I was a midwife at Optus’ conception and birth. So it gives me no joy to watch Optus’ privacy predicaments. As a long time privacy law practitioner, I have a particular insight into Optus’ responses to the massive haemorrhage of the personal data of half the Australian adult population.
My Optus data
Quite a few years ago, I was an Optus customer. I haven’t been notified that my data has been hacked. But very few businesses ever seem to get around to culling old personal data. That is despite it being illegal to fail to delete or anonymise such data. So I have written to Optus asking – as is the right of all of us – what personal data, if any, Optus holds about me.
For more than seven years part time I was Privacy Officer at Certified Practising Accountants, Australia (CPA). I wrote the CPA’s Privacy Policy. I frequently amended and updated its Privacy Policy to make it more informative. Indeed, each time a privacy issue arose, I reviewed the Privacy Policy to see if it needed updating or tweaking…
This telco prefers snail mail
To ask Optus what personal data it holds about me I needed to get the relevant Optus address. I have written before about the entrenched and expanding approach of businesses – and governments – not to make it easy to communicate with them except on their terms. But Optus is a telecommunications company so I hoped that it would have an email address I could use. Tech heads refer derisively to the sort of communications which Australia Post has traditionally delivered as “snail mail”. Surprise, surprise – Optus’ Privacy Policy has no email address: just a PO Box.
Who even has postage stamps at the ready anymore? This tells me that Optus does not want to make it too easy for people to engage with it about their privacy – or pretty much anything else. What of transparency and accountability?
Optus’ Privacy Policy
To my surprise, Optus’ Privacy Policy has not been updated since early July. I expected that would be a priority when Optus learned of the massive hack of its personal data holdings.
Optus’ Privacy Policy is remarkably short. It seems deliberately vague, uninformative and is full of holes. It’s very much a carte blanche apparently designed for Optus to maximise Optus’ ability to do what it likes with any personal data it lays its hands on.
The law requires Optus to have a clearly expressed Privacy Policy which must contain:
- the kinds of personal information that Optus collects
- how it collects and holds that information
- the purposes for which it collects, holds, uses and discloses personal information; and
- if Optus is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located.
Arguably, Optus’ Privacy Policy falls short in a number of these respects.
Optus’ Privacy Policy asserts that “protecting your privacy and keeping your information safe and secure is paramount to us.” The sceptic in me says that words are cheap.
You communicate with us on our terms
The first section of Optus’ Privacy Policy makes the bold contractual opening gambit: “By interacting with Optus, you agree that we can use information about you in accordance with this policy.” So by writing to Optus to ask what personal data it holds about me, Optus asserts that I am contractually bound by its Privacy Policy!
In my letter, I judged it appropriate to provide some personal data in addition to the basics – recent residential addresses, phone numbers, email addresses etc – so that Optus could identify me to determine if it does hold my data. Optus is asserting that it can now share the information which I have just provided with, for example, its service centres and sales agents, any related companies, and advertisers of third-party products and services.
Medicare and passport number
After the introductory paragraphs, Optus’ Privacy Policy has a section on “The type of information we collect about you”:
“The information we collect and hold includes:
Identifiers such as your name, date of birth, username, password or contact details, or documents that verify your identity such as your driver’s licence”
There is no reference to passport numbers or Medicare number, both of which have reportedly been hacked from Optus.
Australian law forbids the Optuses of this world from using government related identifiers “unless that use is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions.” Optus’ collection and retention of passport numbers and Medicare number sails very close to that wind.
“Certain sensitive information”
Optus’ Privacy Policy says:
“In limited circumstances, we may need to collect certain sensitive information about you, such as information about your health, race, ethnicity, political views, criminal history or biometric information (e.g. voiceprint or fingerprint). We’ll always get your express consent before we collect this information (except if the collection is required by law).”
No hint is given of what types of “limited circumstances” might necessitate such collections. How much such information has Optus been collecting? How is it used? When is it deleted?
Where Optus gets our data
Optus’ Privacy Policy says that Optus collects information about people from, amongst other places:
“Third party websites and social media platforms that collect and disclose information about you (including via the use of cookies and similar technologies) such as Google or Facebook”; and “Government agencies, such as the Australian Bureau of Statistics.”
I really wonder what personal data about me is available to Optus from the Australian Bureau of Statistics.
Optus’ Privacy Policy also says: “We may de-identify information about you to use and share with our business partners.” (emphasis added)
Overseas disclosure of personal data
As noted above, Optus’ Privacy Policy is required to include information about the likelihood that personal information will be disclosed to overseas recipients, and to what countries. Optus is a subsidiary of the Singapore telecom group – SingTel. Optus’ Privacy Policy says that Optus shares personal information with “Companies related to Optus including companies in the SingTel Group”. I understand that all that probably means disclosure to a company which is based in Singapore and governed by Singaporean law. But many Australians who deal with Optus would not know that.
Optus’ response to the legal requirement to delete or anonymise old personal data
As noted above, businesses such as Optus are required to delete personal data which is no longer required. Optus’ Privacy Policy says not a word about Optus having a program – or even a policy – to comply with that important legal obligation. To the contrary, the Policy says: “If you request access to records which are not current … it may take longer to locate those records”. An inference is that there are old records gathering dust somewhere and that Optus does not regard culling old data as a priority.
Deloitte to audit Optus
Optus has announced that Deloitte is “to run an independent external review of the recent data breach”. It is not clear in what respect the review can properly be described as “independent”. The sceptic in me asks: “Who pays the piper …”.
I do hope that the Federal Government will be just as sceptical.