It’s Thursday and you’re looking forward to an hour of kayaking on the weekend – and that’s after an estimated 17.6 hours of ferrying kids to part-time jobs, catchups and parties. Instead, you’re hit with ‘Propulsion Failure.’ This isn’t a euphemism, but rather a warning light telling you to glide your car to the curb. Cut to: Wednesday. You’ve forgone the kayaking, but the child ferrying continues apace. Many thanks to the parents-in-law for the loaner, but you’re still without a replacement car. Why? On Monday, you told the rental car company that you wouldn’t airdrop or let them take a screenshot of your driver’s licence or any other ID. And you’ve just asked – 'Why isn't your company using the Document Verification Service (DVS) or a commercial equivalent?' Those are the apps that enable companies to verify my ID – and all without having to retain copies of ID documents. 'Do they understand the risks of unnecessarily collecting personal data - and have they not heard about Optus, Medibank and other high profile data breaches?'
Cue the blank looks from the poor rental car staffer. In fairness, this is all part of an extended supply chain and service offering, where the vehicle dealer will outsource their replacement car services to a third party. Why? They can’t afford to keep so many cars on the lot just in case you have ‘Propulsion Failure,’ meaning that most dealers will outsource to a rental car company. That also means consumers are stuck in the unenviable position of having to supply ID documents that will (most likely) be stored on the rental car company’s systems, thereby increasing the risk of data breaches, mishandling and so on.
At the same time, there are other options (one of which I suggested) - 'Why not input the licence details into the rental car company’s systems and have the staff member confirm that they sighted the original?' Not a great option, because that would also involve typing in my licence number, address, full name and date of birth, which will:
1. Sit on the hire car company’s servers. That’s not to mention…
2. The individual staff member’s tablet, and
3. The tablet will likely be shared with other staff members and could be copied. But it’s a lot better than airdropping an image or taking a screenshot, which would likely…
4. Remain on the staff member’s phone (Not likely a company phone), and
5. Be copied to the staff member’s work or personal laptop, then
6. Copied to the company’s common drive, and then…
7. Be duplicated or triplicated via cloud and local back-ups, and
8. Quadruplicated on emails containing the same information… I could go on. And will.
Banks suffer with the same issue – they require customers to provide identification, generally two or three pieces of ID. Beyond the ID issue, banks must adhere to KYC or Know-Your-Customer rules and report suspicious dealings or transactions and possible money laundering, among other regulatory obligations. Much more serious than my 'propulsion' issues. But they often employ the same approach – requiring customers to provide a driver’s licence and another form of ID, such as a passport, which is scanned or photocopied, then possibly retained in a branch as a hard or soft copy. That brings us to the next ‘landing spot’ for copies of your identity documents…
9. The company’s photocopier. It has a hard drive that will store the scanned images. That photocopier is likely leased from a major supplier – and will be serviced by that supplier or a subcontractor, meaning another possible mishandling point (or two). And it could stay on the photocopier's hard drive for a long while...
10. Back to the scanned IDs: they will likely be transmitted from the photocopier via email to a staff member’s work email address, or a group email. Chances are the staff may replicate copies of your ID documents in another platform, such as their personal or common drive, which is used by other colleagues. And we’re back to the first 8 points…
Every organisation will have different protocols, along with measures to reduce touch points where ID documents are handled and retained. And no doubt, I didn’t fully understand the rental car company’s processes. However, the point remains the same – Rather than data minimisation, Australian organisations are often data maximising. And needlessly.
Beyond giving me an opportunity to rant, why do these issues matter? And why have I bothered to ‘follow the bouncing data ball’ in the above list? Let's start with vindicating myself for having died on the hill of privacy principles. Plus, I don’t want to be the lone voice in the wilderness or, to quote my teenage daughter, be ‘a very embarrassing, grumpy old man.’ I probably can’t change her description of me, but what I can start is a conversation about data security. In particular, how can we make it easier for Australians to raise these issues with service providers – and to press them to increase data security and reduce our collective risk of data breaches?
The most obvious answer is this – Push service organisations to take advantage of the DVS and similar commercial services that enable them NOT to collect and retain personal information unless truly necessary. Arguably, the most effective method for that ‘push’ is to ask questions. And the most important question is ‘why?’ i.e. why is it necessary to collect this information?
Chances are good that the service provider and their staff will respond with statements like – it’s a legal requirement. The reality is that it is generally NOT a legal requirement. It is much more likely that ‘the requirement’ is a business process that hasn’t been examined in a long time, nor kept pace with alternative protocols (and apps) to meet their actual business needs, i.e. demonstrating who will be driving the rental car and that they have a valid licence.
That brings me to some questions that might be posed when a company asks you for your ID documents – and wants copies of them.
Why do you need to take a copy and retain my identity documents?
Why is that a legal requirement – I understand you need to prove who I am, but how is it a legal requirement to retain that information?
Has your company considered using the DVS system or other commercial products so that you aren’t required to take copies of my identity documents?
Can’t you take down the last 3 or 4 digits of my licence or passport and have your staff member affirm that they sighted the original identity document?
Does your company store the identity documents in a secure repository, which is password protected and requires multi-factor authentication (MFA) to access?
Admittedly, I’m pushing the envelope with the last question. And I don’t want anyone bludgeoned by people in line at the bank or car rental office. Plus, these questions will likely be ‘filed away’ and you’ll be labelled as a ‘difficult customer’ (Just ask my teenage daughter).
But how can 'we' difficult customers press for meaningful change? We can start with responding to the ‘How did we do?’ questionnaire that service providers inevitably send to you. In other words, I recommend that you take the time to inform the company executives that you’re concerned about their privacy practices. Why? Because the company didn’t provide satisfactory responses to my questions about personal data handling. At the same time, you can politely remind the service provider that this isn’t just about your own personal data. It's their corporate reputation at risk. And that’s not to mention the risk of privacy complaints, investigations by the Privacy Commissioner, fines and a host of other costly issues.
This is just the start of the conversation, but it’s a conversation that I think we need to have. Why? The more personal data that organisations hold, the greater risk exposure in the event of a data breach. And with data breaches, it’s not a question of if - but when.
My firm, Synergy Law, is passionate about privacy and data governance, along with finding practical solutions to these issues for our clients – or just being a sounding board where we can help formulate data minimisation concepts and turn them into BAU. If you need help on those or other fronts, don't hesitate to reach out and start the conversation!