John Durie: After the Optus breach, it’s time to reconsider the federal government’s data storage rules

Source: Alexander Sinn

As federal government ministers kick the Optus can down the gutter, the question also needs to be asked about just what data is required by government, for how long, and under whose control.

Often, the onus is on the business to collect the data, which is of minimal use in running the business.

Government is a voracious user of data.

Sydney-based Cynergex is a small business with 35 staff that operates a wholesale pharmaceutical distribution service for doctors and dentists, and runs around 1,000 courses a year for people who need a range of qualifications like first aid and other emergency medicine courses.

The courses sometimes are only half-day refresher courses, and each year the 27-year-old company trains around 10,000 people.

Each time someone does the course they have to fill in a questionnaire, which features about 40 questions on their age, sex, race and other details.

The questions asked are more detailed than those required to send morphine and other drugs to a doctor or dentist, which needs registration number, name and address.

Once the course questions are completed, they are sent to the Australian Vocational Education and Training Management Information Statistical Standard (AVETMISS).

It is a national data standard that ensures consistent and accurate capture and reporting of Vocational Education and Training (VET) information about students, and is part of the Australian Skills Quality Authority.

Cynergex pays a fee running into the thousands of dollars to have the information stored.

Maybe it is necessary detail, but it is also a case in point.

How much information is required by government that isn’t needed by businesses, but the businesses by law have to collect and in some cases, arrange storage?

Just how and why the Optus data breach occurred is not known and is not the issue here. What the cyber SNAFU has done is put the spotlight firmly on data storage and how and why is needed.

If government mandates data collection and storage then maybe it has to come up with some reasons why, as well as those demanded of Optus.

Separately, the ACCC has just handed the federal government its recommendations for tighter regulations on the digital platforms like Google, Meta and Apple, which also focus on data collection and storage.

In this case the data is stored often without people knowing about it and used for commercial purposes like advertising and product development.

This report demands government action given the data control in question.

And the Optus data breach demands that government review its own data demands and how they can be performed.

COMMENTS