Research has found that 1 in 3 Australians had their personal information exposed in 2022. In light of the high-profile breaches at Optus, Medibank and others, Australians are left wondering what they can do personally to protect their privacy.

Think about all the online memberships you have innocently signed up for over the years. Recent events have shown that all organisations or online platforms, large or small, government or private, are potentially vulnerable to cybersecurity threats. Whilst you may rely on those organisations to protect your personal information, you should also be proactive in looking after your personal privacy.

How might you do that?

One way to do this would be to apply the AAA framework: Ask, Assess, Act.

AAA Framework for personal privacy

ASK for your personal information

The Australian Privacy Principles apply to organisations which are APP entities, such as those organisations which have a turnover of over $3M per annum.

Under the Australian Privacy Principles, it would be reasonable for you to ask organisations for details of the personal information they hold about you, so that you are aware of what they hold and can ensure it is accurate, up-to-date and complete.

In this process, you should review the applicable privacy policies to check who you may need to talk to in the organisation when making such a request. Please be aware that some organisations may charge a reasonable administrative fee for the information and they can take a reasonable time to respond, which could be up to 30 days.

You can list all the organisations that may have collected your information. From this list, you can check whether each is an APP entity by looking on its website for a privacy policy. This is not determinative, but it would be a starting point.

ASSESS the information pool

The assessments in this process change depending on the APP entity's response, your interests (such as a desire to remain on the organisation's database) and your risk appetite. When you've left an organisation or changed service providers, it may be useful to assess whether you wish for them to continue to hold your personal information. Many of the Optus victims were past consumers of Optus. It may be wise to consider an organisation's data retention policy or de-identification policy before you sign up or before you leave.

Suppose an APP entity provides you with your personal information they hold. In that case, you may decide whether you want that entity to have such information, only a subset of the information, or whether the organisation should update your information.

If an APP entity refuses to provide you with the information, you may decide to make a privacy complaint. We have previously written an article on making a privacy complaint for your general information which can be found here.

ACT to change or delete

You may request that your information be updated, returned and/or deleted. This can come from withdrawing your consent to the organisation's use of your data and requesting that your data be deleted and/or returned. If they are an APP entity and do not respond to the request, then you may wish to make a privacy complaint. If you are ready to protect your privacy, we are happy to assist you at each point. Please feel free to contact us.

IMPORTANT NOTE: This is general information prepared to assist the readers but it is no substitute for advice on particular circumstances. You should obtain specific legal advice before making a decision and continuing in these circumstances.
