The Office of the Australian Information Commissioner is investigating whether Optus breached privacy law after the telco wrongly published customers’ personal details in the White Pages in 2019.
The investigation comes on the heels of a preliminary inquiry by the privacy regulator into the data breach, in which the personal details of 50,000 customers, including name, home addresses and mobile phone numbers, were mistakenly published in the Sensis-owned White Pages.
Optus, which is also facing a class action by Maurice Blackburn over the data breach, alerted affected customers to the mistake in October 2019.
“The public disclosure of personal information against the wishes of individuals may have the potential to cause harm,” the regulator said Friday.
“The OAIC’s investigations can determine whether such matters involve systematic issues that can be prevented by ensuring the right practices are in place. This can set a benchmark for all organisations and build trust in the community.”
The Maurice Blackburn class action complaint, which was filed with the OAIC in April 2020, alleges that Optus failed in its duties by disclosing the personal information of customers and by disclosing private information originally collected for the provision of services by Optus, without consent. Optus also failed to take steps to protect the privacy of its customers, the class action contends.
The class action is the first to seek compensation for customers under the Privacy Act, according to Maurice Blackburn, which has called the matter “an important test of Australia’s privacy laws”.
Lawyerly has reached out to Optus for comment on the OAIC investigation.
In a response released after the class action was filed, Optus said it took its privacy obligations seriously, and noted that the company had worked to remedy the data issue when it became aware of the error.
“Optus takes its privacy obligations seriously and we regularly review and audit our processes to ensure our customers’ information is managed securely,” an Optus spokesperson said at the time.
“When undertaking a review of our records against Sensis listings last year, we identified inconsistencies. We requested that Sensis remove the information from their online directory and we notified all customers who may have been affected.”
Companies that disclose personal information face penalties, including fines, under the Privacy Act.
The class action followed a settlement in December 2019 in Australia’s first privacy class action, which was brought against the NSW government over a data breach by a contractor who sold private details of 130 ambulance workers to personal injury law firms.
The federal government launched a review in December into a potential overhaul of the country’s privacy laws.
Copyright Lawyerly Media. Unauthorised reproduction or distribution of this article is prohibited.
A reprint licence is required to reproduce or distribute this article. Contact Us for a reprint licence.