With the world becoming more digital and people seeming to want more and more information, it’s hard to know how to protect information about yourself.
After the Optus data breach, people were told that not only were their names, addresses or phone numbers leaked, but also numbers on drivers’ licences, passports and Medicare cards.
It raises the question why a telco needed all that information in the first place.
The problem extends beyond telcos. If you’re a renter, think about what information you had to supply the last time you applied for a property. Not just identity documents but background checks, bank statements, employment history and who knows what else.
Read: Why cost-of-living pressures bite pensioners the hardest
Any one piece of this information falling into the wrong hands might not be much cause for concern, but combined this would make identity theft much easier or at the very least add some validity to otherwise easy-to-spot scam emails.
What information are companies actually allowed to ask you for, and what should you tell them?
Australian privacy laws are governed by the Privacy Act 1988. This Act includes the Australian Privacy Principles (APP). These are guidelines on the collection, management and use of personal information. They apply to government agencies such as Centrelink and the Australian Taxation Office, plus organisations with an annual turnover of more than $3 million. This would include most telcos but not all smaller businesses asking for your info, the theory being that no-one will hack smaller businesses.
The main takeaway of these principles is that organisations can only collect personal information where it is reasonably necessary for the organisations’ functions and activities.
Read: Is Age Pension indexing about to go monthly?
The problem with that of course is that ‘reasonably necessary’ is not tightly defined.
But if you have concerns about what you are being asked to provide, it’s up to the agency or business, which are subject to the Australian Privacy Principles, to prove they need the information rather than you to prove they don’t need it.
If you’re not sure whether the company you’re dealing with is covered by the act, you can find a detailed list of who must comply here and a list of small businesses that have decided to opt in anyway here.
Unfortunately, if an organisation isn’t an agency or business subject to the Australian Privacy Principles, there’s not much stopping them from asking for any information they want. You can check to see if they have their own privacy policy on their website, but they aren’t even required to do this.
While you have the right not to supply personal information, agencies and businesses also have the right not to take your business.
Read: Is money in the bank really as safe as houses?
The Office of the Australian Information Commissioner is responsible for enforcing these principles and can rule that certain information is not necessary. It has done this before when someone applying to open a bank account was asked about their marital status and again when a medical practitioner photographed a patient to add to their medical file.
Theoretically, these rules should work fairly well to limit the amount of information that can be collected, to ensure it’s stored properly and to limit the length of time that the information is kept. But unfortunately, the rules aren’t well enforced, which is what leads to big leaks such as happened with Optus.
A review of the Privacy Act was started in 2020 and the new attorney-general Mark Dreyfuss is now pushing for these reforms to be passed by the end of the year.
The discussion paper for this review proposed such changes as expanding the definition of personal information, strengthening consent requirements and introducing a ‘right to erasure’ of personal information that should start to put more power back into the hands of the consumer.
Paul Versteege is policy manager at the Combined Pensioners and Superannuants Association. This article is republished with permission.
Have you ever questioned the need for personal information being requested by a business or organisation? Will you do so after recent hacking incidents? Why not share your thoughts in the comments section below?
