Announced initially in 2021, the OAIC investigation sought to uncover whether Optus took all appropriate steps to protect customer personal information listed in the White Pages.
The Privacy Commissioner determined that the company did not adhere to operational procedures that would protect the privacy of unknowing customers, saying that Optus did not unlist personal phone numbers when requested.
The OAIC findings said that Optus failed to remove from public access the numbers of 41,278 customers who had requested that they be unlisted.
“APP [Australian Privacy Principle] entities must value stewardship and privacy responsibilities, and the complex reality of implementing uplifts to legacy systems should not prevent an APP entity from implementing them as a priority,” Privacy Commissioner Carly Kind said.
“Although it is some time since the matter happened, this determination provides further guidance on the application of APP 11.1 to the conduct of highly sophisticated regulated entities.”
The OAIC added that the investigation also found that Optus was “aware, throughout the entire period” of the potential risks posed by customers who had published numbers, and that “potential harm, particularly [for] those in vulnerable circumstances” was present.
“Optus could have taken steps to mitigate or eliminate the risk of unauthorised disclosure, but did not,” it said.
Such steps include privacy awareness training, more diligent processes and internal operations, and greater compliance with customer requests.
The Privacy Commissioner said that “reasonable and proportionate” compensation may be considered.