Privacy laws to be overhauled as Dreyfus questions why Optus kept customers’ details

Attorney-General Mark Dreyfus wants privacy laws overhauled within months as he questioned why Optus kept customers’ personal document identification numbers for years even after they left the telecommunications giant.

The government called on Wednesday for Optus to pay for replacement passports for affected customers; however, the company has yet to respond.

Attorney-General Mark Dreyfus has questioned why companies are keeping so much sensitive information on customers. Credit: Eddie Jim

The Sydney Morning Herald and The Age reported on Wednesday that metadata laws designed to help law enforcement detect criminals online do not tell phone companies what identity documents they have to keep on their customers.

Dreyfus said companies that inspected driver's licences or passports to confirm their customers' identities did not need to hold the information.

“They don’t seem to me to have a valid reason for saying we need to keep that for the next decade,” Dreyfus said at a press conference in Canberra on Wednesday.

“Obviously the more data that’s kept, the bigger the problem there is about keeping it safe, the bigger the problem there is about the potential damage that’s going to be done by a huge hack that’s occurred here.”

Optus revealed on Wednesday night that almost 37,000 Medicare numbers were exposed as part of the hack that affected about 10 million people. Of those, 22,000 were expired, but only one digit changes in a Medicare number with a new card.

The company’s Singaporean parent company, Singtel, issued a statement late Wednesday apologising to Optus customers and defending its cybersecurity investments. It also backed in the company’s chief executive, Kelly Bayer Rosmarin, who has clashed with the federal government over the nature of the hack.

"We have extended our fullest support to Kelly and the Optus management team as they work to minimize inconvenience and risk to customers," a Singtel spokesman said.

Dreyfus said companies had for too long thought of data as something they could use commercially. That, he said, was the wrong approach.

"Australians need to be assured that when their data is asked for and taken from them by a private company or by government that it will only be used for the purpose for which it has been collected and we need to get in place something that's encouraging companies to dispose of data safely, to not keep data when they no longer have a purpose for it," Dreyfus said.

The Privacy Act is currently under review and Dreyfus said he wanted new legislation to be drafted this year.

UNSW Professor Graham Greenleaf said the enforcement of Australian privacy rules had been a “black hole” before the current privacy commissioner’s tenure.

Optus had potentially committed a series of privacy law breaches around failing to secure data and failing to delete unneeded data, Professor Greenleaf said. Those laws could trigger class action-style claims, with penalties largely unknown because there has been scant enforcement.

Maurice Blackburn, a major national law firm, joined its rival Slater & Gordon in saying it was investigating a group claim against Optus over the breach. The claim is at the investigation stage.

Optus has consistently defended its cyber practices, saying it was the victim of a "sophisticated" attack despite the government's view that it was "quite basic". It has said it is doing all it can to support customers and working with authorities on the investigation.
