The Optus data breach demonstrates that our private data has not received the practical or legal protections that are required in our interconnected society. This particular episode is, however, only the tip of the iceberg.
The three key categories of personal information that were contained in the Optus data breach – drivers license number, Medicare number and passport code – provide keys to identity theft, fraud, blackmail and even potential danger for those in abusive relationships.
The time has come for a significant review of the personal information that organisations – both in the private and public sectors – retain. We should also pause to consider whether we should entrust those organisations with material that provides a ‘honey pot’ for potential hackers.
In Victoria, we have opposed the enactment of the Health Legislation Amendment (Information Sharing) Bill 2021 (Vic). That Bill will not be enacted this term, but may be on the legislative agenda for the next parliament. If enacted, the Bill would make all health data of patients at public hospitals available across the Victorian public health system. Unlike the Federal eHealth record, the model does not have opt-out mechanism, and it is not possible to seek anonymity. Health and identity information would be accessible to those accessing a terminal including Medicare numbers. Liberty Victoria has advocated for an opt-in model.
The mass storage of personal data, especially after the original intended purpose or use has been achieved, is one of the largest failings of governments and corporations. There is a tendency to treat this data as belonging to the institution, and in some cases as a future asset for sale.
We need a change in attitude that centres privacy and ends the mass warehousing of personal information. In most cases personal data should only be held for the limited time required for identify verification. Where necessary, information that is retained should be stored by a system that is fit for that purpose – secure and with strong controls on access, including maintaining records of all access.
We need to strengthen our privacy culture with better regulatory and oversight obligations, a comprehensive and independent data security audit program, greater transparency as to data uses and practices, and clear pathways for members of the public to contact data custodians.
Private data is our property, and corporations and government agencies should consider themselves stewards of that property. Now is the time for the public and private sectors to commit to best practice data governance in the digital age.
Michael Stanton
President, Liberty Victoria