[LINK] Australian data breach notification law?
Adam Todd
link at todd.inoz.com
Thu May 3 12:16:35 AEST 2007
At 02:55 AM 3/05/2007, Howard Lowndes wrote:
>One of the biggest problems is the relevance of the data being
>sought. The other day I signed up to Engin VoIP and one of their
>mandatory form requirements was either your driving licence number
>or your passport number.
I get so frustrated when dealing with people who demand information
over the phone or on a form. "Oh it's required by the Privacy Act"
or worse "We can't give anyone the information because of the Privacy Act".
Then I ask them what the Principles of the Privacy Act are and they
say "Huh?" Or even more interesting, I ask what their company
turnover is, they will argue with me that they can't tell me because of
the Privacy, so I toss at them that the Privacy Act does apply to
companies with a turnover less than $3 million, do they have an
income of greater than $3 million. The answer is usually a dead giveaway :)
>What is the relevance of either to a VoIP service?
The Telecommunications Act requires that anyone requesting a
telephony service in Australia provide Identification suitable to
identify the person.
The issue is - does the Telco check? No. They don't have authority
to go to the RTA and get your details. The Privacy Act prevents that
data being given.
On the point of giving information (licence numbers etc) I have made
it a policy when dealing with Government to always use a Government
issued ID that was issued long before all the changes to databases
and such. Yes, using a DL doesn't prevent data farming and
matching. I unfortunately have used my DL in non Government
situations and I know it's on databases that can provide chains of
linking information. I keep a record of EVERY form of ID used and
for what it is used and to whom.
I NEVER let anyone take a photocopy of any photo ID. If they require
said copy then they are required to arrange a JP to sign across the
photo to ensure that the copy is verified and that it can't be easily
scanned and used.
>In point of fact, it might be quite possible that some old dear, who
>wants to keep in touch with the family by low cost phone calls,
>would have neither.
Yes, plenty of people don't have a Passport, and many don't have a
Drivers Licence.
Date of Birth is another I argue with. I always ask what it's being
asked for and the answer is always the same "Security Reasons."
I've posted on the Date of Birth issue before, so I won't repeat what
is in the archives. The number of people who know my name, address,
phone number (publicly available from a google search) and the ease
of accessing my DOB from any number of places, makes it not a viable
security tool. So I always tell them that I'll give them a fake DOB
that way it's secure and only their database, my wife and I will know
what it is.
I can almost celebrate my birthday on every day of the year
now. Only a few more to go :)
When it comes to street address, I tell people I can't give it to
them, I don't have a lawful one. If they get all antsy about it, I
fax them a copy of the Judgement of Barr J from August 2006 and leave
it at that. It works 99% of the time. Hard to argue with a Judge!
>Needless to say, the licence number I gave was bogus.
Under the Crimes you could be charged with Fraud. You have given
knowingly false information on a commercial application which forms
part of the T&C of trade with the business, so you entered into a
contract with a Fraudulent response.
There is a case law example of this, but I can't place my finger on
it right now.
>I could see a great taxation opportunity for governments based on
>the volume of data that businesses want to hold.
Didn't Sweden introduce a Bit Tax on data across the Internet in the 1990s?
>I have no idea how it would be managed, but if businesses were to be
>hit in the bottom line for holding excess data, then the result
>could only be positive.
Great idea! So now the Government wants to audit our servers and
laptops! (smirk)