ACMA takes action against SpinTel for privacy breach of silent line customers
November 8, 2015
The Australian Communications and Media Authority (“ACMA”) has taken action against SpinTel Pty Ltd (“SpinTel”) for breaches of the Telecommunications Act 1997 (“the Act”).
FACTS
SpinTel is a carriage service provider (a “CSP”), within the meaning of the Act, which supplies fixed line, broadband, and mobile telecommunications services across Australia [3]. It is a ‘Data Provider’ within the meaning of clause 2.2 of the IPND Code and a ‘Supplier’ within the meaning of clause 2.1 of the TCP Code [4]. The Integrated Public Number Database (“the IPND”) is an industry-wide database of all listed and unlisted public telephone numbers.
Clause 4.1 of the IPND Code provides that each CSP must provide its Customers with the choice of either a Listed Entry or an Unlisted Entry [6]. Under Section 276 of the Act it is an offence for a CSP to disclose, with a few exceptions, the affairs or personal particulars (including an unlisted telephone number) of another person, where this information comes into the CSP’s possession in connection with its business as a CSP.
Between 9 January 2014 and 3 February 2015, 426 geographic unlisted telephone numbers, all held by individual residential customers [12], were classified as listed at various times. The bulk of the 426 customer records were affected from 9 January 2014, when SpinTel reloaded all of its existing customer records to the IPND Manager, but the error also affected the uploads for new services. The error occurred because IT system changes introduced to its IPND data export system inadvertently caused all existing and new entries to be classified in the IPND as listed, irrespective of whether the customer had requested that the number not be so listed [9]. The problem was not fixed until 3 February 2015 [10]. All of the SpinTel customers had their details published online by 4 public number directory publishers (“PNDPs”) for various periods between 9 January 2014 and 3 February 2015 [17]. Hard copies of the data were accessed in Ballarat, Horsham, Shepparton, Newcastle, Wagga Wagga, Bathurst, Coffs Harbour, Maitland, Southern Highlands, Wollongong, Gosford, Toowoomba, Gold Coast, Caboolture, Bundaberg and the Sunshine Coast [18]. The unlisted number, name and locality of the complainant to the ACMA were published in the Wollongong 2014/15 Local Phone Directory [19].
DECISION
Subsection 101(1) of the Act requires that CSPs comply with the service provider rules, and subsection 98(1) provides that the service provider rules include the rules set out in Schedule 2 to the Act. Under clause 10 of Schedule 2 the service providers should give the IPND Manager such information as the IPND Manager reasonably requires to fulfil its obligation to provide and maintain an IPND [20]. Subclause 10(5) of the Telstra Licence Conditions requires that the IPND identify if a telephone number is an unlisted number. As such, the IPND Manager requires information to enable it to indicate on the IPND whether a telephone number is an unlisted number. Clause 5.15 of the IPND Code provides that Data Providers must identify, in relation to each telephone number submitted to the IPND, whether the public number is to be a listed or unlisted entry. Clause 5.12 of the IPND Code explicitly states that the Data Provider must ensure that the information provided to the IPND Manager is accurate, complete, and up to date. The offence provisions in Part 13 of the Act (in particular, section 276 of the Act) also underscore the need to ensure that unlisted telephone numbers are treated confidentially and remain unpublished [22].
The ACMA was satisfied that the IPND Manager requires correct information about whether a telephone number is listed or unlisted in order to fulfil its obligations as IPND Manager. By uploading information that incorrectly indicated that some unlisted telephone numbers were listed, SpinTel did not give the IPND Manager the information it reasonably required to fulfil its obligation to maintain the IPND [23]. ACMA found that SpinTel contravened clause 10 of Schedule 2 to the Act in relation to the 426 wrongly classified customer records which appeared in the IPND at various periods between 9 January 2014 and 3 February 2015. As a result of the incorrect data it uploaded, SpinTel contravened subsection 101(1) of the Act, as it failed to comply with the service provider rule in clause 10 of Schedule 2 [24].
IPND Code
SpinTel incorrectly classified a total of 426 unlisted telephone numbers as listed entries at various times in its uploads to the IPND Manager between 9 January 2014 and 3 February 2015. SpinTel has advised that the errors occurred due to a coding error made by an IT developer (a third party contractor) which resulted in incorrect listing information being uploaded to the IPND. It was SpinTel’s responsibility to ensure that the information provided to the IPND Manager was accurate, complete, and up to date [27]. ACMA found that SpinTel contravened clause 5.12 of the IPND Code in relation to the uploads as it failed to ensure the accuracy of the information provided to the IPND Manager [28].
TCP Code
The TCP Code is an industry code registered under Part 6 of the Act which applies to CSPs in relation to residential and small business customers. The complainant is a residential customer within the meaning of clause 2.1 of the Code. The ACMA also noted that SpinTel has confirmed that all other numbers affected are the telephone numbers of residential customers [29].
Clause 4.6.3 of the TCP Code requires a CSP to ensure that a customer’s personal information is protected from unauthorised use or disclosure and dealt with by the provider in compliance with all applicable privacy laws [30].
As a direct result of SpinTel incorrectly classifying unlisted numbers in the IPND as listed, SpinTel caused those unlisted numbers and associated name and address details to be disclosed to PNDPs, and consequently to be published in PNDs. The personal information of 426 affected customers, who had requested that these details not be published, was not protected from unauthorised use (for the purpose of publishing a PND) or from unauthorised disclosure (in the published PND) for various periods between 9 January 2014 and 3 February 2015 [31]. All of the numbers that were incorrectly uploaded to the IPND as ‘listed’ were the geographic numbers of individual residential customers.
ACMA found that SpinTel contravened clause 4.6.3 of the TCP Code in relation to the unlisted numbers of the 426 affected residential customers, including the complainant to the ACMA.
FINDINGS
ACMA’s findings are that SpinTel Pty Ltd ACN 082 087 689 (SpinTel) has:
- contravened subsection 101(1) of the Telecommunications Act 1997 (the Act), which requires a carriage service provider (CSP) to comply with the service provider rules that apply to it, as it failed to give Telstra Corporation Limited, in its role as the IPND Manager, the information it reasonably required to provide and maintain the Integrated Public Number Database (IPND), thereby contravening the service provider rule in clause 10 of Schedule 2 to the Act;
- contravened clause 5.12 of the Integrated Public Number Database (IPND) Industry Code (C555:2008) (the IPND Code), which requires Data Providers to ensure that the information it provides to the IPND Manager is accurate, complete and up to date; and
- contravened clause 4.6.3 of the Telecommunications Consumer Protections Code (C628:2012) (the TCP Code), which requires a Supplier to ensure that a customer’s personal information is protected from unauthorised use or disclosure.
ACMA issued directions and SpinTel entered into an enforceable undertaking under section 572B of the Act which will last for 2 years. The undertaking dealt with systems and process improvements, internal audits, system updates, reporting any future complaints, developing a training and education program, organising an independent audit within 6 months and appointing a compliance officer.
ISSUE
The terms of the enforceable undertaking are fairly standard in structure. It is quite lenient, all things considered. This is especially so given ACMA acknowledges there is an ongoing problem with telcos. The release of silent numbers into the public domain is a very serious matter. It can have very significant consequences. SpinTel blamed the breach on IT problems and claimed the breach was inadvertent, no doubt to downplay its culpability. That really doesn’t matter. There was a significant failure of systems and protections.
An equivalent breach in the United States or the United Kingdom would have attracted a far more assertive response, with the likelihood of a monetary penalty notice in the United Kingdom.
The ACMA media release provides:
An Australian Communications and Media Authority investigation has found SpinTel failed to protect the privacy of 426 silent line customers, resulting in their telephone numbers and associated name and address details being published in three Australia-wide online public number directories at various periods between 9 January 2014 and 3 February 2015.
The ACMA found that SpinTel Pty Ltd (SpinTel), by inadvertently removing the unlisted (silent) number classification from its customer records when uploading customer data to the Integrated Public Number Database (IPND), contravened:
- clause 5.12 of the IPND Industry Code (IPND Code)
- subsection 101(1) of the Telecommunications Act 1997
- clause 4.6.3 of the Telecommunications Consumer Protections Code (the TCP Code).
In addition, some of the affected customers also had their service details published in various regional hard copy directories. SpinTel notified all affected customers of the incident and offered customers the option of a new telephone number free of charge.
It is the second investigation the ACMA has conducted during the last six months about the handling of silent numbers by providers in information supplied to the IPND.
‘This is a clear reminder to industry that all telcos must honour a customer’s request for a silent number, particularly as these requests often arise from concerns over personal safety,’ said ACMA Deputy Chairman, Richard Bean.
The ACMA has now directed SpinTel to comply with the data accuracy clause of the IPND Code and accepted an enforceable undertaking offered by SpinTel.
The enforceable undertaking commits SpinTel to upgrade its data collection, engage an independent auditor to review its processes, instigate an education and training program, and comprehensively report to the ACMA. Failure to meet the enforceable undertaking exposes SpinTel to Federal Court action.
SpinTel has fully cooperated with the ACMA during the investigation and acknowledged the ACMA had reasonable grounds to make its findings.
The ACMA will closely monitor SpinTel’s compliance with the EU and direction.
In addition to the cost of dealing with the ACMA investigation and the cost of complying with the enforceable undertaking, there is the reputational damage and the poor publicity that goes with such an undertaking. That is evidenced by the articles “SpinTel in hot water with ACMA over privacy breach”, “SpinTel customers offered new phone number following privacy breach” and “SpinTel breaches privacy of 400 customers”.