Office of the Privacy Commissioner | Case Note 204348 [2009] NZPrivCmr 6 : Mobile phone on-sold without deleting previous owner's information
A woman bought a mobile phone for her teenage daughter, but the phone stopped working shortly afterwards. She returned the phone to the mobile phone retailer and received a replacement. She waited in the store while the retailer supposedly erased her daughter's information from the phone.
Around two months later, the woman's daughter received a text message from a friend. The friend said that a stranger had been sending her text messages asking about the daughter. The woman discovered that the mobile phone retailer had repaired her daughter's original mobile phone and had then on-sold it to the stranger. The phone still contained the daughter's contact list and photographs, and the stranger was using this information to try to find out more about the daughter. The woman was very concerned for her daughter's safety, and the daughter was upset that her details were in the hands of a stranger.
We contacted the retailer, and informed it that the woman's complaint raised issues under rule 5 of the Telecommunications Information Privacy Code 2003. This rule states that:
A telecommunications agency that holds telecommunications information must ensure:
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
(i) loss;
(ii) access, use, modification, or disclosure, except with the authority of the agency; and
(iii) other misuse; ...
The retailer unreservedly apologised for the incident. Its policy was to make every attempt to ensure that personal information was deleted when customers had phones swapped as part of the warranty process. However, this had not occurred here.
The retailer recovered the phone from the second owner, deleted the daughter's information and then destroyed the phone. It sent a message to all staff stressing that they must protect their customers' privacy by checking all phones and clearing all stored information. In addition, the retailer learned that the daughter was shortly to travel overseas. It gave her a new, more expensive, mobile phone that would work in the places she was to visit.
The mother was satisfied with the steps that the retailer had taken to address her concerns, and appreciated the way our staff had facilitated this resolution.
March 2009
Storage and security - mobile phone retailer - failure to delete original owner's personal information - settlement - Telecommunications Information Privacy Code 2003, rule 5