Telstra has moved to re-assure customers that their phone conversations are kept private and would be only accessed if a police warrant was in place for a particular customer.
Speaking at the Gartner Security and Risk Management Summit in Sydney this week, Telstra CISO Mike Burgess told delegates that the Telecommunications Interception and Access Act means it has to provide interception capabilities for “lawful purposes" in Australia.
“Their conversations are not listened to by anyone unless there is a warrant in place. We will ensure our customer data remains private,” he said.
Telstra’s chief risk officer Kate Hughes added that the company has “very strict governance processes” in place so that it is not giving information to law enforcement that is incorrect or allowing authorities to go on a “fishing expedition”.
The comments come after a proposal was announced by the federal government in August 2014 to introduce data retention legislation.
Communications minister Malcolm Turnbull has said that the proposed data retention laws would require Internet service providers to retain records of the IP address used by customers of their service — not the IP addresses of websites visited by customers.
Turning to privacy, Mike Burgess acknowledged that the telco had “made mistakes” when it came to customer privacy in the past.
In May 2014, he told CIO Australia that Telstra had taken steps to tighten up security controls following three data breach investigations launched by Australian Privacy Commissioner Timothy Pilgrim since 2010.
Pilgrim’s last investigation occurred following an incident in May 2013 when it emerged that 15,775 phone numbers, names and home addresses contained in spreadsheets were found online via a Google search.
Burgess said that privacy is top of mind for everyone at Telstra.
“With regards to the privacy and security for customers who use our networks, that is frontline. My team’s objective is customer privacy but we are not perfect and do make mistakes.”
According to Burgess, Telstra is one of the largest credit card transactors in Australia. The telco holds a lot of personal information as it is delivering that credit card service to customers and the security team is responsible for keeping that data safe.
Turning to the Privacy Act changes, which came into effect in March 2014, Hughes said that the company had been preparing for the changes for about 15 months.
“It was certainly a view at the customer level we had disappointed some customers. [CEO] David Thodey has been really clear with every employee at Telstra- privacy is not negotiable,” she said.
Follow Hamish Barwick on Twitter: @HamishBarwick Follow CIO Australia on Twitter and Like us on Facebook… Twitter: @CIO_Australia, Facebook: CIO Australia, or take part in the CIO conversation on LinkedIn: CIO Australia