Australia's privacy regulator has launched an unprecedented investigation into how everyday businesses collect and store personal information. The Office of the Australian Information Commissioner (OAIC) is conducting a "compliance sweep" targeting 60 businesses, including real estate agencies, pubs, pharmacies, and car dealerships, to scrutinize their data practices.
The investigation focuses on situations where customers may feel pressured to hand over sensitive data during brief, in-person transactions. Companies whose privacy policies do not meet legal standards could face fines of up to $66,000.
Key Takeaways
- The OAIC is inspecting 60 businesses across six high-risk sectors for privacy compliance.
- Targeted industries include real estate, licensed venues, car rentals, pharmacies, and pawnshops.
- The sweep examines the "overcollection" of personal data and how long it is stored.
- Businesses with non-compliant privacy policies could be fined up to $66,000.
- The regulator is concerned about the "power asymmetry" between businesses and customers in face-to-face data requests.
Regulator Focuses on High-Risk Sectors
The OAIC's first-ever compliance sweep, which began in January, is a direct response to growing concerns about how personal information is gathered and managed. The targeted sectors are those where customers often provide personal details during quick or urgent transactions, creating a potential imbalance of power.
The Information Commissioner, Elizabeth Tydd, highlighted the issue of "power asymmetry," where customers feel they cannot refuse requests for information. This can occur when inspecting a rental property, entering a licensed venue, or test-driving a car.
Privacy Commissioner Carly Kind noted that these situations can make customers vulnerable. Businesses may collect more information than necessary and retain it for too long, increasing the risk of data breaches and security threats.
"When that happens, it creates additional privacy risks; for example, cybersecurity risks where personal information can be harvested," Tydd explained in a recent interview.
The sweep requires businesses to prove their privacy policies are clear and legally sound. They must detail what data they collect, why they collect it, how long it is stored, and whether it is transferred overseas.
Sectors Under Scrutiny
- Real Estate: Agencies requesting extensive personal data for rental applications and open home inspections.
- Licensed Venues: Pubs and bars that scan IDs for entry.
- Pharmacies: Chemists collecting information for paperless receipts and prescriptions.
- Automotive: Car dealerships and rental companies that copy driver licences.
- Secondhand Dealers: Pawnshops and other dealers who collect personal data for transactions.
Real Estate and Automotive Industries Respond
The real estate and automotive industries, both of which handle significant amounts of customer data, have been put on notice. Real estate agencies, in particular, have faced criticism for requesting extensive personal information from prospective tenants.
Some agencies have reportedly asked for 12 months of bank statements, social media profiles, and even details about tattoos. This level of data collection has raised alarms, especially following data breaches at major franchises like Harcourts and LJ Hooker in 2022.
In response to these concerns, the New South Wales government moved in July to limit data gathering by the industry, estimating that real estate agencies collected approximately 187,000 pieces of identification information each week.
Stacey Holt, chief executive of Real Estate Excellence, acknowledged that prospective tenants often provide more data than necessary to improve their chances in a competitive rental market. "Most people, because they’re desperate for a home, are doing all the things they can do to make them look good," Holt said. She added that while many agencies delete data when it's no longer needed, breaches often occur when generic or outdated privacy policies are used.
Why is Data Kept?
According to industry insiders, real estate agencies often keep tenant details on file to meet landlords' insurance obligations. For open homes, contact information is retained for marketing purposes or, less commonly, in case of theft during the inspection.
The automotive sector has also been a target for cybercriminals. James Voortman, chief executive of the Australian Automotive Dealer Association, stated that dealerships have invested heavily in data protection following numerous breaches in recent years. "Customers can take comfort in the fact that new car dealerships have spent a great deal of time, money and effort to effectively protect the data," Voortman said.
Implications for Businesses and Consumers
The OAIC's investigation signals a tougher stance on data privacy in Australia. While the initial sweep targets larger businesses and franchisees of national brands, the implications are widespread. All companies that collect customer data are being implicitly warned to review and strengthen their privacy policies.
The sweep aims to ensure that businesses are not just collecting data, but are also being transparent and responsible with it. The core principles under review are:
- Necessity: Is the information being collected actually required for the transaction?
- Transparency: Is it clear to the customer why their data is being collected and how it will be used?
- Retention: Is the data being deleted once it is no longer needed for its original purpose?
- Security: Are there adequate measures in place to protect the data from breaches?
For consumers, this crackdown is a welcome development. It empowers individuals to question why their data is being requested and provides a clear channel for recourse if they believe their privacy has been compromised. The focus on "power asymmetry" directly addresses the common feeling of being unable to say no when asked for personal details.
As the results of the compliance sweep are compiled, businesses across the country will be watching closely. The findings are expected to set a new benchmark for privacy standards and could lead to more significant reforms in how personal data is handled in Australia.





