Key Takeaways
- The Office of the Australian Information Commissioner (OAIC) will conduct a "compliance sweep" of dozens of businesses to ensure they meet legal standards for collecting and storing personal information.
- Businesses that fail to meet standards can be fined up to $66,000.
- The sweep will target high-risk sectors, including rental and property inspections, chemists and pharmacists, licensed venues, pawnshops, and car rental companies.
- Businesses must demonstrate clear policies for collecting, storing, and deleting personal information.
- The OAIC aims to protect customers from overcollection of personal information and associated risks to security and privacy.
Introduction to the Compliance Sweep
The Office of the Australian Information Commissioner (OAIC) has announced a "compliance sweep" of dozens of businesses to ensure they meet legal standards for collecting and storing personal information. The sweep will target high-risk sectors, including rental and property inspections, chemists and pharmacists, licensed venues, pawnshops, and car rental companies. The OAIC’s goal is to protect customers from overcollection of personal information and associated risks to security and privacy. According to the commissioner, Elizabeth Tydd, there is often a "power asymmetry" when a company confronts customers with in-person requests for personal information, which people feel unable to refuse.
Targeted Sectors and Businesses
Throughout January, the OAIC will inspect 60 businesses across six high-risk sectors in which customers are asked for personal details during short, urgent transactions. These sectors include rental and property inspections, chemists and pharmacists who collect information for paperless receipts and medication provision, licensed venues that collect IDs for entry, pawnshops and secondhand dealers, and car rental companies and car dealerships that collect personal data for rentals or test drives. The sweep will target larger businesses with more customers, but may also check on small franchisees of big national brands in sectors such as real estate.
Industry Response and Concerns
Some industries have raised concerns about the compliance sweep, with the Australian Automotive Dealer Association’s chief executive, James Voortman, stating that cybercriminals have targeted dealerships in pursuit of customer data, resulting in numerous data breaches in recent years. However, Voortman also noted that new car dealerships have spent significant time, money, and effort to effectively protect customer data. Real estate agencies have also been criticized for unnecessary collection and storage of personal information, with some agents requesting tenants share 12 months’ worth of bank statements, personal social media profiles, and details about their tattoos.
Real Estate Agencies and Data Collection
Real estate agencies have been accused of overcollecting personal information, with some agents requesting excessive details from prospective tenants. Stacey Holt, risk adviser and chief executive of Real Estate Excellence, said that agencies were more likely to accept applications when prospective tenants allowed them to collect and store more data. However, Holt also noted that most businesses she worked with would delete data when it was no longer necessary, and that breaches were more likely to be observed among agencies reusing generic privacy policies borrowed from other websites, or among franchisees of brands.
Consequences of Non-Compliance
The OAIC’s compliance sweep may catch some businesses off guard, particularly those that have not reviewed their privacy policies ahead of it. Businesses that fail to meet the OAIC’s standards can be fined up to $66,000. The commissioner, Elizabeth Tydd, has stated that businesses will likely have strengthened their privacy policies in anticipation of the crackdown. The OAIC’s goal is to ensure that businesses prioritize customer privacy and security, and that customers are protected from overcollection of personal information and associated risks.
Conclusion and Next Steps
The OAIC’s compliance sweep is an important step towards protecting customer privacy and security in Australia. By targeting high-risk sectors and businesses, the OAIC aims to ensure that companies prioritize customer data protection and comply with legal standards. As the sweep gets underway, businesses would do well to review their privacy policies and ensure they are meeting the OAIC’s standards. Customers can also take comfort in knowing that the OAIC is working to protect their personal information and prevent data breaches. The outcome of the compliance sweep will be closely watched, and it is likely that the OAIC will continue to monitor and enforce privacy standards in the coming months and years.


