I was a midwife at Optus’ conception and birth. So it gives me no joy to watch Optus’ privacy predicaments. As a long-time privacy law practitioner, I have a particular insight into Optus’ responses to the massive haemorrhage of the personal data of half the Australian adult population.
My Optus data
Quite a few years ago, I was an Optus customer. I haven’t been notified that my data has been hacked. But very few businesses ever seem to get around to culling old personal data. That is despite it being illegal to fail to delete or anonymise such data. So I have written to Optus asking – as is the right of all of us – what personal data, if any, Optus holds about me.
This telco prefers snail mail
Who even has postage stamps at the ready anymore? This tells me that Optus does not want to make it too easy for people to engage with it about their privacy – or pretty much anything else. What of transparency and accountability?
- the kinds of personal information that Optus collects
- how it collects and holds that information
- the purposes for which it collects, holds, uses and discloses personal information; and
- if Optus is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located.
You communicate with us on our terms
In my letter, I judged it appropriate to provide some personal data in addition to the basics – recent residential addresses, phone numbers, email addresses etc – so that Optus could identify me to determine if it does hold my data. Optus is asserting that it can now share the information which I have just provided with, for example, its service centres and sales agents, any related companies, and advertisers of third-party products and services.
Medicare and passport number
“The information we collect and hold includes:
Identifiers such as your name, date of birth, username, password or contact details, or documents that verify your identity such as your driver’s licence”
There is no reference to passport numbers or Medicare number, both of which have reportedly been hacked from Optus.
Australian law forbids the Optuses of this world from using government related identifiers “unless that use is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions.” Optus’ collection and retention of passport numbers and Medicare number sails very close to that wind.
“Certain sensitive information”
“In limited circumstances, we may need to collect certain sensitive information about you, such as information about your health, race, ethnicity, political views, criminal history or biometric information (e.g. voiceprint or fingerprint). We’ll always get your express consent before we collect this information (except if the collection is required by law).”
No hint is given of what types of “limited circumstances” might necessitate such collections. How much such information has Optus been collecting? How is it used? When is it deleted?
Where Optus gets our data
I really wonder what personal data about me is available to Optus from the Australian Bureau of Statistics.
Overseas disclosure of personal data
Optus’ response to the legal requirement to delete or anonymise old personal data
Deloittes to audit Optus
Optus has announced that Deloittes is “to run an independent external review of the recent data breach”. It is not clear in what respect the review can properly be described as “independent”. The sceptic in me asks: “Who pays the piper …”.
I do hope that the Federal Government will be just as sceptical.