Data breaches and identity theft: what right to privacy do you have?

Article published 14 October 2022


With the world becoming more digital and people seeming to want more and more information, it’s hard to know how to protect information about yourself.

After the Optus data breach, people were told that not only were their names, addresses or phone numbers leaked, but also numbers on driver’s licences, passports and Medicare cards.

It raises the question of why a telco needed all of this information in the first place.

The problem extends beyond just telcos. If you’re a renter, think about what information you had to supply the last time you applied for a property. Not just identity documents but background checks, bank statements, employment history, and who knows what else.

Alone, any one piece of this information falling into the wrong hands might not be much cause for concern. But combined, it would make identity theft much easier or, at the very least, add some validity to otherwise easy-to-spot scam emails.

What information are companies actually allowed to ask you for, and what should you tell them?

Australian privacy laws are governed by the Privacy Act 1988.

This Act includes the Australian Privacy Principles (APP). These are guidelines on the collection, management and use of personal information. They apply to government agencies like Centrelink and the ATO, plus organisations with an annual turnover of more than $3 million. This would include most telcos but not all smaller businesses asking for your info, the theory being that no one will hack smaller businesses.

The main takeaway of these principles is that organisations can only collect personal information where it is reasonably necessary for the organisations’ functions and activities.

The problem with this of course is that ‘reasonably necessary’ is not tightly defined.

But if you have a concern about what you are being asked to provide, it’s up to the agency or business that is subject to the Australian Privacy Principles to prove they need the information, rather than up to you to prove they don’t.

If you’re not sure whether the company you’re dealing with is covered by the Act, you can find a detailed list of who must comply here and a list of small businesses who have decided to opt in anyway here.

Unfortunately, if an organisation isn’t an agency or business subject to the Australian Privacy Principles, there’s not much stopping them from asking for any information they want. You can check to see if they have their own privacy policy on their website, but they aren’t even required to do this.

While you have the right not to supply personal information, agencies and businesses also have the right not to take your business.

The Office of the Australian Information Commissioner is responsible for enforcing these principles and can rule that certain information is not necessary. They’ve done this before when someone applying to open a bank account was asked about their marital status and again when a medical practitioner photographed a patient to add to their medical file.

Theoretically, these rules should work fairly well to limit the amount of information that can be collected, to ensure it’s stored properly and to limit the length of time that the information is kept. But unfortunately, the rules aren’t well enforced, which is what leads to big leaks, like what happened with Optus.

A review of the Privacy Act was started in 2020 and the new Attorney-General is now pushing for these reforms to be passed by the end of this year.

The discussion paper for this review proposed changes like expanding the definition of personal information, strengthening consent requirements and introducing a ‘right to erasure’ of personal information, changes that should start to put more power back into the hands of the consumer.

For more information please email our media contact at
