00:00It's a real mixed bag.
00:05Companies can hang on to customer data for a range of reasons.
00:10Sometimes they're required to.
00:11They're required to hang on to our metadata for at least two years if they're a telco.
00:17They're required to hang on to financial records, kind of ATO and ASIC require financial records
00:22held on to for five years and sometimes longer.
00:26But a lot of data companies will just hang on to for as long as they can because they
00:30can derive some utility from it, so they'll hang on to that data about us for as long
00:35as they're able to.
00:36So there could well be then customer details being held long after that customer has ceased
00:43being a client or doing business with an organisation and having an account with them.
00:48Is that the case?
00:51It's definitely the case that for, you know, for the case of retaining records for financial
00:57purposes, yes, that will be around for a long time.
00:59Certainly a lot of companies, when you kind of stop your relationship with the company,
01:03they won't necessarily delete your data.
01:06They will merely mark you as no longer a customer.
01:08So your data is all still in the system.
01:11You're just flagged as not active.
01:13So you're still there.
01:14They still have all of your data.
01:15So if that's the case, can you ask, request a company to delete your information from
01:21their database as things stand now?
01:23Now, you can ask companies to remove your data from their systems, but it's a request,
01:29not a demand.
01:26Under the Australian Privacy Principles, you're allowed to get in touch with the company's
01:35privacy officer and say, hey, you've got data on me.
01:38Can I see it?
01:39Can I correct it if it's incorrect?
01:42And if I ask you, can you delete it, please, then it gets a little more complicated and
01:48the company may or may not choose to delete that data.
01:52There are some processes that they go through largely around, are we required to hold it?
01:56What are the costs if we don't?
01:58So you can ask for your data to be removed, but the company doesn't have to say yes.
02:01So do you think it would be a good step forward to make that a legal requirement if a request
02:06is submitted, that a company has to take that information off its files?
02:12Certainly, we think the onus should be on the company to prove why they need to hold
02:16that information and that Australians should be given a lot more power in that conversation
02:21to say, that is my data.
02:23It belongs to me as a human individual.
02:25It doesn't belong to the company.
02:26It's not theirs.
02:28So they get a right to use it while we have a relationship for the purposes of conducting
02:32business.
02:33But once that relationship is over or at my request as an individual, they can't have
02:37that data anymore because it belongs to the individual.
02:39Is the quantity of information companies have on customers or clients an issue as well,
02:46Tom?
02:48Absolutely.
02:48Companies hoover up vast amounts of data about us.
02:53And if you were hanging around in the tech industry a few years ago, you would have heard
02:57people describing data as being the new oil and that companies would rush to gather as much
03:03of it as they can because they could monetize it.
03:05But I think what we're seeing now is that actually data is more like asbestos.
03:09It was useful at the time.
03:11It had a utility for us.
03:14But now it's got problems.
03:16It's pretty poisonous in some ways.
03:18And we have to be really careful of how we handle it.
03:21And so, yeah, companies are gathering lots of data.
03:24There's a risk when they gather that data.
03:25And largely that risk is borne by us as individuals because it's our data about us and our personalities,
03:33our personal demographics.
03:35And that's very hard to change if that gets leaked onto the Internet.
03:39Should the priority, though, still be to tighten security, to stop hackers accessing the information
03:44in the first place rather than getting rid of the information itself?
03:48Information security is incredibly important, and it is a very high priority.
03:55Companies absolutely need to do the right practices to look after the data that they're
04:00holding about us to keep it safe from nefarious people.
04:04But the easiest way to keep information secure is to just not have it in the first place.
04:10And so we can solve a lot of information security problems by reducing the attack surface and reducing
04:16the amount of data that companies hold.
04:18So you're a security expert and you do consultancy work for a tech company.
04:23How do you handle this, Tom?
04:25How do you protect your personal data?
04:27What's your advice?
04:30It's a tricky one because so many companies ask so much of you now, and you cannot just
04:36opt out of society.
04:37You can't just not buy things.
04:40You know, you need to buy things like insurance, and they want to know a lot of information about
04:43you.
04:44So you can't just kind of run into the woods and hide.
04:47But you can be a little more careful.
04:50So making sure you know where your information is going and which companies are handling it.
04:55Making sure that you've got a bit of a handle on the privacy policies of those companies
04:59and what they plan to do with it.
05:02Opting out of kind of data sharing agreements and things that you don't kind of understand.
05:06And you can push back on egregious requests for information that you don't really think
05:13companies will need.
05:14They will ask and ask.
05:16I'm sure many people have that experience of buying something in a shop and being asked
05:19at the checkout for your email address.
05:22They don't need that.
05:23You don't have to give it to them.
05:24You can just buy your things and be on your way.
05:27So it's hard as an individual.
05:29And that's why we really need to invest in some proper society-wide responses to too much
05:36data about us being stored.
05:38Tom Selston, good to talk to you.
05:41Thank you very much.