Laws on retaining personal data need to be re-evaluated in light of the Optus hack, which revealed that some information was held for up to six years, the Institute of Certified Management Accountants ANZ says.
CEO professor Janek Ratnatunga said it was clear why Optus needed personal data, such as a driver's licence or passport number, to verify identity initially, but less obvious why it needed to retain that information afterwards. The problem, he said, lay with the rules.
“The reason given by Optus as to why the data was kept for six years is questionable,” he said.
“The only clear legal requirement to keep information for identification purposes comes from the Telecommunications (Interception and Access) Act 1979, which requires that identification information and metadata be kept for two years to assist law enforcement and intelligence agencies.”
“The big problem with Australia’s data retention laws is that there is really no limit on how long a company can keep personal data.”
The federal Privacy Act (Australian Privacy Principle 11.2) requires an entity to take reasonable steps to destroy or de-identify personal information "where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity", unless another law or court order requires it to be kept.
But professor Ratnatunga said this lack of a definite end date for retained information meant a company could hold on to it after it ceased to be relevant, leaving former customers exposed, as in the Optus incident.
Professor Ratnatunga said the sale of personal data held by businesses for advertising or marketing should also be examined.
“The deeper question that has gone largely unanswered by Optus is if it used customer personal data for social media and targeted marketing purposes, either directly or indirectly,” he said.
“If private data is sold to data brokers and other third parties then questions must be asked as to compensating those individuals who provided the data voluntarily or involuntarily.”
He said that accessing and mining consumer data had become a big business, but that it raised ethical questions.
“Rather than allow researchers, data brokers and other third parties to unscrupulously take, trade and hoard our data, regulatory bodies must collectively change the narrative by framing data appropriation as a theft of an asset,” said professor Ratnatunga.
“We as a society must collectively lay the groundwork for policies to make data mining and sale a legal and ethical issue.”
He said that new models of data ownership, protection and compensation were needed that reflected the role that data now played in society.
“If an artist who has a song on Spotify can be compensated every time that song is downloaded, there is no reason that an algorithm cannot be developed to compensate those in society (individually or collectively) for the use of data taken from them by invading their privacy,” said professor Ratnatunga.