OAIC finalises investigation into Telstra mailing list error

July 8, 2011 |

The Office of the Australian Information Commissioner (OAIC) yesterday released its findings into a mailing list error by Telstra  which resulted in approximately 60,300 Telstra customers’ personal information being sent to other customers.  It is found here.

Key issues

The investigation focused on National Privacy Principles 2.1 and 4.1

As to NPP 2.1 the findings were

NPP 2.1 prohibits organisations from disclosing personal information for a purpose other than the primary purpose of collection, unless one of a number of exceptions applies. These exceptions include that an individual:

  • reasonably expected the organisation to use or disclose the information for another purpose
  • consented to that use or disclosure of their personal information.


In this case, Telstra advised the OAIC that the purpose of the mail campaign was to contact customers about its Telstra fixed-line phone service. However, due to inaccurate address information being used in mail campaign, 60,300 incorrectly addressed letters were sent out to other Telstra customers involved in the mail campaign.

While Telstra has confirmed that 15,400 of these letters were returned unopened, it remains the case that the unopened letters disclosed the name of the individual being mailed to and the fact that they had an association with Telstra.

Telstra did not provide any information that showed that any of the exceptions under NPP 2.1 applied, including that the affected customers had a reasonable expectation that their information would be sent to a third party, or that they consented to their personal information being disclosed in this way. Further, Telstra did not claim that any other exception under NPP 2.1 applied to the disclosures that occurred.

Taking into consideration all the information available to the Privacy Commissioner, in his view, this incident was a breach of NPP 2.1.

As to NPP 4.1 the Commissioner provides:

NPP 4.1 states that an organisation must take ‘reasonable steps’ to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Determining what are ‘reasonable steps’ to secure personal information will depend on the organisation’s particular circumstances.

In response to the questions raised by the OAIC, Telstra advised that it had a range of security measures in place to protect customer personal information involved in mail campaigns. These include:

  • having an agreement with the mail house engaged to assist with the mail out which includes, among other things, privacy and confidentiality obligations
  • conducting privacy impact assessments at the outset of mail out initiatives which use personal information
  • a series of approvals before a mail out process can begin
  • procedures to ensure staff handle personal information appropriately during the mail campaign process, including quality control procedures for creating mailing lists.

In this case, despite these measures being in place, an employee inadvertently used the wrong data table, which resulted in inaccurate address information being recorded on a campaign mailing list.

The Privacy Commissioner found there was a breach of NPP2 but no breach of NPP 4, because the cause of the error was due to human error rather than a systemic failure.

Leave a Reply