According to the report, the question of whether the steps taken by Vodafone to protect personal information were reasonable in the circumstances was a subjective test based on particular risks within its business.

However, it did note that the use of store loginI identification, rather than individual login identification, added to underlying data security risk.

"The use of shared loginIDs reduces the effectiveness of audit trails to assist in investigations and access control monitoring, which are important steps for organisations in protecting personal information," the report reads.

"In practical terms, the use of shared logins means that anomalies may not be detected and if they are, they may not be able to be effectively investigated as the actions are not linked to an individual authorised user."

The report concedes that Vodafone did, on becoming aware of the alleged disclosures, act immediately to restrict access to personal information, commence an internal investigation the incident and review its data security practices.