Theย โOptusโย data breach which compromised the personal details and even identity documents such as Medicare cards, passports and driving licences of up to 9.8 million Australians leaves many questions unanswered, saysย Prof Janek Ratnatunga, the CEO of theย Institute of Certified Management Accountants (CMA ANZ)ย in an in-depth study titled,ย Optus Data Hack: The Dark Side of Invading Social Media Privacy.
He says, โthe deeper question that has gone largely unanswered by Optus is if it used customer personal data for social media and targeted marketing purposes, either directly or indirectlyโ.
Prof Ratnatunga says that obtaining data by hacking is a clear case of a theft of that asset. But then he asks, โwhom does that asset belong to?โ
โIf private data is sold to data brokers and other third parties then questions must be asked as to compensating those individuals who provided the data voluntarily or involuntarily.โ
Prof Ratnatunga says that Optus had a legitimate need to collect detailed data โ to verify customers were real people and potentially to recover any debts later.
โHowever, the reason given by Optus as to why the data was kept for 6 years is questionableโ.
โThe only clear โlegalโ requirement for Optus to keep โinformation for identification purposesโ comes from theย Telecommunicationsย (Interceptionย andย Access)ย Actย 1979, which requires that identification information and metadata be kept for two years โ to assist law enforcement and intelligence agencies.โ
โThe big problem with Australiaโs data retention laws is that there is really no limit on how long a company can keep personal dataโ, says Prof Ratnatunga.
Australiaโs Federalย Privacyย Actย only states that information must be destroyedย โwhereย theย entityย noย longerย needsย theย informationย forย anyย purposeย forย whichย theย informationย mayย beย usedย orย disclosedย byย theย entityโ.
With such a loose requirement, a company could argue it โneedsโ to keep customer information for anything โ such as defending against a civil claim in court, or as part of its corporate records, or for in most casesย marketing.
A serious weakness with Australiaโs privacy laws is that when customers sign up for the services they automatically consent to all these uses by clicking the accept button without reading the pages of legal jargon.
Prof Ratnatunga says that with any service that puts a premium on personal information, there will be risks that individual data will be exposed whether by accident or through security loopholes.
โOnce private data is obtained โ via hacking or sale โ there are several ways advertisers can invade an individualโs social media privacy, take advantage of their data and make them a target for their ads.โ
Prof Ratnatunga says that accessing and mining consumer data has become big business, especially since the advent ofย researchersย andย data brokersย who operate in a shadowy world where they buy and sell our most intimate private information every day and individuals have no right to demand to know what the companies hold on them. These companies justify their actions by stating that whilst data is everywhere, and generated every second of the day, they are converting it to an asset โ by turning it into something of value.
Prof Ratnatunga agrees that this data is an asset โ but says that it belongs to those who provided the information.
โRather than allow researchers, data brokers and other third parties to unscrupulously take, trade and hoard our data, regulatory bodies must collectivelyย change the narrativeย by framing data appropriation as a theft of an asset.โ
โWe as a society must collectively lay the groundwork for policies to make data mining and sale a legal and ethical issueโ, he says.
We need new models of data ownership, protection and compensation that reflect the role information has in society.
โAfter all,โ, says Prof Ranatunga, โif an artist who has a song onย Spotifyย can be compensated every time that song is downloaded, there is no reason that an algorithm cannot be developed to compensate those in society (individually or collectively) for the use of data taken from them by invading their privacy.โ
[End]
For further comment on the above topic, please contact:
Prof Janek Ratnatunga
CEO, ICMA Australia & NZ
Mobile: +61432758380
Email:ย janek.ratnatunga@cmaaustralia.edu.au
About the Author
Professor Janek Ratnatunga is the CEO of the Institute of Certified Management Accountants, Australia & NZ. He has held senior appointments at the University of South Australia, Monash University, University of Melbourne, and the Australian National University in Australia; and the Universities of Washington, Richmond and Rhode Island in the USA. Prior to his academic career he worked as a chartered accountant with KPMG. He has also been a consultant to many large Australian and international companies and to the World Bank.
Contact details:
Prof Janek Ratnatunga
CEO, ICMA Australia & NZ
Mobile: +61432758380
Email:ย janek.ratnatunga@cmaaustralia.edu.au
