Alinta senior executive Daniel McLelland replied: “That’s correct, Senator.”
The Senate committee, chaired by Senator O’Neill, called Alinta, EY, Electricity Monster and the privacy commissioner, in response to a series of media articles written by The Age and The Sydney Morning Herald that revealed serious deficiencies in Alinta’s protection of the personal information of its customers.
It also revealed that some FIRB conditions still hadn’t been met and that Alinta’s relationship with EY didn’t pass the pub test when it came to independence.
Those conditions include that data – including bulk customer data, personal information or electricity or gas data – must be stored within Australia, can only be accessed within Australia and not be taken outside of the country. Third-party providers must also comply with the FIRB conditions.
The articles included a leaked June 30 internal audit by EY which said Alinta’s internal privacy controls and systems for protecting the personal information of its customers remained deficient, Alinta’s privacy wasn’t managed in a co-ordinated way, collection and consent of personal information was lacking in key areas, access to personal information wasn’t adequately monitored and controlled and at times “doesn’t meet the requirements of privacy laws”.
Alinta collects names, addresses, birth dates, mobile numbers, Medicare and passport numbers, credit card details and in some cases individual health information of more than 1.1 million customers.
The privacy commissioner told the Senate an investigation into the allegations continued.
When this is put into the context that Alinta made a net profit of $196 million in 2019 and pays out 70 per cent of that in profit to its owners, more pressure should have been brought to bear on the company to fast track these conditions.
At the time the articles were written Alinta said customer data was stored in secure data centres in Australia. It repeated that at the Senate hearing on Friday.
The articles had quoted an email from Alinta’s legal department in October 2019 that contradicted this. The email flagged potential issues with one of FIRB’s conditions that requires Alinta – and third party contractors – to store Alinta data in Australia. The email said Electricity Monster signed up retail customers, stored customer information in New Zealand and backed it up in Singapore. Electricity Monster was a third party contractor for Alinta, supplying them with retail customers.
The email said, “Electricity Monster does not currently have plans to provide an onshore data storage solution”.
However, Electricity Monster’s David Fitzgerald told Senator O’Neill that after the articles were published Alinta suspended its contract. He confirmed the issues raised in the October 2019 email were correct but that Alinta hadn’t told the company it was a FIRB condition to hold the data in Australia. He said once the article had been written Electricity Monster moved its data storage to Australia.
“It’s an easy thing to do,” Fitzgerald said.
The Senate also raised the hoary issue of potential conflicts of interest between consultancy giants and their clients. In this case it was Alinta and EY. But it was like pulling teeth getting information as the representatives of EY ducked and weaved and tried to hide behind jargon and professional standards.
Eventually EY confirmed it was Alinta’s internal auditor as well as doing internal projects such as the privacy review in June 2019 and the so-called independent review for FIRB.
When asked by Senator O’Neill if it was aware that legal advice had suggested that taking on the independent FIRB review could constitute a conflict, the response was the firm was unaware that such advice existed as the engagement partner on the project had left EY. According to LinkedIn, the partner in question left EY in April 2020, just after the issue had gone public.
When asked about various whistleblowers complaining that EY had asked them to water down reports to keep clients happy, EY partner Rob Locke denied it. “We are not in the practice of watering down reports,” he said, adding that the reports were “robust” and fact-based.
When EY partner Anton Ivanyi was grilled about his role as interim chief financial officer at Alinta, as described on his LinkedIn profile, he said: “I was not the interim CFO.” He did 25 hours a week at Alinta for four months but wasn’t aware that some of his colleagues were conducting an internal report into privacy. It takes embellishing resumes to a new level and undoubtedly gave the committee pause for thought.
The story of Alinta, its privacy and FIRB issues as well as its use of consultants raises some serious issues about what goes on behind the scenes with our critical infrastructure. As Senator O’Neill said “there is no transparency and because of that there’s no sunlight”.
Adele Ferguson is a Gold Walkley Award winning investigative journalist. She reports and comments on companies, markets and the economy.