26/05/2021

One of the most straightforward ways for a business to minimise its privacy risks is to minimise the amount of personal information it collects and stores.  After all, you can’t lose what you don’t have and, in the case of the Privacy Act 1988 (Cth) (Privacy Act), you aren’t obliged to notify individuals of a data breach if you don’t hold relevant information about those individuals in the first place.

Overview of data minimisation in Australian privacy law

The principle of data minimisation is captured in a number of the Australian Privacy Principles (APPs) under the Privacy Act:

  • Limited collection: APP 3 requires entities to only collect personal information that is reasonably necessary for one or more of the entity’s functions or activities.  A higher threshold exists for Commonwealth government agencies: the collection must also be directly related to that agency's functions or activities. 

    Ascertaining reasonable necessity is an objective test that asks whether a reasonable, properly informed person would agree that the collection is necessary. Relevant to this assessment is the purpose of collecting the personal information, how it will be used, and whether or not the relevant function or activity could be undertaken without it.

    As the OAIC has noted, collecting personal information on the basis that it may become relevant at a future point will generally not satisfy this test, nor will collecting solely to increase the completeness or value of an organisation’s database.
  • Limited retention: APP 11 requires entities to take reasonable steps to destroy or de-identify personal information that they no longer need. Assessing whether such a need still exists requires an assessment of whether the personal information can still be used or disclosed by the entity under APP 6, including the legitimate primary and secondary purposes for which that personal information may be used.

    Appropriate systems and procedures should be in place and utilised to comply with APP 11, rather than dealt with on an ad hoc basis in response to a request or incident.

These principles are analogous to the principle of data minimisation in the GDPR.

Overview of notifiable data breaches in Australian privacy law

Under the Privacy Act, entities must notify the Australian Privacy Commissioner (the Office of the Australian Information Commissioner) as well as affected individuals if the entity has reasonable grounds to believe that there has been an eligible data breach of the entity.  In simple terms, an eligible data breach occurs if:

  • there is unauthorised access to, or unauthorised disclosure of personal information or personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of the information is likely to occur; and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

The term “serious harm” is not defined in the Privacy Act and can include harm of a physical, financial, reputational or psychological kind.  This would include identity fraud as well as other criminal conduct in which a person obtains unauthorised access to a person’s account or information. 

Generally speaking, the more information that an entity holds about an individual, the greater the risk that unauthorised access or disclosure of that information may be likely to result in serious harm to the individual. 

See our article for further information about Australia’s mandatory notifiable data breach rules - Mandatory Data Breach Notification laws are coming...are you ready?

Data minimisation in the context of dates of birth

By reconsidering the necessity of the data points collected, as well as properly accounting for the deletion of personal information over time, entities may be able to reduce their regulatory exposure and the risk of harm to their customers.

To illustrate this point, we’ve considered one type of personal information that is low-value but high-risk: dates of birth (DOB).  The collection of DOBs by entities is near ubiquitous when individuals sign up to a service or join an organisation.  Typically, DOBs are used for identity verification purposes – to verify the identity of the individual when they sign up to a service and/or to verify the identity of the individual when they engage with the service at a later stage. They can also be used for age verification purposes.  In many cases, DOBs are not separately verified by the entity that collects them by reference to other forms of identity (for example, a copy of a driver licence). 

However, it is the very ubiquity of DOB collection that also undermines its effectiveness in identity verification.

While some high-profile celebrities might succeed in keeping their DOB an industry secret, many people consider their DOB to be of little consequence or risk.  As a result, DOBs can be found everywhere.  Either through direct datapoints or corroborating several pieces of information, an individual’s DOB may be easy to glean from online activity, including their social media profiles and other digital affiliations.  They’re also often known by one’s personal and professional network – even the privacy savvy who choose not to disclose their DOB can become exposed by something as innocent as a friend sending them birthday wishes on a public profile.

Because of this, DOBs are low-value in nature – they are easy to discover and fabricate, which raises questions as to how useful they are in identity or age verification.  A DOB is not a data point that is a closely guarded secret for most individuals.

These widespread patterns of disclosure haven’t gone unnoticed by scammers and those with nefarious intent. Personal information as seemingly innocuous as one’s name or DOB can be used to defraud individuals through gaining access to their financial institutions, digital profiles, and other online and offline accounts and connections. In addition to various online safety groups, the Australian Cyber Security Centre has even advocated on this front, warning that the sharing of DOB creates a greater risk of identity theft, stalking and harassment.

For those entities with immature privacy practices, a DOB may be all a scammer needs to gain access to a person’s account or identity. Even where a DOB does not allow a scammer to obtain full access to a person’s account, it can help permit access to lower-level ‘stops’ along the way, where additional datapoints are collected and later exploited to penetrate financial, government and other sensitive accounts.

This means that DOBs are high-risk for entities that keep DOBs.  Given the widespread reliance on DOBs across a range of industry sectors, DOBs can be used to obtain unauthorised access to a person’s account / information and for other identity theft purposes.  So even if an organisation doesn’t use DOBs for identity or age verification purposes, if their database is compromised, a bad actor may be able to use stolen DOBs for identity theft with other organisations.  In this situation, the loss of DOBs means that the data loss incident is more likely to meet the “serious harm” test for notifiable data breach purposes, than if DOBs were not stored or lost in the first place. 

The takeaway

DOBs are just one example of low-value, high-risk personal information. In our increasingly data-centric economy, it might sound counterproductive to limit the personal information that your organisation collects, but when it comes to your database of personal information, bigger isn’t always better.

Organisations should continually question why they are collecting particular (identifiable) data points about their customers and the public. Not only is this critical for compliance with statutory requirements, but it also helps build assurance in a broader regulatory and risk sense.

Next time your organisation is planning for the collection of personal information, ask:

  • is the collection legal?
  • is the personal information reasonably necessary for your functions and activities?
  • are there additional risks in holding this type of personal information?
  • and if so, do the applicable requirements outweigh the risk?

Putting in this additional effort not only demonstrates diligent compliance with APP 3 and APP 11, but can also reduce the latent organisational risk that is inherent when maintaining databases that contain personal information. 

 

Authors: Andrew Hii, Bryce Craig

""