Southern Phone Company's silent number privacy breaches | ACMA

Southern Phone Company's silent number privacy breaches

Woman on the phone

The Australian Communications and Media Authority has found that Southern Phone Company Limited (SPC), by inadvertently removing the silent number classification from its customer records when uploading customer data to the Integrated Public Number Database (IPND), contravened:

The ACMA has now directed SPC to comply with the privacy clauses of the TCP Code and accepted an enforceable undertaking offered by SPC.

The ACMA investigation found that SPC failed to protect the privacy of 3,854 silent line customers resulting in their telephone numbers and associated name and address details being published in three Australia-wide online public number directories between 18 March 2014 and 24 July 2014. In addition, some of the affected customers also had their service details published in various regional hard copy directories. SPC notified all affected customers of the incident and offered customers the option of a new telephone number free of charge.

‘Failure by a telco provider to honour a customer’s request for a silent number is an issue that the ACMA takes very seriously, particularly given that such requests often arise from concerns over personal safety,’ said ACMA Chairman, Chris Chapman.

The EU commits SPC to upgrade its data collection, engage an independent auditor to review its processes, instigate a comprehensive education and training program, and comprehensively report to the ACMA. Failure to meet the EU exposes SPC to Federal Court action.

SPC has fully cooperated with the ACMA during the investigation and acknowledged that the ACMA had reasonable grounds to make its findings.

The ACMA consulted with the Office of the Australian Information Commissioner during the investigation.

The ACMA will closely monitor SPC’s compliance with the EU and direction.

For more information, please see the Backgrounder below, or to arrange an interview, please contact: Emma Rossi, Media Manager, (02) 9334 7719 and 0434 652 063 or media@acma.gov.au.

Media release 30/2015 - 26 June

Backgrounder

The investigation

The ACMA began its investigation following:

  • the receipt of complaints from two SPC customers alleging that their unlisted (silent) numbers had been published in a public number directory;
  • an admission by SPC on 24 July 2014, in response to the ACMA’s preliminary inquiries, that it incorrectly classified unlisted (silent) telephone services as listed in information uploaded to the IPND Manager on 18 March 2014 and again on 15 April 2014.

The ACMA found that SPC contravened:

  • subsection 101(1) of the Telecommunications Act 1997, which requires a carriage service provider to comply with the service provider rules that apply to it, as it failed to give the IPND Manager the information it reasonably required to provide and maintain the IPND, thereby contravening the service provider rule in clause 10 of Schedule 2 to the Act;
  • clause 5.12 of the IPND Industry Code, which requires data providers to ensure that the information it provides to the IPND Manager is accurate, complete and up to date; and
  • clause 4.6.3 of the TCP Code, which requires a supplier to ensure that a customer’s personal information is protected from unauthorised use or disclosure.

The error did not affect White Pages®.

The IPND and IPND Scheme

The IPND is a telecommunications industry-wide database of all listed and unlisted public numbers and associated customer data. As well as being a key data source for responding to emergency calls, the telephone-based emergency alert system, and to assist law enforcement and national security agencies, the IPND is used by directory publishers authorised by the ACMA to produce public number directories.

The disclosure of personal information (including an unlisted telephone number) is prohibited under Part 13 of the Telecommunications Act, with only very limited exceptions. One such exception allows information in the IPND, about listed numbers only, to be used for the purpose of publishing and maintaining a public number directory.

Part 13 also provides for the ACMA to administer the IPND scheme, which allows for the assessment of applications for authorisation for public number directory publishers and people conducting research of a kind specified by the Minister as being in the public interest. At the time of the incident, there were six directory publishers authorised by the ACMA to use IPND data to produce public number directories across various regions of Australia—some hard copy and others online. No research authorisations were in place.

Enforcement

Where the ACMA finds a breach of an industry code registered under Part 6 of the Telecommunications Act, it can:

  • agree with the telecommunications provider on steps it will take to remedy the breach or improve compliance
  • give a formal warning
  • give a direction to comply with the code.

It cannot ‘fine’ the telecommunications provider at that stage. However, if a telecommunications provider who has been given a direction breaches that direction (for example, by contravening the TCP Code again), the ACMA can issue an infringement notice or commence proceedings in the Federal Court seeking a pecuniary penalty.

Since the TCP Code was registered in September 2012, the ACMA has:

  • issued 152 formal warnings
  • given 27 directions to comply
  • given one infringement notice for contravening a direction to comply.

The ACMA has also accepted two enforceable undertakings under section 572B of the Telecommunications Act to improve the accuracy of customer data provided to the IPND Manager.  

Last updated: 14 April 2016