MY SAY: Changes to Privacy Act would help keep us safer
THE Commonwealth Attorney-General's Department's proposed amendments to the Privacy Act are not the topic on everyone's lips.
But the proposal will make notification of serious data breaches for organisations that must comply with the Privacy Act mandatory.
Breaches can come in many forms - from the criminal, such as via a computer virus, to the non-criminal, such as lost personnel files, or even mistakenly emailing the wrong details.
It's a complex environment as data breaches happen every day.
I recently received the wrong personnel file of an Army member wanting to re-enlist.
On receiving my news, Defence Force Recruiting didn't even advise me to destroy the record or return it to them. This was despite the fact they had accidentally sent me Private X's full name, date of birth, residential address, contact details and Army identification number.
Under the proposed changes to the Privacy Act, the responsibility to notify Private X would lie with the Department of Defence. But as I can't wait for our elected representatives, I contacted Private X. I can't repeat what he/she said but suffice to say they're now an advocate for the proposed amendments to the Privacy Act.
Why bother having a notification scheme? Well, put yourself in Private X's boots. Would you like to know that the Department of Defence sent your information to a complete stranger?
Australia's privacy regime is not a conversation for everyday Australians. It's a conversation conducted between government and the businesses and agencies that are doing their best to find out everything possible about us so they can sell and deliver more services to the customers and clients they want to attract.
A mandatory data breach notification scheme is likely to put off those who want to collect and monitor our every movement. It forces these organisations to re-empower the customer with information on exactly what has happened to their identifying information when it was in their custody.
While this sounds relatively straightforward, there are complexities. Precisely who is responsible for notifying of a breach of identifying information is difficult to establish.
Let's say a travel company consultant clicked on a phishing email. In doing so, the consultant gave the phishers access to all of their clients' personal information, including email addresses.
Let's say one client then clicked on an email sent from the travel company - another phishing email, but the address was identical to the ones they receive.
On clicking this email, the phisher gains access to all of the client's hard drive.
Amongst the records was a superannuation account. A few days later the client's superannuation fund agrees to roll $58,000 into a bank account controlled by the phisher.
Sounds implausible? Well it happened last week.
When I engaged the travel company they said it was really the client's fault for clicking on their email.
It's a complex case, and under the proposed changes to the Privacy Act the travel company would have been required to proactively notify every client whose records were originally compromised.
This didn't happen.
Dr David Lacey is a Senior Research Fellow at the University of the Sunshine Coast and Director of IDCARE, Australia and New Zealand's national identity support service.