Telstra IT system failings, human error endanger structural separation compliance

Telstra breached its SSU several times over the year, with instances where IT system failings and human error led to overlap between the telco's retail, wholesale, and network services arms.

Telstra's Structural Separation Undertaking (SSU) FY15 compliance report has been tabled in Parliament by the Australian Competition and Consumer Commission (ACCC), with the regulator finding that while Telstra has improved its level of compliance, several breaches did occur due to human error and failing IT systems.

Every year, the ACCC must look into whether Telstra has kept to its SSU commitments until the National Broadband Network (NBN) rollout is complete and all services have been migrated from the Telstra fixed-line network to the NBN.

The breaches recorded by the ACCC [PDF] for the most recent financial year related to disclosing to its retail business confidential or commercially sensitive wholesale customer information obtained while supplying regulated services; failing to maintain separation between its wholesale, retail, and network businesses; failing to comply with transparency reporting requirements; and blocking the process of service orders for migration to the NBN.

Most of the breaches were attributed by ACCC chair Rod Sims to failings in Telstra's old systems and manual processes, as well as to staff errors.

"These compliance issues largely arise due to Telstra's legacy systems not being designed to deliver the outcomes required by the SSU, or errors made by Telstra staff in performing their day-to-day work," Sims said on Friday.

"Telstra has made progress towards addressing key issues during the year, particularly in relation to its IT systems and processes to better safeguard against disclosure of protected wholesale customer information."

Specifically, one breach occurred due to "human error", when a retail business employee was included on a wholesale business chain email; one where a retail business employee called a network services business employee thanks to "individual error"; one where a Telstra employee moved from wholesale to retail but was kept on an email alias; four where Telstra found that wholesale information was visible in a retail business IT system, application, portal, or phone system; one where call centre staff members potentially had access to both retail and wholesale customer information; and one when Telstra retail staff inadvertently made use of a meeting room inside Telstra's wholesale business premises "without being appropriately escorted".

As a result of the SSU breaches, the ACCC has been working with Telstra to improve its IT systems and processes, ameliorating the impact of SSU breaches, and monitoring its progress. This included an independent review of Telstra's IT systems, which kicked off in March last year.

Telstra also reported several breaches of its Migration Assurance Policy, including on one occasion publishing a disconnection schedule for its customers less than five business days after being told by NBN, which was caused by "human error"; publishing disconnection notices for retail customers less than three months in advance due to IT system failings; experiencing a "small number of instances" where Telstra reconnected copper services after they had been permanently disconnected; reporting "some instances" when, due to "data quality issues and human error", Telstra connected services despite those premises being NBN serviceable; and missing by several days the disconnection dates for some premises.

"Telstra has further advised that five disconnection dates were passed during 2014-15, impacting 73 NBN Rollout Regions," the ACCC added.

The SSU, which governs how the telco's wholesale business is to function during the rollout of the NBN and commits it to structurally separating its wholesale and retail businesses by 2018, was accepted by the ACCC in February 2012 after the regulator rejected Telstra's first attempt at the document.

Four years after this, the Australian government released in February 2016 its final Migration Assurance Policy, detailing the process for customers to transition from Telstra's legacy copper network to the fixed-line NBN.

The final policy calls for migration data and information to be shared between Telstra Wholesale, NBN, retail service providers (RSPs), application service providers (ASPs), and other involved parties in a way that will promote efficiency "while respecting confidentiality and privacy".

Data to be shared includes the fixed-line footprint list, which outlines all premises that have been or will be passed by NBN's fixed-line network; the historical footprint list, which contains details on premises that can be served by the NBN; Telstra's disconnection list; service and location identification data; order information between Telstra and its customers, and between RSPs and NBN; and information on Telstra's active copper and hybrid fibre-coaxial (HFC) services.

Telstra is also required to provide its wholesale customers "on a best efforts basis" with information on which customers are close to reaching their disconnection date, so that they can be assisted in their transition to NBN services.

In September 2014, Communications Minister cum Prime Minister Malcolm Turnbull began consultation to modify the migration process after the original May 2014 deadline to get residents off the legacy copper had failed. Three months after that deadline, there were premises in the first 15 regions "still subject to the migration process" as a result of poor coordination and communication between NBN and RSPs, and inadequate construction that prevented premises that had been passed by the NBN to actually connect to it.