Telstra Corporation Limited: own motion investigation report (2014)

<!doctype html> <html lang="en"> <head> <title>Telstra Corporation Limited: own motion investigation report (2014) | OAIC</title>  <meta charset="utf-8"> <meta name="mobile-web-app-capable" content="yes"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">  <meta name="dcterms.title" content="Telstra Corporation Limited: own motion investigation report (2014)"> <meta name="dcterms.creator" content="OAIC"> <meta name="dcterms.created" content="2022-08-10T15:17:26+10:00"> <meta name="dcterms.modified" content="2023-10-18T14:48:12+11:00"> <meta name="dcterms.issued" content="2023-03-10T16:32:11+11:00"> <meta name="dcterms.format" content="HTML"> <meta name="dcterms.identifier" content="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report">    <meta name="publishedDate" content="1 March 2014"> <meta name="publishedDate_ISO" content="2014-03-01T00:00:00+11:00"> <meta name="description" content="Investigation into Telstra Corporation Limited after media reports that personal information of Telstra customers was accessible online, which Telstra confirmed" /> <meta name="pdISO" content="2014-03-01T00:00:00+11:00" /> <meta name="robots" content="" />  <meta name="chapter-nav" content="no" /> <meta name="chapter-nav-prev" content="" /> <meta name="chapter-nav-next" content="" /> <meta name="chapter-nav-prev-btn-text" content="Previous chapter" /> <meta name="chapter-nav-next-btn-text" content="Next chapter" /> <meta name="background_color" content="chapter-navigation__wrapper--white" />  <meta name="show-related-articles" content="no" /> <meta name="topic" content="" /> <meta name="contentType" content="" /> <meta name="featuredNews" content="no" /> <meta name="author-name" content="" /> <meta name="author-title" content="" /> <meta name="author-image" content="" />  <meta name="type" content="web" />  <meta name="showFeedbackWidget" content="yes" /> <meta name="showShareWidget" content="yes" />  <meta itemprop="name" content="Telstra Corporation Limited: own motion investigation report (2014)" /> <meta itemprop="description" content="Investigation into Telstra Corporation Limited after media reports that personal information of Telstra customers was accessible online, which Telstra confirmed" /> <meta itemprop="image" content="" />  <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@OAICgov" /> <meta name="twitter:title" content="Telstra Corporation Limited: own motion investigation report (2014)" /> <meta name="twitter:description" content="Investigation into Telstra Corporation Limited after media reports that personal information of Telstra customers was accessible online, which Telstra confirmed" /> <meta name="twitter:image" content="" />  <meta property="og:title" content="Telstra Corporation Limited: own motion investigation report (2014)" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report" /> <meta property="og:image" content="" /> <meta property="og:description" content="Investigation into Telstra Corporation Limited after media reports that personal information of Telstra customers was accessible online, which Telstra confirmed" /> <meta property="og:site_name" content="OAIC" /> <meta property="article:published_time" content="2023-03-10T16:32:11+11:00" /> <meta property="article:modified_time" content="2023-10-18T14:48:12+11:00" /> <meta property="article:tag" content="" /> <meta name="theme-color" content="#fafafa">  <script src="//cdn-oc.readspeaker.com/script/9755/webReader/webReader.js?pids=wr" type="text/javascript" id="rs_req_Init"></script>  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PTH9SP3B');</script>   <meta name="google-site-verification" content="sQVHBUKhjuCjBjithPialZYhGQ5SPKwjb1_rY8OqsjA" /> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/main.css?h=06ed308"> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/css_file/0024/240585/custom.css?v=0.1.202">  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Source+Code+Pro:ital,wght@0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap" rel="stylesheet">  <link rel="shortcut icon" href="https://www.oaic.gov.au/__data/assets/image/0016/14182/favicon-32x32.png"> <link rel="apple-touch-icon" href="https://www.oaic.gov.au/__data/assets/image/0015/14181/apple-touch-icon.png">  </head> <body class="inside">  <section class="cookie-banner" aria-labelledby="cookie-heading"> <h2 class="visuallyhidden" id="cookie-heading">We use cookies on this site</h2> <div class="cookie-banner__content"> <div> <p>We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy">privacy policy</a>.</p> </div> <button class="cookie-banner__close primary-button" id="close-cookie-banner" aria-label="Close and accept cookie policy">Close</button> </div> </section>   <div class="skip-to-content"> <a href="#main-content-area" class="skip-to-content__link visuallyhidden focusable">Skip to main content</a> </div>  <div class="page-wrapper">     <header class="site-header"> <div class="utility-nav"> <div class="utility-nav__wrapper"> <a href="/news" class="utility-nav__link ">News</a> <a href="/about-the-OAIC/join-our-team" class="utility-nav__link ">Join our team</a> <a href="/contact-us" class="utility-nav__link ">Contact us</a> </div> </div> <div class="header-content"> <a href="https://www.oaic.gov.au" class="header-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/13664/oaic-header-logo.svg" alt="OAIC - Australian Government - Office of the Australian Information Commissioner"> </a> <button class="mobile-menu" aria-controls="header-nav" aria-expanded="false"> <img class="menu-icon menu-icon--burger" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/hamburger-menu.svg" alt="open menu"> <img class="menu-icon menu-icon--close" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/cancel-icon-white.svg" alt="close menu"> </button> <div class="search-container search-container--header"> <form class="input-form" action="https://www.oaic.gov.au/search" data-action="https://www.oaic.gov.au/search?SQ_ASSET_CONTENTS_RAW"> <input name="query" autocomplete="off" id="autoComplete" placeholder="Search…" class="search-box" aria-label="Search input" data-autocomplete-endpoint="https://dxp-au-search.funnelback.squiz.cloud/s/suggest.json?collection=113e9365-ffcc-4320-a995-5c1b98bea3bb~sp-oaic-web-new&profile=auto-completion-global&fmt=json%2B%2B&alpha=0.5&show=10"> <input type="hidden" name="form" value="result"> <button type="button" id="clear-text-btn" class="cancel-logo" aria-label="Clear text"> <img src="https://www.oaic.gov.au/__data/assets/file/0022/13666/cancel-icon.svg" alt="clear text cancel icon"> </button> <button type="submit" aria-label="Submit search"> <img class="search-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/13667/search-outline.svg" alt="search icon thst submits form"> </button> </form> </div> <div id="header-nav" class="header-nav"> <nav class="header-nav__nav"> <div class="header-nav__item"> <a href="https://www.oaic.gov.au" class="header-nav__link " > Home </a> </div> <div class="header-nav__item"> <button class="header-nav__button current" aria-expanded="false" > Privacy <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/privacy" class="header-nav__sub-link"> Privacy </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/privacy/your-privacy-rights" class="header-nav__sub-link"> Your privacy rights </a> <a href="https://www.oaic.gov.au/privacy/privacy-complaints" class="header-nav__sub-link"> Privacy complaints </a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles" class="header-nav__sub-link"> Australian Privacy Principles </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies" class="header-nav__sub-link"> Privacy guidance for organisations and government agencies </a> <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches" class="header-nav__sub-link"> Notifiable data breaches </a> <a href="https://www.oaic.gov.au/privacy/privacy-legislation" class="header-nav__sub-link"> Privacy legislation </a> <a href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions" class="header-nav__sub-link"> Privacy assessments and decisions </a> <a href="https://www.oaic.gov.au/privacy/privacy-registers" class="header-nav__sub-link"> Privacy registers </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Freedom of information <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/freedom-of-information" class="header-nav__sub-link"> Freedom of information </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/freedom-of-information/your-freedom-of-information-rights" class="header-nav__sub-link"> Your freedom of information rights </a> <a href="https://www.oaic.gov.au/freedom-of-information/how-to-access-government-information" class="header-nav__sub-link"> How to access government information </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies" class="header-nav__sub-link"> Freedom of information guidance for government agencies </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-legislation-and-determinations" class="header-nav__sub-link"> Freedom of information legislation and determinations </a> <a href="https://www.oaic.gov.au/freedom-of-information/information-commissioner-decisions-and-reports" class="header-nav__sub-link"> Information Commissioner decisions and reports </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-statistics-for-the-oaic" class="header-nav__sub-link"> Freedom of information statistics for the OAIC </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Consumer Data Right <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/consumer-data-right" class="header-nav__sub-link"> Consumer Data Right </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/consumer-data-right/information-for-consumers" class="header-nav__sub-link"> Information for consumers </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-complaints" class="header-nav__sub-link"> Consumer Data Right complaints </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business" class="header-nav__sub-link"> Consumer Data Right guidance for business </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions" class="header-nav__sub-link"> Consumer Data Right legislation, regulation and definitions </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments" class="header-nav__sub-link"> Consumer Data Right assessments </a> </div> </div> </div> </div> <div class="header-nav__item"> <a href="https://www.oaic.gov.au/digital-id" class="header-nav__link " > Digital ID </a> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Engage with us <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/engage-with-us" class="header-nav__sub-link"> Engage with us </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/engage-with-us/consultations" class="header-nav__sub-link"> Consultations </a> <a href="https://www.oaic.gov.au/engage-with-us/submissions" class="header-nav__sub-link"> Submissions </a> <a href="https://www.oaic.gov.au/engage-with-us/translations" class="header-nav__sub-link"> Translations </a> <a href="https://www.oaic.gov.au/engage-with-us/events" class="header-nav__sub-link"> Events </a> <a href="https://www.oaic.gov.au/engage-with-us/networks" class="header-nav__sub-link"> Networks </a> <a href="https://www.oaic.gov.au/engage-with-us/research-and-training-resources" class="header-nav__sub-link"> Research and training resources </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > About the OAIC <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/about-the-OAIC" class="header-nav__sub-link"> About the OAIC </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/about-the-OAIC/what-we-do" class="header-nav__sub-link"> What we do </a> <a href="https://www.oaic.gov.au/about-the-OAIC/who-we-are" class="header-nav__sub-link"> Who we are </a> <a href="https://www.oaic.gov.au/about-the-OAIC/join-our-team" class="header-nav__sub-link"> Join our team </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information" class="header-nav__sub-link"> Access our information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach" class="header-nav__sub-link"> Our regulatory approach </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information" class="header-nav__sub-link"> Our corporate information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/information-policy" class="header-nav__sub-link"> Information policy </a> <a href="https://www.oaic.gov.au/about-the-OAIC/serving-legal-documents-on-the-australian-information-commissioner" class="header-nav__sub-link"> Serving legal documents on the Australian Information Commissioner </a> </div> </div> </div> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/news" class="header-nav__link">News</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/about-the-OAIC/join-our-team" class="header-nav__link">Join our team</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/contact-us" class="header-nav__link">Contact us</a> </div> </nav> </div> </div> </header> <div class="nav-close-overlay"></div>   <main class="main"> <div class="breadcrumb__wrapper"> <div class="section "> <div class="section-item flex-box "> <div class="breadcrumb breadcrumb--separator-chevron"> <nav class="breadcrumb__nav" aria-label="Breadcrumb"> <ul class="breadcrumb__list"> <span class="breadcrumb__list-item"><a href="https://www.oaic.gov.au" class="breadcrumb__list-item-link" aria-label="Go to home page"><svg xmlns="http://www.w3.org/2000/svg" version="1.0" viewBox="0 0 50 50" height="24" width="24"><path d="M25 9.0937 7.281 25.3747h5.563v15.531h24.312v-15.531h5.563L25 9.0937z" fill="currentColor"></path></svg></a></span> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy">Privacy</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions">Privacy assessments and decisions</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions">Privacy decisions</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports">Investigation reports</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report">Telstra Corporation Limited: own motion investigation report (2014)</a> </li> </ul> </nav> </div> </div> </div> </div>  <div id="main-content-area" class="page-content"> <div class="toc"> <ul class="toc__list"> <li class="toc__heading"> <h2 class="toc-exclude">On this page</h2> </li> </ul> </div> <section class="banner-grey-newsroom__wrapper"> <div class="banner-grey-newsroom__content"> <h1 class="banner-grey-newsroom__title">Telstra Corporation Limited: own motion investigation report (2014)</h1> </div> </section>  <script> if(document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content')) { document.querySelector('.breadcrumb__wrapper').insertAdjacentElement('afterend',document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content').closest(' .banner-grey-newsroom__wrapper')) } </script> <div class="gov-numbered-paragraphs" id="component_19975"> <div><div><div><div>Publication date: 1 March 2014</div></div></div><div><div id="page-content"><h2 id="overview">Overview</h2><p>On 24 May 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Telstra Corporation Limited (Telstra). This was in response to media allegations that personal information of Telstra customers was accessible online, which Telstra confirmed.</p><p>The Commissioner’s investigation focused on whether Telstra took reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure.<a id="_ftnref1" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftn1">[1]</a></p><p>After considering the facts of the case, submissions from Telstra and the relevant provisions of the <em><a href="https://www.legislation.gov.au/Series/C2004A03712">Privacy Act 1988</a></em> (Cth), the Commissioner came to the view that Telstra had breached the Privacy Act, by failing to take reasonable steps to secure personal information it held. The Commissioner also found that Telstra had unlawfully disclosed personal information.</p><p>The <a href="https://www.acma.gov.au/theACMA/acma-telecommunications-investigation-reports">Australian Communications and Media Authority (the ACMA) also carried out an investigation</a> into the incident in relation to Telstra’s compliance with clause 4.6.3 of the Telecommunications Consumer Protections Code C628:2012 (the Code). The ACMA found that Telstra contravened clause 4.6.3 of the Code by failing to protect the privacy of customers’ personal information. The ACMA also found that Telstra’s conduct contravened the direction given to Telstra by the ACMA on 3 September 2012 under subsection 121(1) of the <em><a href="https://www.legislation.gov.au/Series/C2004A05145">Telecommunications Act 1997</a></em>. The Office of the Australian Information Commissioner (OAIC) and the ACMA communicated regarding their respective investigations.</p><h2 id="background">Background</h2><p>On 15 May 2013, the Commissioner received information that spreadsheet files containing personal information about Telstra customers (the source files) were publicly accessible online (the data breach). Telstra was also notified of the data breach on 15 May 2013 and took immediate steps to respond to the breach.</p><p>The following events led to the data breach:</p><ol type="a"><li>source files were hosted on the platform that was the subject of the data breach (platform) by a third party service provider (third party provider) on behalf of Telstra</li><li>Telstra requested its third party provider to extend an access control to enable authorised partners to access Telstra’s retail information via the platform</li><li>the third party provider deployed the requested solution on 24 February 2012; this inadvertently turned off the access control, making the source files publicly accessible online</li><li>Google indexed the source files on and from 23 June 2012, making the source files discoverable via Google search between 23 June 2012 and 15 May 2013, and</li><li>the source files were discovered and accessed by an internet user who conducted a Google search for ‘Telstra’ and two other specific search criteria; that individual alerted the media.</li></ol><p>The data breach resulted in the personal information of approximately 15,775 Telstra customers being compromised, including full names, addresses and phone numbers. This included 1,257 customer accounts with active silent line services. Through its internal investigation, Telstra identified that there had been at least 166 unique downloads of the source files.</p><p>Personal information held on the platform was the subject of a previous data breach by Telstra in December 2011, where the personal information of approximately 734,000 customers was made publicly available online (the 2011 breach).<a id="_ftnref2" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftn2">[2]</a> At the time of the data breach, Telstra was taking remedial steps in response to the 2011 breach.</p><h2 id="relevant-provisions-of-the-privacy-act">Relevant provisions of the Privacy Act</h2><p>Organisations covered by the Privacy Act must comply with ten National Privacy Principles (NPPs) contained in Schedule 3 to the Act. The NPPs apply to the handling of ‘personal information’ which the Privacy Act defines as:</p><div class="block-quote">information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.</div><p>The Privacy Act applies to all private sector organisations with an annual turnover of more than $3 million and some small businesses. Telstra is subject to the Privacy Act and the NPPs.</p><p>NPP 4 (Data security) and NPP 2 (Use and disclosure) are the Privacy Act provisions relevant to this data breach. In particular:</p><ul><li>NPP 4.1 requires organisations to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure</li><li>NPP 4.2 states that, if an organisation no longer needs personal information for any purpose under NPP 2, then the organisation must take reasonable steps to destroy or permanently de-identify it</li><li>NPP 2.1 provides that an organisation may only use or disclose personal information for the primary purpose of collection, unless an exception applies.</li></ul><h2 id="findings">Findings</h2><h3 id="security-of-personal-information-npp-4-1">Security of personal information (NPP 4.1)</h3><p>In assessing whether Telstra took reasonable steps to comply with NPP 4.1, the Commissioner considered information from Telstra about the security safeguards in place relating to the platform prior to the data breach, and what steps would have been reasonable in the circumstances to protect the personal information held. This included considering the nature of the personal information, Telstra’s risk environment, implementation of security processes, website configuration, vulnerability testing and monitoring, and industry practice. The Commissioner also had regard to the guidance set out in the OAIC’s Guide to information security.<a id="_ftnref3" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftn3">[3]</a></p><h3 id="nature-of-personal-information">Nature of personal information</h3><p>Telstra stated that it considered the data breach ‘low risk from a privacy perspective’ because, among other things, the information available was limited to a customer’s name, phone number and address.</p><p>However, the Commissioner noted that a breach of this type of personal information for the 1,257 Telstra customers with silent line services was not low risk. Further, the Commissioner noted that varying risk levels may require an entity to take varying security precautions in order to meet the requirements of NPP 4.1.</p><h3 id="risk-environment">Risk environment</h3><p>At the time of the data breach, Telstra was undertaking a remediation program in response to the 2011 breach involving the platform. The remediation program included decommissioning the third-party provided platform to an internal solution and remedying deficiencies in Telstra’s data management and security governance framework.</p><p>In this regard, the Commissioner found that Telstra was operating in a heightened risk environment, and that Telstra was required to take steps that were reasonable in light of that risk environment.</p><h3 id="implementation-of-security-processes">Implementation of security processes</h3><p>Following the 2011 breach, Telstra implemented an interim process using a ‘Security Approval mailbox’, to ensure that any changes to the platform would be reviewed by Telstra’s security team in order to mitigate the known risks. However, this process was not followed. Information from Telstra indicated that this was a key contributing factor to the data breach.</p><h3 id="web-configuration">Web configuration</h3><p>The Commissioner found the indexing of personal information by Google indicated that Telstra (or the third party provider, on Telstra’s behalf) did not effectively configure its website to request search robots such as Googlebot (via the robots.txt file) not to index, archive or cache the data on parts of the website not intended to be publicly accessible. Correctly implementing the robots.txt command would have significantly limited the discoverability of the compromised personal information, and may have prevented access by unauthorised persons.<a id="_ftnref4" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftn4">[4]</a></p><h3 id="vulnerability-testing-and-monitoring">Vulnerability testing and monitoring</h3><p>Compliance with NPP 4.1 requires entities to take reasonable steps to secure personal information, which generally includes implementing clear policies and procedures to maintain the security of personal information, such as establishing:</p><ul><li>the frequency at which testing will be conducted, given the nature of the personal information held</li><li>who is responsible for conducting testing (for example the entity who holds the data or a third party service provider who deals with the data on the entity’s behalf)</li><li>what sort of testing may be suitable, given the nature of the personal information held and the way that information is stored and processed, and</li><li>if testing identifies weaknesses, how this will be reported and addressed.</li></ul><p>During the investigation, Telstra indicated that it plans to implement certain strategies that may include privacy policies and procedures (see ‘Rectification’ below). However, Telstra also stated that once a particular access control is implemented in a secure state, there is no need to undertake on-going testing.</p><p>The Commissioner disagreed on the basis that there is no ‘set and forget’ solution to security and privacy in the digital environment. As network and other vulnerabilities arise, and as programs and platforms are amended or updated, what is secure at a particular point in time can become subject to a vulnerability at a later date. The Commissioner also noted that routine testing of website security and access control settings may be a reasonable security step as required under NPP 4.1.</p><p>Unknown to Telstra, the source files remained accessible between February 2012 and the date of the data breach in May 2013. The Commissioner found that this indicated a failure by Telstra (or the third party provider on Telstra’s behalf) to take reasonable steps to monitor the security of personal information held by Telstra. Telstra asserted that ‘the duration of potential accessibility [was] an irrelevant consideration in assessing whether or not [Telstra] took reasonable steps’ to secure personal information, as NPP 4.1 makes no reference to duration.</p><p>The Commissioner considered duration of potential accessibility to be a relevant consideration. This is particularly the case in the networked digital environment, where accessible data is easily copied, transferred and disseminated. While personal information is accessible, there continues to be a risk that it will be accessed. The Commissioner considered that where personal information is inadvertently or mistakenly made accessible to the public, it will generally be a reasonable security step to limit the duration of that accessibility as much as possible.</p><p>In response to the data breach, Telstra established a Security Exploration Team tasked with proactively searching for any Telstra customer data that may be accessible publicly or through search robots (see ‘Rectification’ below). The Commissioner noted that if such processes had been in place prior to the data breach, they may have detected the access control failure and the incorrect implementation of the ‘robots.txt’ file. This would have enabled Telstra to prevent or limit the impact of the data breach.</p><h3 id="industry-practice">Industry practice</h3><p>In relation to Software as a Service (SaaS) testing, Telstra told the OAIC that it complied with industry practice.</p><p>The Commissioner noted that adherence to industry practice is not, in of itself, an alternative to an entity meeting its regulatory and legal obligations.<a id="_ftnref5" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftn5">[5]</a> If an entity engages in what it considers to be industry practice, and that practice falls short of the requirements of the Privacy Act, the Commissioner may consider that entity non-compliant.</p><h3 id="npp-4-1-conclusion-whether-reasonable-steps-were-taken-to-secure-the-personal-information">NPP 4.1 conclusion — whether reasonable steps were taken to secure the personal information</h3><p>The Commissioner found that Telstra had:</p><ul><li>made personal information publicly accessible online, and</li><li>failed to properly configure its website (via the robots.txt file) to prevent the unwanted indexation of content by search robots including Googlebot.</li></ul><p>Once the source files were made publicly accessible online, this resulted in Google indexing the source files allowing greater discoverability. The Commissioner determined that the source files were accessible for 14 months and discoverable via a Google search for almost 11 months.</p><p>The Commissioner was also satisfied that:</p><ul><li>following the 2011 breach, Telstra was aware of particular security risks with Telstra’s management of the platform</li><li>it was a reasonable step to implement security processes and procedures to address the heightened risk environment</li><li>had Telstra followed its own processes, it may have prevented or mitigated the effects of the breach, and</li><li>in order to satisfy the requirements of NPP 4.1, ‘reasonable steps’ in the circumstances required both the implementation of reasonable security procedures and adherence to them.</li></ul><p>Further, Telstra failed to take steps such as vulnerability testing and monitoring despite its awareness of the heightened risk environment.</p><p>Based on the considerations set out above, the Commissioner found that Telstra contravened NPP 4.1, by failing to take reasonable security steps to protect the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.</p><h3 id="secure-destruction-or-permanent-de-identification-of-personal-information-that-is-no-longer-required-npp-4-2">Secure destruction or permanent de-identification of personal information that is no longer required (NPP 4.2)</h3><p>NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information that is not being used or disclosed for any purpose under NPP 2 (in other words, where the personal information is no longer required). To comply with this obligation, an organisation must have systems or procedures in place to identify information the organisation no longer needs, and a process for how the destruction or de-identification of the information will occur.</p><p>The source files compromised in the data breach contained information from 2009 and earlier. Telstra was unable to initially determine the purpose of the compromised data and subsequently stated that it was retained in accordance with its document retention policy (a copy of that policy was provided to the Commissioner). However Telstra did not identify any particular provisions in the document retention policy that required the source files to be retained on the platform.</p><p>Telstra also advised that because the information in the source files was between four and seven years old, it did not have an immediate commercial need for the data.</p><p>The Commissioner noted that information that is not current may still cause harm in the event that it is compromised, for example, it may be used for identity theft purposes.</p><p>Telstra did not demonstrate that in this instance it had systems in place to identify personal information that was not being used or disclosed for a purpose under NPP 2. Further, the Commissioner did not consider any of the information provided by Telstra to indicate that Telstra had adequate processes in place to destroy or de-identify information that was no longer in use.</p><p>Therefore, the Commissioner found that Telstra failed to take reasonable steps to destroy or permanently de-identify the personal information held on the platform that was no longer needed for any lawful purpose, in contravention of NPP 4.2.</p><h2 id="disclosure-of-personal-information-npp-2-1">Disclosure of personal information (NPP 2.1)</h2><p>As part of the investigation, the Commissioner considered whether there had been a breach of NPP 2.1 in relation to the publication of customer information online by Telstra. NPP 2.1 regulates the use and disclosure of personal information and states that organisations may only use or disclose personal information for the primary purpose of collection, unless an exception applies.</p><p>In general terms an organisation ‘discloses’ personal information when it releases information, whether purposely or accidentally, to others outside the organisation.</p><p>Telstra is aware of at least 166 unique downloads of the source files by IP addresses that are not associated with Telstra or its affiliates. The Commissioner found that this occurred as a result of Telstra allowing the source files to be made publicly accessible online, following implementation of the incorrect access control setting.</p><p>Therefore, the Commissioner found that the external accessibility of customers’ personal information held on the platform was a disclosure in breach of NPP 2.1.</p><h2 id="rectification">Rectification</h2><p>The Commissioner found that Telstra acted appropriately in responding to the data breach. After being notified of the breach, Telstra:</p><ol type="a"><li>disabled all public access links to the source files containing the customer data, and requested Google to clear all relevant caches</li><li>reported the incident to the ACMA and the Telecommunications Industry Ombudsman</li><li>requested that the third party provider commence an internal investigation and report back to Telstra, and</li><li>notified affected customers, and developed a process to enable resellers’ end users to change their number as required.</li></ol><p>To prevent future data breaches, Telstra also conducted internal reorganisation to support the central management of software and platforms by Telstra IT, increased security controls, recommended an internal review into Telstra’s use of SaaS solutions (including monitoring and ensuring that solutions employ reasonable security steps), and established a Security Exploration Team tasked with searching for any Telstra customer data that may be accessible publicly or through search robots.</p><p>As of 31 December 2013, Telstra decommissioned all instances of the platform and migrated to an internal platform managed by Telstra IT.</p><p>Telstra will also establish a clear policy for central software management (including information security arrangements), review contracts relating to personal information handling (including by enhancing Telstra’s control over third party providers), implement a data loss prevention program, adopt a Privacy by Design strategy, and exit its contract with the third party provider.</p><h2 id="recommendations">Recommendations</h2><p>Telstra is responsible for the personal information of millions of Australians. It has both a legal and corporate responsibility to take all reasonable steps to ensure personal information is protected.</p><p>The Commissioner has requested and Telstra has agreed that Telstra engage an independent third party auditor by 12 March 2014 to certify that Telstra has implemented the planned rectification, and that the certification be provided to the Commissioner by 30 June 2014. This will help ensure Telstra is well placed to comply with the reforms to the Privacy Act that apply from 12 March 2014.<a id="_ftnref6" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftn6">[6]</a></p><p>The Commissioner has also recommended that Telstra review its Document Retention Policy to ensure it meets the requirements of the Australian Privacy Principles.</p><h2 id="conclusion">Conclusion</h2><p>The Commissioner found that Telstra:</p><ul><li>failed to take reasonable steps to ensure the security of the personal information that it held, in contravention of NPP 4.1</li><li>failed to take reasonable steps to destroy or permanently de-identify the personal information it held in contravention of NPP 4.2, and</li><li>disclosed personal information other than for a permitted purpose, in contravention of NPP 2.1.</li></ul><p>Telstra acted appropriately in response to the data breach by immediately disabling all public access links to the source files containing the customer data.</p><p>Since the data breach, Telstra has undertaken an appropriate review of the incident and data involved, and taken appropriate steps to notify potentially affected customers. Telstra has also partially addressed the OAIC’s recommendations and is in the process of addressing those remaining.</p><p>Based on the information from Telstra about its review and remediation of the data breach and Telstra’s ongoing implementation of recommendations made by the OAIC, the Commissioner decided to close the investigation.</p><h2 id="acronyms-and-abbreviations">Acronyms and abbreviations</h2><p>Commissioner — Australian Privacy Commissioner</p><p>NPPs — National Privacy Principles (contained in Schedule 3 of the <em>Privacy Act 1988</em> (Cth))</p><p>OAIC — Office of the Australian Information Commissioner</p><p>Privacy Act — <em>Privacy Act 1988</em> (Cth)</p></div><div class="sidebar col--md-3 last" id="content-sidebar" role="complementary" aria-label="Sidebar"></div></div></div> </div> <div class="footnotes"><h2 id="footnotes">Footnotes</h2><p><a id="_ftn1" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftnref1">[1]</a> As required under National Privacy Principle (NPP) 4.1.</p><p><a id="_ftn2" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftnref2">[2]</a> The 2011 breach was also the subject of an <a href="https://www.oaic.gov.au/_old/privacy/privacy-decisions/investigation-reports/telstra-corporation-limited-telstra-own-motion-investigation-report-2011">own motion investigation report by the Commissioner</a>.</p><p><a id="_ftn3" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftnref3">[3]</a> See <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-securing-personal-information">Guide to securing personal information</a>.</p><p><a id="_ftn4" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftnref4">[4]</a> ‘Robots.txt’ is a request-based string which search engines comply with voluntarily, and the Commissioner noted that most search engines comply with ‘robots.txt’, including Google, Bing, and Yahoo! Together, these comprise the vast majority of search engine market share in Australia (over 98% at the time of the data breach: source — Michael David, Internetrix Research, <a href="http://www.internetrix.com.au/assets/Research-Papers/SEO-FINAL-White-Paper-web.pdf">Search Engine Optimization in 2013</a>, www.internetrix.com.au/assets/Research-Papers/SEO-FINAL-White-Paper-web.pdf, 1 May 2013).</p><p><a id="_ftn5" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftnref5">[5]</a> See the OAIC’s Guide to information security for further details. Complying with an industry practice does not absolve the entity of taking further steps to protect its holdings of personal information. However adopting an industry standard as part of broader risk assessment can supplement compliance regimes and provide entities some confidence regarding their security practices.</p><p><a id="_ftn6" href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/telstra-corporation-limited-own-motion-investigation-report#_ftnref6">[6]</a> See <a href="https://www.oaic.gov.au/_old/privacy/australian-privacy-principles">Privacy fact sheet 17: Australian Privacy Principles</a>.</p></div> </div>  </main>   <div class="footer"> <div class="footer__upper"> <div class="footer__upper--wrapper"> <div class="back-to-top__wrapper"> <button class="back-to-top" aria-label="Back to top"> <svg class="back-to-top__icon" aria-hidden="true" focusable="false" width="28" height="47" viewBox="0 0 28 47" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M6 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M22 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M14 21L14 1" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M2.94 41V33.41H0.36V31.25H8.1V33.41H5.52V41H2.94ZM13.2027 41.18C12.5227 41.18 11.9027 41.065 11.3427 40.835C10.7927 40.605 10.3177 40.275 9.9177 39.845C9.5277 39.405 9.2227 38.87 9.0027 38.24C8.7827 37.6 8.6727 36.88 8.6727 36.08C8.6727 35.28 8.7827 34.57 9.0027 33.95C9.2227 33.32 9.5277 32.795 9.9177 32.375C10.3177 31.945 10.7927 31.62 11.3427 31.4C11.9027 31.18 12.5227 31.07 13.2027 31.07C13.8727 31.07 14.4877 31.18 15.0477 31.4C15.6077 31.62 16.0827 31.945 16.4727 32.375C16.8727 32.805 17.1827 33.33 17.4027 33.95C17.6227 34.57 17.7327 35.28 17.7327 36.08C17.7327 36.88 17.6227 37.6 17.4027 38.24C17.1827 38.87 16.8727 39.405 16.4727 39.845C16.0827 40.275 15.6077 40.605 15.0477 40.835C14.4877 41.065 13.8727 41.18 13.2027 41.18ZM13.2027 38.96C13.7927 38.96 14.2527 38.705 14.5827 38.195C14.9227 37.675 15.0927 36.97 15.0927 36.08C15.0927 35.19 14.9227 34.505 14.5827 34.025C14.2527 33.535 13.7927 33.29 13.2027 33.29C12.6127 33.29 12.1477 33.535 11.8077 34.025C11.4777 34.505 11.3127 35.19 11.3127 36.08C11.3127 36.97 11.4777 37.675 11.8077 38.195C12.1477 38.705 12.6127 38.96 13.2027 38.96ZM19.4784 41V31.25H23.0484C23.5784 31.25 24.0834 31.305 24.5634 31.415C25.0434 31.515 25.4634 31.695 25.8234 31.955C26.1834 32.205 26.4684 32.54 26.6784 32.96C26.8984 33.37 27.0084 33.88 27.0084 34.49C27.0084 35.09 26.8984 35.605 26.6784 36.035C26.4684 36.465 26.1834 36.82 25.8234 37.1C25.4634 37.37 25.0484 37.575 24.5784 37.715C24.1084 37.845 23.6184 37.91 23.1084 37.91H22.0584V41H19.4784ZM22.0584 35.87H22.9884C23.4984 35.87 23.8734 35.75 24.1134 35.51C24.3634 35.27 24.4884 34.93 24.4884 34.49C24.4884 34.05 24.3534 33.74 24.0834 33.56C23.8134 33.38 23.4284 33.29 22.9284 33.29H22.0584V35.87Z" fill="white"/></svg> </button> </div> <div class="footer__logo-group"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12962/logo.svg" class="logo--main" alt="OAIC logo"> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/freedom-of-information-requests-to-the-oaic" class="footer-logo" aria-label="OAIC sub-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0021/12963/logo2.svg" class="logo--sub" alt="OAIC sub logo"> </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/our-information-publication-scheme" class="footer-logo" aria-label="OAIC Information Publication Scheme"> <img src="https://www.oaic.gov.au/__data/assets/image/0026/91385/ips_white_text.png" class="logo--sub" width="120px" alt="Information Publication Scheme"> </a> </div><div class="footer__link-group"> <ul class="link-list"> <li><a href="https://www.oaic.gov.au/sitemap" class="footer-link" aria-label="Site map">Site map</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/copyright" class="footer-link" aria-label="Copyright">Copyright</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/terms-and-conditions" class="footer-link" aria-label="Terms and conditions">Terms and conditions</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy" class="footer-link" aria-label="Privacy policy">Privacy policy</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/accessibility" class="footer-link" aria-label="Accessibility">Accessibility</a></li> </ul> </div> </div> </div> <div class="footer__lower"> <div class="footer__util-group"> <div class="footer__contact"> <a href="https://www.oaic.gov.au/contact-us" class="contact--link" aria-label="Contact us">Contact us</a> <a href="tel:1300 363 992" class="contact--phone" aria-label="Call 1300 363 992">1300 363 992</a> <p class="contact--hours">Monday to Thursday 10 am to 4 pm (AEST/AEDT)</p> </div> <div id="footer_language_listing_13517"> <div class="footer__language-list"> <label for="languages">Translations</label> <select name="languages" id="languages" onChange="if (this.value.startsWith('https://www.oaic.gov.au')) window.location = this.value;"> <option value="">Please select…</option> <option lang="ar" value="https://www.oaic.gov.au/engage-with-us/translations/arabic">العربية</option><option lang="zh" value="https://www.oaic.gov.au/engage-with-us/translations/chinese">中文</option><option lang="el" value="https://www.oaic.gov.au/engage-with-us/translations/greek">ελληνικός</option><option lang="it" value="https://www.oaic.gov.au/engage-with-us/translations/italian">Italiano</option><option lang="es" value="https://www.oaic.gov.au/engage-with-us/translations/spanish">Español</option><option lang="th" value="https://www.oaic.gov.au/engage-with-us/translations/thai">ไทย</option><option lang="vi" value="https://www.oaic.gov.au/engage-with-us/translations/vietnamese">Tiếng Việt</option><option lang="EN" value="https://www.oaic.gov.au/engage-with-us/translations/easy-english">Easy English</option> </select> </div> </div> <div class="footer__social"> <p class="social--header">Follow us</p> <ul class="social-list"> <li> <a href="https://www.facebook.com/OAICgov" class="social-link social-link--facebook" aria-label="OAIC on Facebook"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0025/12958/facebook.svg" alt="OAIC on Facebook"> </a> </li> <li> <a href="https://twitter.com/OAICgov" class="social-link social-link--twitter" aria-label="OAIC on Twitter" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0026/12959/x-logo.svg" alt="OAIC on Twitter"> </a> </li> <li> <a href="https://www.youtube.com/user/oaicgov" class="social-link social-link--youtube" aria-label="OAIC on Youtube" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0018/12960/youtube.svg" alt="OAIC on Youtube"> </a> </li> <li> <a href="https://au.linkedin.com/company/office-of-the-australian-information-commissioner" class="social-link social-link--linkedin" aria-label="OAIC on Linkedin"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0019/12961/linkedin.svg" alt="OAIC on Linkedin"> </a> </li> <li> <a href="https://www.instagram.com/oaicgov/" class="social-link social-link--Instagram" aria-label="OAIC on Instagram" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/91364/Instagram_Glyph_White.svg" alt="OAIC on Instagram"> </a> </li> </ul> </div> </div> <div class="footer__content-group"> <p class="footer__content-header">Acknowledgement of Country</p> <p class="footer__content-text">The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.</p> <p class="footer__content-copyright">© Commonwealth of Australia</p> </div> </div> </div>   </div>   <div id="footer_js" style="display: none !important;"> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/runtime.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/main.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/js_file/0025/242791/custom.js"></script> <script> var lhsWrapper = document.querySelector('.lhs-wrapper'); if(lhsWrapper) { lhsWrapper.innerHTML.trim() === '' ? lhsWrapper.style.display='none' : ''; } //Readpeaker function readSpeaker() { var readButtonContent = ` <div id="readspeaker_button1" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=page-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fprivacy%2Fprivacy-assessments-and-decisions%2Fprivacy-decisions%2Finvestigation-reports%2Ftelstra-corporation-limited-own-motion-investigation-report"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; var readButtonSearch = ` <div id="readspeaker_button2" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=search-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fprivacy%2Fprivacy-assessments-and-decisions%2Fprivacy-decisions%2Finvestigation-reports%2Ftelstra-corporation-limited-own-motion-investigation-report"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; //for content pages var pageContent = document.querySelector('.page-content'); //for search pages var pageSearch = document.querySelector('.search-content'); if(pageContent) pageContent.insertAdjacentHTML('afterbegin', readButtonContent); if(pageSearch) pageSearch.insertAdjacentHTML('afterbegin', readButtonSearch); } readSpeaker(); </script> <script> function feedbackGrepCallback(response) { if (response.length > 0) { document.querySelector(".feedback__submit input").disabled = false } } function feedbackGrepExpiredCallback(response) { if (!response) { document.querySelector(".feedback__submit input").disabled = true } } </script> </div> <style> .page-content section.banner-grey-newsroom__wrapper, .page-content section.landing-page { display: none; } </style>   </body> </html>

CINXE.COM

Telstra Corporation Limited: own motion investigation report (2014) | OAIC