Companies don’t need to keep identification data after it’s been verified, attorney-general says

Attorney-General Mark Dreyfus says he believes companies should not need to keep customers’ identification on file after checking it, and has indicated he is seeking to implement reforms to the Privacy Act.
The comments were made following an Optus data breach that resulted in hackers accessing millions of customers’ personal information dating back to 2017.

“We will be having a look at whether or not companies should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone’s identity,” Mr Dreyfus told reporters on Thursday morning.

“We are all familiar with this 100-point identity check; if a company says ‘we need to see your driver’s licence’ or ‘we need to see your passport number’ that is for the purpose of establishing that you are who you say you are but that should be the end – one might think – of the company keeping all that data.”

In the wake of the data breach, states and territories around Australia are allowing victims of the breach to replace their driver’s licences, while discussions are continuing around compromised passports and Medicare numbers.

What is the 100 point identification check?

The 100 point check was brought in by the Australian government to combat fraud and came into effect in 1988.
It means anyone opening bank accounts has to provide documents proving their identity – with points allocated to types of documentation.

Passports, birth certificates and citizenship certificates are worth 70 points, a drivers licence is among the ID types worth 40 points, and other forms are worth 35 and 25 points.

Attorney-General Mark Dreyfus says he’s looking into whether reforms to the Privacy Act could be made in the year’s remaining parliamentary sitting weeks. Source: AAP / Mick Tsikas

Mr Dreyfus said he did not think there was any need for companies to retain this information following initial checks.

“They don’t seem to me to have a valid reason for saying ‘we need to keep that for the next decade’,” he said.
“Obviously the more data that’s kept, the bigger the problem there is about keeping it safe, the bigger the problem there is about the potential damage that’s going to be done by a huge hack that’s occurred here.”

Mr Dreyfus said Australians need to be assured that when their data is asked for from them by a private company or by the government, it will only be used for the purpose for which it has been collected.

“We need to get in place something that (encourages) companies to dispose of data safely, to not keep data when they no longer have a purpose for it,” he said.
“For too long we have had companies solely looking at data as an asset they can use commercially … we need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians, it’s not to be misused, it absolutely has to be protected and if the Privacy Act is not getting us those outcomes then we need to look at reforms to the Privacy Act.”

Mr Dreyfus said he was looking into whether reforms to the Privacy Act could be made in the year’s remaining parliamentary sitting weeks.

Do you need to change your electoral details?

The Australian Electoral Commission says customers affected by the Optus data breach who have changed their licence or passport details don’t need to update their electoral enrolment.

The customers will still be enrolled for state, territory and council elections, according to the AEC.

File source

Show More

Related Articles

Back to top button