26 September 2023

OAIC acting on Optus data breach

The Office of the Australian Information Commissioner (OAIC) is investigating the personal information handling practices of Optus following the data breach which was made public last month (22 October).

Australian Information and Privacy Commissioner Angelene Falk said the investigation would focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.

“The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), including enabling them to deal with related inquiries or complaints,” Commissioner Falk said.

“If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of one or more individuals has occurred, the Commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage,” she said.

“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.”

Commissioner Falk said the widespread attention given to the Optus data breach had highlighted key privacy issues that corporate Australia should take heed of.

“I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.

“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk.

“Only collect what is reasonably necessary.”

Commissioner Falk said the OAIC’s investigation would be co-ordinated with that of the Australian Communications and Media Authority (ACMA).
