mitigate the potential harm’, said Mr Pilgrim.
‘Data breaches can pose a serious threat to individuals and to the reputation of organisations. For those reasons I recommend that all organisations and agencies develop a data breach response plan, as this will significantly improve their ability to respond to a breach.’
The reforms to the Privacy Act 1988 introduced a new power for the Australian Privacy Commissioner to accept an enforceable undertaking from an organisation or agency.
An enforceable undertaking is an agreement between the OAIC and an organisation or agency that creates a binding commitment to take steps to ensure privacy compliance. An enforceable undertaking can be enforced by the Commissioner in the Federal Court or Federal Circuit Court.
Background:
The enforceable undertaking is available on the OAIC’s website: http://www.oaic.gov.au/privacy/applying-privacy-law/enforceable-undertakings/singtel-optus-enforceable-undertaking
The OAIC publishes a guide to assist organisations and agencies in planning for and responding to data breach incidents: Data breach notification — A guide to handling personal information security breaches.
The OAIC publishes a guide to assist organisations and agencies in assessing their personal information security requirements under Australian Privacy Principle 11: Guide to securing personal information.