Removing information from newspapers in Australia: what does the law require?
June 2, 2023
Sensitive information about medical procedures and treatment history. Passport details. Health insurance numbers. These are the types of information that have been exposed for thousands of Australians through data breaches over the course of many years. None was as large-scale as the 2022 thefts of information from private health insurer Medibank and its allied companies, and from telecommunications provider Optus, which brought attention to our vulnerability in the digital age of data collection (and retention).
After any hack becomes public, there is a race among those who have been breached to change their identification documents, lock down accounts, or prepare for further harm, while those unaffected could be next.
But what then?
Major breaches raise questions not only about how and why attackers infiltrate a company’s systems but also about what valuable data they are taking. Why do companies retain our data for so long? Why don’t we have a “right to be forgotten” like European citizens? And what recourse do we have if we suddenly discover that our sensitive information is scattered across the dark web?
What information about you is being stored?
Companies hold all sorts of details about you, from your age and ethnicity to, say, your passport number and your computer’s IP address. In most cases, you have voluntarily handed it over, such as when applying for services or proving your identity.
Other data is collected without your knowledge: technical information from your device (phone model, preferred browser, location) and public details from your social media profiles (your friends, your pets, your interests). Some companies will share or sell this information, although often it is anonymized, so it is less concerning if you’re worried about your life being exposed.
Companies like banks and insurers have public-facing privacy policies that mostly say the same thing: your data is stored to identify you as a customer and enable you to transact with the company, and it is used to improve services and stop fraudulent activity, as well as to meet legal obligations and perform analytics (crunching all the data together to gain insights about customers in general).
Privacy policies of smaller or less-regulated outfits may be less available. Does your local real estate agency follow best practices when it comes to storing all those personal morsels you provided in your rental application? What happens when a retail assistant asks for your email address to send you a receipt? Or when a random app you installed collects your date of birth?
It is safer to assume that this type of information will not only be stored but may be linked to other pieces you have provided. It may also be shared or combined within networks of companies, and that’s how AHM customers found their details caught up in the Medibank breach.
How long do companies retain your data?
Essentially, as long as they want. There is no Australian law that requires data to be deleted after a certain period, only that companies must consider doing so. There are, on the other hand, many guidelines and incentives that encourage companies to accumulate it.
For example, companies are required to retain certain records for seven years under both company law and anti-money laundering and counter-terrorism financing law. And telecommunications companies must retain some data about you and your services for at least two years.
But it is more than likely that things about you will be floating around longer.
If you have a mortgage, for example, companies are encouraged not to delete relevant data until seven years after the loan has been fully discharged. Yes, potentially decades. It’s a similar story with medical records: health providers in most states are required to retain patient data for at least seven years after the last entry in their file.
Cristian Nardi, Founder of Guaranteed Privacy, with over 15 years of experience in online reputation management