Storage of personal details

Over the last few months, I have received two requests from Vodafone for feedback on my recent transaction. The only problem is that I closed my account with Vodafone more than two years ago and made no such transactions. It might be that, in their system, I did not take all the necessary steps to request that my details be removed from all the nooks and crannies of their computer records, but this makes me uncomfortable in the current environment of heightened security against data breaches.

Similarly, two smaller private businesses continued to send me advertising after I had unsubscribed from their mailing list, having moved out of town. This is a reflection of the troubling experience of a government-linked agency mailing out a card to me at an old address, despite my having changed my address with the government service provider and dealt with them at my new address for more than a year, and of another government agency still placing me in a town I had left years before. This means I am floating around the digital ether at different addresses, driving different cars and who knows what else. Perhaps that gives me a measure of security by confusion!

I can understand that separation of records can enhance security by reducing access to hackers as well as produce this effect of the right hand not knowing what the left hand is doing. However the overall effect on me is that I feel as if businesses and other agencies I have dealt with might well have enough information about me to start an identity theft process if their systems are not as secure as they think they are.

Do we need oversight of software manufacturers to build in a requirement for business systems to automatically delete data which is not refreshed by the consumer after 12 months? Do we completely trust the security of only the government departments and agencies which need a historical perspective of us to perform their functions (e.g. ATO, Medicare)? Do I suffer from too much digital anxiety?

In the days when people stored cash in tins buried in the garden or whatever, I suppose this reflected a fear of bank crashes. How can we provide similar safeguards to the ones introduced to stabilise banking now that our resources and assets are digitised, while compensating the ordinary consumer who cannot reasonably be expected to safeguard against international fraud?

In my opinion that would be unreasonable (assuming you mean 12 months for an account that has not been closed).

How about first we just get the existing law enforced? The Privacy Act already contains provisions about old data pertaining to closed accounts but perhaps the language is too loose, allows too many loopholes, or perhaps business just ignores the law.

The other problem we have is that government legislates too many exemptions to force companies to keep data even after the customer has closed the account, data that is kept for the benefit of the government.

A lot of digital anxiety is grounded in reality.

Yes. It seems to me that the logical extension of that is that enforcement of standards is more helpful for the ordinary consumer than trusting different businesses to invent their own methods and “self-regulate”. I was pondering what might be a clumsy way to achieve that by requiring software companies to build in a safeguard, understanding that, like other laws, it can only be enforced in a clear breach. As a society we need to exercise the right to control freedoms which cause others significant harm.

This is not a “software company” issue.

This topic has been discussed in this forum before, but I will repost for the record: there are legitimate business scenarios where a closed account should not be deleted, e.g.

  • they still owe you money
  • you still owe them money
  • there is an unresolved dispute between you and them

In addition, whatever warranty period is being offered (X years), it may make sense for a business to retain records for that period even if you have ceased doing business with them and requested your account to be closed.

Maybe the OAIC needs to run with this, i.e. to work out when the existing law is working and when it isn’t working, and in the latter case, why not, and whether further legislative changes are needed.

Completely removing all information about an ex-customer is not as simple as some would think.

For a start, various laws exist that require companies to retain information about customers for varying amounts of time, whether or not they are active customers.

Information about customers is held in many places, often maintained by different support groups using different applications and databases. Information may well be held by third parties outside a company’s control.

Deletion of data out of databases can cause ‘delete anomalies’ unless very carefully designed. For the technically minded, that means at least normalised to Boyce-Codd level in relational databases.

Unless the databases are fully dynamic, deletions will leave ‘holes’ that will need periodic reorganizations to fix. And that means offline.

Do you invalidate backups because, if used for a recovery, deleted information would be reintroduced? I think not.

Much more sensible would be to flag the customer information as inactive, and leave it there.

You had me until the last sentence. All good points about the technical issues.

As a matter of interest, the Privacy Act allows a business to de-identify information rather than deleting it. In some respects, that may be easier in terms of addressing the technical issues that you raise. However if it were my business, I would just delete. (De-identifying presumably also allows information to be retained in an aggregated form, whether or not the underlying information is de-identified or deleted.)

De-identifying is no use. If the Gov comes asking about a person of interest and account and identification documents, they need to be connected.

Now when I say better to just leave the information there, I don’t mean in plain sight; I mean flagged as archived, or index entries removed and no longer available to applications. So your marketing team can’t include it in mailouts, and your online apps have no visibility of the info.

Only available to special admin applications for database management purposes.
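As an added illustration (not code posted by anyone in this thread), the following Python script using the standard `sqlite3` module models the three options discussed in the two posts above: a hard delete that the database refuses while dependent records (an unsettled invoice) still reference the customer, an ‘archived’ status that removes the row from the view ordinary applications read while an admin query can still see it, and de-identification that blanks the identifying fields but keeps the row and its linkage. The table and view names, the status values and the two sample customers are my own constructed assumptions, not anyone’s real schema or data.

```python
import sqlite3

# Constructed sample rows (fictional people, not real data).
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.com", "12 Old Street, Oldtown"),
    (2, "Bob Example", "bob@example.com", "34 New Road, Newtown"),
]

# Hypothetical schema: status is the 'inactive' flag the post describes.
SCHEMA = """
CREATE TABLE customer (
    customer_id    INTEGER PRIMARY KEY,
    name           TEXT NOT NULL,
    email          TEXT,
    postal_address TEXT,
    status         TEXT NOT NULL DEFAULT 'active'  -- active | archived | deidentified
);
CREATE TABLE invoice (
    invoice_id   INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customer(customer_id),
    amount_cents INTEGER NOT NULL,
    settled      INTEGER NOT NULL DEFAULT 0
);
-- The only surface marketing and online apps are given; archived rows vanish from it.
CREATE VIEW active_customer AS
    SELECT customer_id, name, email, postal_address
    FROM customer
    WHERE status = 'active';
"""


def open_db():
    """In-memory database with foreign keys enforced and the sample data loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customer(customer_id, name, email, postal_address) VALUES (?, ?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    # Customer 1 still has an unsettled invoice: money is owed one way or the other.
    conn.execute("INSERT INTO invoice(customer_id, amount_cents, settled) VALUES (1, 5000, 0)")
    conn.commit()
    return conn


def has_open_business(conn, customer_id):
    """True while any invoice for the customer is unsettled."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM invoice WHERE customer_id = ? AND settled = 0", (customer_id,)
    ).fetchone()
    return count > 0


def archive_customer(conn, customer_id):
    """Soft delete: the row stays for admin and recovery purposes, apps no longer see it."""
    conn.execute(
        "UPDATE customer SET status = 'archived' WHERE customer_id = ? AND status = 'active'",
        (customer_id,),
    )
    conn.commit()


def deidentify_customer(conn, customer_id):
    """Blank the identifying fields but keep the row and its invoices; refused while money is owed."""
    if has_open_business(conn, customer_id):
        return False
    conn.execute(
        "UPDATE customer SET name = '[removed]', email = NULL, postal_address = NULL, "
        "status = 'deidentified' WHERE customer_id = ?",
        (customer_id,),
    )
    conn.commit()
    return True


def hard_delete_customer(conn, customer_id):
    """Physical delete; the foreign key makes the database refuse while invoices reference the row."""
    try:
        conn.execute("DELETE FROM customer WHERE customer_id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def visible_to_apps(conn):
    """Customer ids an ordinary application can reach through the view."""
    return [row[0] for row in conn.execute("SELECT customer_id FROM active_customer ORDER BY customer_id")]


def admin_lookup(conn, customer_id):
    """What a database-management tool with access to the base table still sees."""
    return conn.execute(
        "SELECT name, status FROM customer WHERE customer_id = ?", (customer_id,)
    ).fetchone()


if __name__ == "__main__":
    db = open_db()
    archive_customer(db, 2)
    print("apps see:", visible_to_apps(db), "admin sees 2:", admin_lookup(db, 2))
    print("hard delete of 1 allowed:", hard_delete_customer(db, 1))
```

The view is the whole point of the ‘flag as inactive’ approach: applications are granted the view rather than the base table, so an archived customer cannot be swept into a mailout, while the base row (and the invoice that references it) is untouched and survives a restore from backup without being ‘reintroduced’.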

The government overrules all of this anyway. Of course if the government has legislated that a business has to retain data, then the business has to retain data. The assumption is that the business is not obligated to retain data; then the question arises as to whether the business is obligated not to retain data.

The Privacy Act says that a business, under these circumstances, must delete or de-identify but I don’t know how well that is being enforced (leading to data breaches being larger than they need to be).