Handle with care

Privacy. It’s such a simple concept, so why does it have to be so complex in reality?

I reckon most of us have pretty simple expectations about how organisations use information that could affect our privacy. They should be upfront about what information they’re collecting and how they’ll use it, and they shouldn’t use it unfairly.

Unfortunately, that’s not what the law requires. Under the Privacy Act, businesses have a lot of latitude to decide what information they collect and how they use it. Unless it is ‘sensitive’ information – such as information about your health– they don’t need you to ask for your agreement. In most cases, they can decide their own rules through what they put in their privacy policy.

I don’t know if you have ever bothered to read the privacy policy of a large business, but they’re often encyclopaedic in scale. A few years ago, we hired an actor to read the privacy policy for Amazon Kindle. Coming in at over 73,000 words at the time, it took our professional script reader almost nine hours to get through the whole thing.

Our objective was to point out how absurd it is to allow a business to cover its back in this way – if a business’s terms and conditions are so complicated that you couldn’t expect an average person to digest them, the business should not be able to rely upon them.

One way to fix this would be to have much clearer rules in the Privacy Act about what can be collected and how it can be used. If the law was stronger, privacy policies would play a much smaller role.

But even if we fixed that problem, our privacy laws would still be riddled with loopholes that allow some businesses to evade them.

Most businesses with turnover under $3 million per annum, for example, are exempt from the Privacy Act, meaning they can collect whatever they want, with few consequences if something goes wrong. Small businesses such as real estate agents hold a lot of information that could cause embarrassment or harm if disclosed. It’s time to think about whether that’s still appropriate.

With a review of privacy legislation underway, the government has an opportunity to design the kinds of laws we need to protect us in a world where large amounts of information are being collected about us everyday, often without us even knowing.

Now more than ever, we need strong, simple laws that capture all businesses, regardless of size, and that ensure the amount of personal information businesses collect is kept to a minimum and can only be used in ways that genuinely help us.

I believe a more pressing issue that the government needs to address is businesses holding personal information, often at times as a requirement of legislation/statutory requirements. This means that one’s private information is scattered all over the internet and held by businesses, one hopes, has good controls in place to prevent the data being breached and released.

1. Government requires business to keep records, but does nothing to assist business in minimising the amount of information collected nor stored.

2. Government has available systems in place (such as IDMatch) to remove the requirement for businesses to collect and hold key personal information which can be used for illegal purposes when in the wrong hands.

3. Business have a belief that data is invaluable and increases the worth of a business. This linkage needs to be broken as it encourages business to retain personal data indefinitely.

The recent major breaches at Optus, Medibank, Latitude, Universities, Government Agencies (e.g. Tasmania) and the list goes on demonstrates that the existing system is broken and that it invites criminals to ‘hack’ the data for their own criminal activities.

I personally point the finger at government rather than business for the current predicament we are in. With changes in security legislation in the past couple of decades, the government suspects that any citizen could carry out something illegal and ‘data’ is needed to substantiate prosecution cases. This means that business is collecting vast amounts of personal data for government on the very off chance it is needed by government in the future. Businesses are not experts in data management, and why we now have the breaches we have.

Any changes in the privacy legislation should also ensure that government provides the tools to allow businesses to minimise personal data collection. If data collection and record keeping is mandated by government, the privacy legislation should make government ultimately responsible for its collection and storage.

I experience this frustration more when ordering online I am directed to a new processing agency, which has reams of legalese to wade through in the time frame before which the original request is cancelled. Perhaps what is required is a standardised statement of basic requirements to process the client’s request, summarised in straightforward language and available for download in the full form, then any extra requests peculiar to the individual business. Some websites offer a version of this, but it should be manageable to mandate a form of this concept for any website selling in the country. How to enforce it might be another matter.

I do often wonder if such legislation is actually to blame or simply business misinterpreting it or ‘over achieving’.

Does legislation really force Latitude to retain proof of identity for customers that they deemed not credit worthy and moved onto the next day.
They want credit ready customers, if prospective customer was rejected; case closed delete all the calculating records beyond package Application Unsuccessful nothing there can hint at irresponsibly lending.

Latitude are required to prove the customers you do have are credit worthy and means to meet lenders act, you are a responsible lender to customers you have Approved.

I personally doubt that even a name should to be retained with such an Application Unsuccessful Records after a period of Retention.
Nor do i believe business are explicitly told must retain all the crumbs and seeds they do including incomes, 3rd party inputs, theories, photos, identity document numbers once beyond a final result Pass Fail is known.

I expect legislation says business must perform precise steps ABC to consider eligibility to borrow and to what amount,
A business needs to know if a customer has a +ve or -ve credit rating, before generating a customer relationship, product or document. and income at time of application

The business should only retain that Rating Pass +ve or FAIL -ve, not all the crumbs and seeds used to come to that Rating.

Business misinterprets that evidence of performing Steps ABC due diligence is to retain the actual values gathered during Steps ABC along with the result.
Or they are simply greedy and retain Joes annual income declaration from old loan so they can upsell or cold call product offers in future.

I could only imagine if the Legislation is as these Business claim, applied to the Road Authority and the Highway Police
our roadside interaction would look much like this.

*Licence please, have you consumed any alcohol this evening sir?*
yes officer ; One glass wine for lunch; **hands over Valid VicRoads issued drivers licence**
*May i have your birth certificate, proof of residence, copy of recent utilities bills, proof of income, proof of Learner and probationary licence drivers completions 
I also will require any VicRoads doctor medical letters, the documents that pertain to that letter including X-rays, eye exams, cardiogram, mental acuity tests and toxicology reports as evidence that this licence is in fact valid?*

The cards presence and date of expiry and systems VicRoads licence Suspension (Yes or No) status is already evidence those prior seed documents, certificates tests exist were valid else the licence would not exist in Active Status. There is Zero reason to ask for let alone retain more.

If businesses are NOT capable to understand distinction proof of the activity and retaining every damn crumb of information
They should be banned from collecting information period
A Government body be used for the processing of personal records and disseminating a Score Result to the Business a True or False value.

It is possibly a bit of both.

For example, AUSTRAC legislation requires records of what what identity documents were used for customer verification purposes. This is for any customer where an account is opened. These records must be kept for 7 years after the person is no longer a customer. For a 30 year home loan, this would be a maximum of 37 years or for an application for say a service which wasn’t fulfilled, a maximum of 7 years after the application decision was made (either by the customer or organisation). This also includes unsuccessful applications.

I agree that recorded need for unsuccessful applications or where a customer cancels an application before a service starts should not be kept. An account may have been opened as part of the application process, but possibly no service was fulfill. This is something the government needs to answer.

Businesses don’t have a statutory obligation to maintain identity records after these timeframes, so questions should be asked why any record after the mandated 7 years are kept. This is where a business could be seen to misuse the customers records or be negligent, noting a court (or new legislation) would only be able to determine this.

The Government’s ID match system negates the requirement for a business to collect and store copies of identity documents. A transaction code held by the financial institution is used to link the identification record to those records held by government. A transaction code would have limited interest to a criminal and governments already store identity documents electronically so why get businesses to store copies. One hopes or must place trust that government storage systems are secure - they possibly will be far more secure than most businesses.

I believe the government is a sleep at the wheel and possibly thinks identity record keeping hasn’t been a vote winner. This has changed in the last 12 months with state sponsored hackers breaching the past government sanctioned data collection system… where businesses are required to keep copies of identity documents used for verification purposes.

There are many example of businesses not required to keep records under AUSTRAC, but are required do so by other legislation (telecommunications, medical, etc). Some have no mandated requirements.

The question needs to be asked why organisations which aren’t mandated keep identify document records. Surely providing using something which is already verified (phone, bank account for say verifying text or a bank transfer reference attached to a $0.01 deposit) is sufficient to verify a customer identity.

It’s not just the type, and amount of information collected and then used, and how and where it is stored that is the problem. As the recent big data breaches have shown, the length of time that information is retained is also a major issue. I was caught up in the Optus fiasco and yet I had not been an Optus customer for over 10 years. Not to mention that any data I had provided (apart from the ongoing account charges & payments) would have been at least 10 years before that! Why was it necessary to retain identification information so long after all connection ceased? The same situation has arisen with Lattitude where customers who were originally with GE Money probably had no idea their information was passed to Lattitude when GE Money was bought out, especially if their loans had already been discharged. It is understandable that a potential ccustomer should prove who they are when applying for crrdit of any kind. However, once the organisation has approved the loan (credit card, car loan, mortgage, phone account, store card etc etc) then surely all the extraneous documentation should be destroyed at that point.

I agree we need to capture businesses of any size in provacy legislation. As an example, when I was looking to buy a unit I, like most people registered with real estate agents for the sole purpose of them sending me detials of appropriate property. A few years later, I received a ‘sponsorship’ request from an individual at one of those real estate agencies who was taking part in some event and was raising money for a charity (e.g. a running event). I was furious that my details were being usedd for a purpose that I did not agree to. I complained to the agency and was basically asked why I was annoyed and why didn’t I want to support the nominated charity etc etc. I complainted to the Privacy Commission obly to be told that the laws did not apply to companies with less than that $3m turnover. I said they abuser is a real estate agent with far higher annual turnover than a paultry $3m (that wouldn’t have bought a single house in the area). But all to no avail. This was a clear abuse of my personal information but there was (and there is still) no redress.

Turnover (tax assessable) for a real estate business is what they earn in commissions, selling fees, etc (ordinary income). The total value of the property sales as selling agents is a measure of the business success. Although sometimes referred to as turnover it’s an exaggeration/misconception.

As previously noted.

Having been through a recent property sale the agent required photo ID, (DL images), full personal details including dob, contact phone numbers, email, home address, and bank account for the balance of the purchaser’s deposit. Consider also rental agencies are likely registered as a seperate part of any RE business and hold more sensitive information including employment and income information. That information is also often shared with a rent card service provider.

Many smaller businesses with an annual turnover of less than $3M hold or have access to sensitive personal information. This includes customer and employee records.

Why there is an exemption for businesses with a turnover of less than $3M exemption limit was a political decision. It could have been made differently. There are approx 2.6M small businesses in Australia. 92.6% have a turnover of less than $2M annually per the ABS (2022). How many hold or collect personally sensitive information and benefit from the exemption?

A large percentage of that 92.6%, most likely.

Businesses such as real estate agents are typically franchises of a large network. These businesses share data quite freely between individual agencies. In the first instance, they should be rated on the aggregate business network size for turnover exemption purposes. If they want exemption, they must not share identifiable data except as required by statute.

The argument that “small business” should be exempt from privacy legislation is nonsense, but it is certainly political. Governments of all colours pander relentlessly to the small business sector.

There should be a standard privacy regulation to cover the retention, use, and protection of business data, including customer data, with no exceptions. It should be written to protect consumers the data belongs, and who carry the risk of damage when it’s leaked or otherwise abused. It should not be written to disclaim business obligations that ought to be obvious - i.e. their duty of care, since they are in control of the data they hold.

The various levels of government have failed to grasp this situation, and Australia has developed a woeful corporate culture of lax data protection and data hoarding as a result.

One would hope that the larger businesses ($3M+) would have the means to implement strong security systems to maintain privacy of personal information from hackers. Clearly, recent events have shown that this isn’t the case and legislation needs to impose heavy fines on those that do not. And make it mandatory to report privacy breaches immediately so that those affected are made aware of the potential fallout.

Of more concern are the multitude of small businesses that are allowed to ask for and keep all sorts of personal information and keep it for as long as they please. These businesses would rarely have any idea of how to implement strong security over that data. Strong, audited security systems should be a legal requirement before such businesses are allowed to keep any private information.

The issue of what data companies should be allowed to collect and how long they should be allowed to keep it needs to be addressed urgently.

@AlanKirkland I don’t think many would disagree with what you’ve written. However, I’m sorry but the point escapes me; are you asking a question, seeking to stimulate discussion, or something else?

‘Privacy’ is actually an outcome hence it needs enablers, and its key enabler is security. No matter how strict the privacy legislation, if the gatherers of your data have poor security there won’t be any privacy noting that online transactions all require some type of personal data to be processed.

Most of the serious previous privacy breaches of late aren’t due to the legal on-selling of data from one vendor to another, they’re due to criminal activity in the form of hacking which has been made possible by woefully poor information security legislation and even worse compliance. These events have much more potential to harm victims than the on-selling of information by vendors for advertising or similar purposes, which I also agree simply shouldn’t occur.