Feb 16, 2011 07:50 GMT

An official investigation into a customer data breach at Vodafone Australia concluded that the company did not meet some of its legal obligations to protect the data.

Back in January, a Sydney Morning Herald report claimed that employees from Vodafone dealerships were misusing their access to the company's customer management system.

The newspaper said that passwords to access Vodafone's Siebel system were leaked to unauthorized individuals who used them to look at customer call history and billing information.

Following the report, Vodafone launched an internal investigation which resulted in the dismissal of some employees who violated its data handling policies.

The largest Vodafone dealer, CommsDirect, whose management was accused of encouraging misuse of the system for unethical business practices, also fired some of its staff.

The Office of the Australian Information Commissioner (OAIC) just published [pdf] the findings of its own investigation into Vodafone's data handling practices.

It determined that the company did not violate National Privacy Principle (NPP) 2.1, which says that organizations must not use or disclose personal information for purposes other than those for which it was collected.

"Taking into consideration all the information available to the Privacy Commissioner, in his view, the allegation that personal information was disclosed contrary to NPP2.1 is unsubstantiated," the OAIC concluded.

However, Vodafone was found to be in breach of NPP 4.1, under which organizations must take reasonable steps to protect the personal information they collect.

"While Vodafone had a range of security safeguards in place to protect the personal information on its Siebel system at the time of the incident, the use of store logins and the wide availability of full identity information via Siebel caused an inherent data security risk in terms of how personal information was protected by Vodafone," said Privacy Commissioner Timothy Pilgrim.

Even so, the law did not allow him to impose a penalty on Vodafone. He acknowledged the company's immediate actions to tighten security and ordered it to report back with the conclusions of its IT security audit.