Telstra security exonerated in mailing list error

The Australian Privacy Commissioner has cleared Telstra’s security measures from blame following a botched mail campaign involving 60,300 incorrectly addressed letters last October.

Telstra had sent a total of 220,000 letters to customers in a mail campaign about its fixed-line phone service, containing names and telephone details – including ‘silent numbers’ – of customers.

Of the incorrectly addressed letters, 15,400 were returned to Telstra unopened. However, unintended recipients still learned customer names and the fact that they had an association with Telstra.

The telco proactively referred the incident to the Office of the Information Commissioner, which commenced an own motion investigation on 28 October, 2010.

Privacy Commissioner Timothy Pilgrim today concluded that Telstra had breached National Privacy Principle 2 (NPP 2) by disclosing customer information to unauthorised third parties.

However, he said Telstra was not in breach of NPP 4, having fulfilled its obligation to “take reasonable steps to protect the personal information of its customers”.

Pilgrim highlighted Telstra’s inclusion of privacy obligations in its outsourced mailing agreements, privacy impact assessments at the outset of mail out initiatives, and procedures to ensure staff handle data appropriately during mail campaigns.

“Our investigation has confirmed that while Telstra breached the Privacy Act when the personal information of a number of its customers was disclosed to third parties, this incident was caused by a one-off human error,” Pilgrim stated.

“It was not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act.”

The Privacy Commissioner noted that Telstra “acted immediately” to notify customers and commence a review of its data security practices on becoming aware of the mail merger problem.

Telstra immediately stopped the mail out, commenced an investigation, and identified and alerted customers to the incident, prioritising those with silent lines (pdf).