The “Optus’ data breach which compromised the personal details and even identity documents such as Medicare cards, passports and driving licences of up to 9.8 million Australians leaves many questions unanswered, says Prof Janek Ratnatunga, the CEO of the Institute of Certified Management Accountants (CMA ANZ) in an in-depth study titled, Optus Data Hack: The Dark Side of Invading Social Media Privacy.

He says, “the deeper question that has gone largely unanswered by Optus is if it used customer personal data for social media and targeted marketing purposes, either directly or indirectly”.

Prof Ratnatunga says that obtaining data by hacking is a clear case of a theft of that asset. But then he asks, “whom does that asset belong to?”

“If private data is sold to data brokers and other third parties then questions must be asked as to compensating those individuals who provided the data voluntarily or involuntarily.”

Prof Ratnatunga says that Optus had a legitimate need to collect detailed data – to verify customers were real people and potentially to recover any debts later.

“However, the reason given by Optus as to why the data was kept for 6 years is questionable”.

“The only clear ‘legal’ requirement for Optus to keep “information for identification purposes” comes from the Telecommunications (Interception and Access) Act 1979, which requires that identification information and metadata be kept for two years – to assist law enforcement and intelligence agencies.”

“The big problem with Australia’s data retention laws is that there is really no limit on how long a company can keep personal data”, says Prof Ratnatunga.

Australia’s Federal Privacy Act only states that information must be destroyed “where the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity”.

With such a loose requirement, a company could argue it “needs” to keep customer information for anything – such as defending against a civil claim in court, or as part of its corporate records, or for in most cases marketing.

A serious weakness with Australia’s privacy laws is that when customers sign up for the services they automatically consent to all these uses by clicking the accept button without reading the pages of legal jargon.

Prof Ratnatunga says that with any service that puts a premium on personal information, there will be risks that individual data will be exposed whether by accident or through security loopholes.

“Once private data is obtained — via hacking or sale — there are several ways advertisers can invade an individual’s social media privacy, take advantage of their data and make them a target for their ads.”

Prof Ratnatunga says that accessing and mining consumer data has become big business, especially since the advent of researchers and data brokers who operate in a shadowy world where they buy and sell our most intimate private information every day and individuals have no right to demand to know what the companies hold on them. These companies justify their actions by stating that whilst data is everywhere, and generated every second of the day, they are converting it to an asset – by turning it into something of value.

Prof Ratnatunga agrees that this data is an asset — but says that it belongs to those who provided the information.

“Rather than allow researchers, data brokers and other third parties to unscrupulously take, trade and hoard our data, regulatory bodies must collectively change the narrative by framing data appropriation as a theft of an asset.”

“We as a society must collectively lay the groundwork for policies to make data mining and sale a legal and ethical issue”, he says.

We need new models of data ownership, protection and compensation that reflect the role information has in society.

“After all,”, says Prof Ranatunga, “if an artist who has a song on Spotify can be compensated every time that song is downloaded, there is no reason that an algorithm cannot be developed to compensate those in society (individually or collectively) for the use of data taken from them by invading their privacy.”


For further comment on the above topic, please contact:

Prof Janek Ratnatunga
CEO, ICMA Australia & NZ
Mobile: +61432758380
Email: [email protected]

About the Author
Professor Janek Ratnatunga is the CEO of the Institute of Certified Management Accountants, Australia & NZ. He has held senior appointments at the University of South Australia, Monash University, University of Melbourne, and the Australian National University in Australia; and the Universities of Washington, Richmond and Rhode Island in the USA. Prior to his academic career he worked as a chartered accountant with KPMG. He has also been a consultant to many large Australian and international companies and to the World Bank.