The whistleblower was concerned about the poor protection of customer data inside Alinta and questioned the sale process of critical infrastructure to foreign companies.
Under privacy laws, companies must have the proper systems in place to protect customer and supplier information to mitigate the risk of a cyber attack that could result in identities being stolen or customer information misused.
One document, a June 2019 privacy compliance audit by its internal auditor EY, assigned Alinta a “red” or “significant” risk rating on key aspects of its privacy compliance. It said Alinta lacked proper oversight and structure to manage privacy and may not be adequately protecting personal information” and at times “doesn’t meet the requirements of privacy laws”.
The EY report said there was no framework to manage the company’s privacy obligations.
“This is likely to lead to personal information being inadvertently accessed or to the personal information data being used for a purpose other than the notified purpose (particularly in relation to the data analytics performed by the retail business intelligence team),” the report said.
Alinta declined an interview request but…
