Australia’s privacy commissioner earlier this month launched an investigation into the Optus data breach, in which the personal data of millions of Optus customers leaked into the wild. The OAIC investigation will probe, among other things, the data handling practices of Optus and its parent company, Singtel.
After signalling its intention to look into the matter, the Office of the Australian Information Commissioner (OAIC) officially commenced an investigation on October 11 into the personal information handling practices of Singtel Optus Pty Ltd, Optus Mobile Pty Ltd and Optus Internet Pty Ltd.
According to a statement, the OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.
It is understood the OAIC investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).
The APPs set the standards, rights and obligations that organisations such as Optus must meet around the collection, use and disclosure of personal information; an organisation’s or agency’s governance and accountability; the integrity and correction of personal information; and the rights of individuals to access their personal information, including the ability to raise related inquiries or complaints.
On Tuesday night, as part of the 2022-23 federal Budget, it was announced that the OAIC would receive $5.5 million over two years to investigate and respond to the Optus data breach. Details were scant on what exactly the OAIC will spend the money on, but it is reasonable to assume much of it will go to additional staff, given the magnitude of the investigation.
As is the case with every OAIC-led investigation, Optus will be assessed against the 13 APPs.
Australian Information and Privacy Commissioner Angelene Falk first needs to determine whether an interference with the privacy of one or more individuals has occurred (obvious, yes, but this is an official investigation, let’s not forget). She will then hand down a determination. That determination could require the Optus companies to take steps to ensure it doesn’t happen again, but Falk could also seek civil penalties through the Federal Court of up to $2.2 million for each contravention where the interference is serious or repeated.
When announcing the Optus investigation, Falk took the opportunity to warn other organisations that handle the personal information of Australians about the consequences of an incident like a data breach.
“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.
“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
On September 22, Optus disclosed it had fallen victim to a cyber attack.
This article has been updated since it was first published.