Telstra retail staff are continuing to access commercially sensitive data on wholesale customers, breaching the telco's structural separation undertaking (SSU) for the third year in a row.
The ACCC accepted the telco's SSU in early 2012. The document outlines how Telstra will migrate its fixed-line voice and broadband customers to the NBN.
Under the SSU, Telstra is required to safeguard commercially-sensitive wholesale information from its retail business units.
But in its third report on Telstra's compliance with the SSU, made public today [pdf], the competition watchdog revealed the telco's retail staff were continuing to have access to sensitive wholesale data.
While Telstra had demonstrated a commitment to increasing its level of compliance with the SSU, the ACCC said, the most common issue over the last year remained Telstra’s failure to prevent unauthorised disclosure of sensitive data it receives from wholesale customers while supplying regulated services.
The ACCC said Telstra retail staff are able to access up to 30 shared IT systems containing wholesale customer data.
"Protected information was also disclosed to retail business unit staff by other Telstra employees on a small number of occasions, either through inadvertently sending the information to the recipient in error or not appreciating that the disclosure was not permitted under the SSU," the ACCC reported.
Telstra started a remediation process to ensure its IT systems complied with its SSU obligations last year. It said at the time the majority of its systems would properly segregate wholesale data from retail staff from 31 December 2014.
The ACCC today revealed that while Telstra had mostly met that deadline, an "additional information security issue" was identified in late 2014 which will mean more systems remediation work had to be undertaken through the first quarter.
"The ACCC considers that, when fully completed, Telstra’s IT system remediation program, as well as Telstra’s ongoing commitment to ensuring compliance with the SSU, will be capable of preventing the types of breaches that are outlined in this report from recurring," the watchdog said.
"However, the ACCC intends to test the solutions implemented by Telstra to ensure they operate correctly."
The remediations include removing wholesale customer data visibility in certain elements of a handful of systems; controls to safeguard the data; removing search functions and access to historical data; and controlling viewing and modification privileges.
Different levels of service
The competition watchdog also revealed the telco had breached its SSU by treating wholesale and retail customers differently in terms of service delivery.
Telstra's approach to testing basic telephone service faults made it more likely that wholesale faults would be closed without action than retail faults, the ACCC said.
Additionally, wholesale customers were being incorrectly advised that a service could not be supplied in respect of a small proportion of ADLS and LSS lines subject to excessive transmission loss.
"Telstra has dealt with each of these issues by way of formal rectification proposals that the ACCC accepted," the ACCC said.
"Whilst Telstra has demonstrated its commitment to improving its overall compliance with the SSU, through its remediation action and compliance programs, this report further demonstrates the benefits of achieving structural reform of the telecommunications sector in order to resolve the long-standing competition concerns arising from Telstra’s vertical integration."
It's the third year in a row Telstra has breached its obligations under the SSU.
In the ACCC's first report in 2013, it found Telstra retail staff had been cancelling wholesale service orders lodged by other internet service providers.
Last year the ACCC found that the misuse of wholesale data had continued despite efforts to limit the behaviour through system fixes.
A Telstra spokesperson said the telco had "proactively identified gaps in our systems where access to wholesale customers’ information could be better protected" and was investing to close them.
"There is no evidence to suggest Telstra staff have used wholesale customer information to gain an unfair commercial advantage."