Australian law makes you a target

As a privacy and security focussed person, I want to keep a minimal financial fingerprint in the digital world. I do not pay via credit or debit card directly, but always use a trusted payment gateway which has sufficient security frameworks in place. This way I can ensure that these numbers are not spread all over the web and that a breach of a particular website should not affect my account. The main issue is that the right to be forgotten does not exist in the financial legislation in Australia. If you have any dealings with any financial institution, your data is locked in for at least 7 years. This makes you vulnerable and leaves you at the mercy of the institution you’ve dealt with.

Unfortunately, there is no legislation on how your data needs to be stored and secured. Even though a provider may say that your data is stored on encrypted devices like disks or tapes, this does not guarantee that the information is secure. If a provider suffers a breach and the malicious third party is able to decrypt the information, it doesn’t really matter how and where it is stored. Encryption and decryption are in most cases done transparently within applications. When the malicious party is able to obtain access to that application, he or she does not even have to go through the hassle of figuring out whether the data is encrypted or not.

This leaves you at the mercy of the security policies of the provider. As we’ve seen in the various breaches that have been in the media, the majority of providers do not invest enough in securing their environment. I am in the fortunate position that I do not have any debt with any financial institution. However, when I asked my former mortgage provider to destroy and/or de-identify all records that are associated with the accounts I had with them, they fell back on the legislation that currently restricts them from doing that. I received the following response.

We acknowledge your request for the destruction of your financial records held with xxxxxxx following the closure of your loan facility.

Unfortunately, we are prevented by law from destroying your records at this time.

The Financial Transaction Reports Act and the Anti Money Laundering and Counter Financing Act both impose record-keeping obligations on reporting entities (the lender being a reporting entity).

These obligations include retaining certain transaction records and customer identification records for a certain period of time, which in this case, is seven (7) years after the last transaction or end of customer relationship, under the above Acts.

We provide additional information below regarding the legislative record keeping requirements (inclusive of other lesser time period record keeping requirements).

I also know that the security policies of that provider are not top-notch, and thus this leaves me hung out to dry if their systems ever get breached.

The Australian legislation is in this case leaning very much towards preventing fraud rather than protecting consumer privacy. The second issue is that the 7 years, as shown above, is merely a guideline, which, as we’ve seen with, for example, Latitude, does not imply that any provider should implement policies/procedures around data destruction. They can simply ignore this, as you can see from the additional line this provider responded with:

Reasonable steps ???

Please note that we are cognisant of our obligations under the Australian Privacy Principles, particularly with respect to the protection of the information it holds from misuse and loss and from unauthorised access, modification or disclosure. Furthermore, we note that we must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed, but same can only be done when it does not contravene the above (ie: we can action the de-identification and destruction only once the 7 years have passed from your account closure).

The “reasonable steps” part is obviously open to interpretation and has never been tested in any courtroom as far as I know. This means that when a breach happens, even after the 7 years, my data will likely be on the street and the provider can simply wash its hands in innocence and say, for example, that “after a thorough investigation we’ve determined that we could not reasonably identify on which media and location my data was stored”.

As mentioned above, because the legislation is primarily targeted at preventing financial fraud, and because of the lack of sufficient protections around the storage of data as well as the links between the parties involved, all Australians are extremely vulnerable for a very long time. The definition of “long time” can be stretched to “indefinitely” as there are no counter processes defined in the legislation like the ones in the table above.

It is time for the government to start introducing privacy laws that specifically address the type of data, who is able to access it, under what conditions it needs to be referenced, if and what may be shared with any third party, and how this may impact the consumer. It is basically nonsense that mortgage repayments or personal loans for a car fall under the same legislation as international business transactions. If I have repaid my debt on a loan, there is no reason why any party should have to retain these records for more than 7 years.

Any comments are welcome.

Kind regards,
