In an own motion investigation following media allegations that billing and call records for up to four million Vodafone customers were available on a publicly accessible website protected only by passwords that change every three months (see here), the Australian Privacy Commissioner has concluded that he could not substantiate the claim that Vodafone customers’ personal information was available on a publically accessible website.

However, he did conclude that Vodafone did not have appropriate security measures in place to protect customer’s personal information at the time. Consequently Vodafone was in breach of their obligations under the Privacy Act.

The Privacy Commissioner has no power to impose a penalty following an own motion investigation but Vodafone has undertaken to improve its data security measures.

The full investigation report is a useful example of how the Privacy Commissioner approaches this type of matter and his expectations for compliance with information security obligations.