01 July 2012

Regulatory Kabuki

Under the heading 'Privacy Commissioner Timothy Pilgrim will probe Telstra's culture in light of privacy breach' Andrew Coley in The Australian announces that "Federal Privacy Commissioner Timothy Pilgrim wants to delve into Telstra's operational culture to work out why it breached privacy law by making customer URLs visited available to a US company".
PRIVACY tsar Timothy Pilgrim says he's on the lookout for systemic privacy weaknesses in Telstra's operational culture after finding the telco had breached parts of the Privacy Act.
Mr Pilgrim revealed his concerns today after handing down findings of his six-month investigation into a major privacy breach by the carrier last December when it left 734,000 customer records exposed on the internet. 
The Federal Privacy Commissioner found that Telstra breached parts of the Privacy Act requiring companies to protect customer information from unauthorised disclosures. 
The Commissioner's heartfelt concern was arguably not expressed quite so clearly in the OAIC media release noted earlier this week.

The article states that -
[Telstra] was again this week briefing the Commissioner after it admitted sending information about its Next G customers' web browsing habits to a computer security firm in the US. 
"In terms of this investigation, what we're saying is that we think there are some identifiable problems in how their privacy processes have been applied in the particular instance. 
"What I am considering with other issues that are ongoing is the question of whether there is a broader issue here. That's something I will consider in terms of this (breach) and the more recent allegations about the other system at the moment," Mr Pilgrim said.  
"This breach certainly highlighted a problem with how they followed through their procedures to basically bolt in privacy and whether they did that in accordance with their policies. It doesn't look like they did," Mr Pilgrim said.
"What I want to analyse now is whether this is an issue that's common to other matters that have been brought to my attention," he added.
It is unclear whether we'll see more than the standard regulatory theatre: the Commissioner indicates that he will "consider", Telstra expresses "regret" and indicates that yet another incident is unrepresentative, and no attention is paid to entities that are not currently under the spotlight. Telstra's commitment to privacy protection is debatable. So is that of its competitors.

The weak response by the Commissioner to the Vodafone data breach and to Telstra's performance suggests that we are not going to get much more than a rather lame version of kabuki: the OAIC is "on the lookout" but nothing happens, and a stated desire to "delve into Telstra's operational culture" results in no change.