ACMA fines Telstra $300,000 for privacy failures and customer safety breaches
December 4, 2023
Optus may have had an annus horribilis as far as data breaches go, but Telstra has had anything but a good record in terms of protecting privacy. The latest iteration is Telstra being fined by ACMA for privacy and safety breaches. ACMA has also issued an infringement notice, and Telstra has entered into an enforceable undertaking. This fine is on top of a $2.5 million fine in 2021 for breach of IPND rules.
Telstra’s media release provides:
Telstra has paid a $306,360 infringement notice issued by the Australian Communications and Media Authority (ACMA) for failing to provide accurate details of thousands of customers to the Integrated Public Number Database (IPND).
The IPND is used by Triple Zero to help locate people in an emergency, for the Emergency Alert Service to warn Australians of emergencies like flood or bushfire, and to assist law enforcement activities.
In 2021, an ACMA investigation found systemic issues with Telstra’s compliance with IPND rules. The ACMA penalised Telstra $2.5 million, finding it had failed to comply with the obligations on nearly 850,000 occasions. In addition, Telstra committed to a significant compliance uplift program of work to ensure future compliance.
In September 2022, Telstra notified the ACMA it had found further issues from the same period through monitoring arrangements put in place as part of its uplift program. ACMA’s investigation found Telstra failed to provide accurate customer information to the IPND on more than 19,000 occasions between October 2010 and August 2022, including around 600 occasions where silent numbers were incorrectly flagged for listing in directory services. Telstra also failed to provide over 200 consumers with a copy of their IPND information within the required time frame.
ACMA Chair Nerida O’Loughlin said that while Telstra has engaged in a compliance uplift program, these new breaches indicate it has more to do.
“Telstra needs to focus on completing the program and making sure it is fully compliant with these rules. The IPND is essential in a crisis when emergency services or police need to contact or locate people in harm’s way.
“We will keep Telstra focused on fixing these longstanding issues and giving consumers confidence that their data is being accurately recorded,” said Ms O’Loughlin.
In addition to the financial penalty, the ACMA has accepted a court-enforceable undertaking from Telstra that requires an independent review of its IPND compliance uplift and to make further improvements where required. Telstra must also check the accuracy of its IPND data quarterly and report to the ACMA.
If Telstra fails to comply with its obligations or the enforceable undertaking in future, the ACMA can commence proceedings in the Federal Court.
“The ACMA expects all telcos to have and maintain effective processes to meet these critical obligations, especially as we head into the bushfire season in Australia,” Ms O’Loughlin said.
All telcos are required to upload accurate customer details to the IPND for each service using a public number that they provide under the Act and the IPND industry code. Silent numbers must be accurately listed so they are not inadvertently published in directories. Consumers also have a right to request a copy of their IPND record and it must be provided within 20 business days.
This breach was reported by 9 News and the Australian, amongst others. The Australian article provides:
Australia’s largest telco has been fined $306,360 for failing to provide details correctly to a public database used by emergency services to locate people in the event of a natural disaster.
Telstra was also found on 600 occasions to have flagged the details of silent numbers – which could have included people escaping domestic violence situations or people under protective services – for listing in the database.
The fine, handed down from the Australian Communications and Media Authority on Wednesday, arrives after the telco self-reported issues related to its passing of customer information to the Integrated Public Number Database, a database which is used by federal departments including law enforcement and national security agencies to reach people who might be in danger or to pass along critical weather updates.
That database is also used for publishing public number directories and electoral, health and government policy research.
A Telstra spokeswoman said the company accepted ACMA’s findings, and through its own investigation the telco had discovered it had provided some inaccurate data.
“We’ve been working to improve our systems and processes that deliver data to the IPND. This work uncovered some data inaccuracies as well as an issue that held up processing some customer requests for a copy of their IPND data. We reported these issues to ACMA and took steps to correct them,” she said.
“People’s privacy and safety is paramount and we’re sorry this happened. We accept the ACMA’s findings and have also executed an enforceable undertaking which includes appointing an independent reviewer to report on the status of our improvement work program.”
ACMA, the nation’s telco watchdog, said Telstra had committed repeat offences in relation to sharing of key customer information to the database. Despite Telstra self-reporting the issues, the telco has some way to address longstanding issues relating to the IPND, said ACMA Chair Nerida O’Loughlin.
“The ACMA expects all telcos to have and maintain effective processes to meet these critical obligations, especially as we head into the bushfire season in Australia,” she said.
Telstra is the manager of the IPND database in Australia just as it is the provider which first takes emergency calls and passes them along to the correct service including fire departments, ambulances and police.
The $306,360 fine follows a $2.5m fine dished out to Telstra in 2021, when ACMA identified systemic issues with Telstra’s compliance with IPND rules.
In September last year Telstra told the regulator it had found further issues from the same period through its internal monitoring program, prompting the latest investigation.
ACMA found Telstra failed to provide accurate customer information to the IPND on more than 19,000 occasions between October 2010 and August 2022, including around 600 occasions where silent numbers were incorrectly flagged for listing in directory services.
Data passed along to the IPND includes the customer’s public number, their name, their service address, an alternate address, an alternate contact for the customer, the service status including private or listed, what the service is used for (government, business, charitable or residential purposes) and the type of service (fixed, mobile or data-only).
Telcos are required to comply with IPND rules and cross check records in the IPND against their own database every six months, under the Telecommunications Act 1997.
Telstra had also failed to provide consumers information related to their data within the IPND which telcos must comply with and provide within 20 business days.
Ms O’Loughlin said the latest breaches showed Telstra had more work to do.
“Telstra needs to focus on completing the program and making sure it is fully compliant with these rules. The IPND is essential in a crisis when emergency services or police need to contact or locate people in harm’s way,” Ms O’Loughlin said.
“We will keep Telstra focused on fixing these longstanding issues and giving consumers confidence that their data is being accurately recorded.”
ACMA has also accepted a court-enforceable undertaking from Telstra that requires an independent review of its IPND compliance program and to make further improvements where required.
Telstra must also check the accuracy of its IPND data quarterly and report to the ACMA.