Mixed findings in Privacy Commissioner's Vodafone report

17.02.2011
The Privacy Commissioner's report into the of some four million Vodafone customers' billing and call records has found failings on the telco's behalf.

The report noted two key areas of the , NPP 2.1 and NPP 4.1, which applied to the incident.

NPP 2.1 states that organisations must only use or disclose personal information for the primary purpose for which it was collected, unless an exception under NPP 2.1 or otherwise applies.

NPP 4.1 states that an organisation collecting and holding personal information must take reasonable steps to protect that information from misuse and loss, and from unauthorised access, modification or disclosure.

"While the information available to the Privacy Commissioner showed that the reported incident was not a disclosure in breach of NPP 2.1, he considers that, at the time of the incident, Vodafone did not have an adequate level of security in place to protect the personal information it held in its Siebel system," the report reads.

"For that reason, Vodafone did not meet its NPP 4.1 obligations."