Tim Lohman reports:
The Privacy Commissioner’s report into the alleged privacy breach of some four million Vodafone customers’ billing and call records has found failings on the telco’s behalf.
The report noted two key areas of the National Privacy Principles, NPP 2.1 and NPP 4.1, which applied to the incident.
NPP 2.1 states that organisations must only use or disclose personal information for the primary purpose for which it was collected, unless an exception under NPP 2.1 or otherwise applies.
NPP 4.1 states that an organisation collecting and holding personal information must take reasonable steps to protect that information from misuse and loss, and from unauthorised access, modification or disclosure.
“While the information available to the Privacy Commissioner showed that the reported incident was not a disclosure in breach of NPP 2.1, he considers that, at the time of the incident, Vodafone did not have an adequate level of security in place to protect the personal information it held in its Siebel system,” the report reads.
“For that reason, Vodafone did not meet its NPP 4.1 obligations.”
Read more on Computerworld Australia.