Handing over personal data: What are my rights?

RNZ
Not every business is following best practice when it comes to storing that information, nor disposing of it when it is no longer needed. Photo: 123rf

It seems almost impossible to make a transaction of any sort these days without being required to hand over personal information.

But that information is not always disposed of when it is no longer needed.

In August, a major audiology chain of clinics admitted much of its customer data had been leaked onto the dark web - potentially including bank account details, patient records and insurance information.

One of those caught up in the Bloom Hearing Specialists hack was Auckland man Russell (full name withheld on request) - and he was not even a customer of theirs.

"I had some hearing loss, industrial deafness. ACC covered me for up to $5000 for hearing aids," he told Morning Report. "I went to Bay Audiology. They gave me a quote and a trial, and I'd actually approached Bloom to see what they had to offer. And they said, 'Oh, we can try these hearing aids for a week.' I ended up deciding I'll just go with Bay Audiology."

But that week-long trial with Bloom, six years later, led to his personal information being leaked online.

"I've never really been a customer, and since I haven't been with them for 6.5 years, they should have deleted my data. And I can't recall how much information they got from me, whether they may have requested my bank account number as security or credit card details as security, but potentially there's a lot of information and also where I had all my ACC details."

The news of the hack was reported in Australia, but went under the radar here in New Zealand until RNZ reported on it on Thursday.

Russell said he was considering complaining to the privacy commissioner.

"The story, from my perspective, is that they haven't deleted the data from very old customers … There's people trying to hack systems all the time, these things can happen, but Bloom should have never had my data for such a long period of time. It should have been deleted. That's what my concern is."

Privacy Commissioner Michael Webster told Morning Report that Russell was "absolutely right".

"You have rights as an individual in terms of what data can be collected from you, but importantly, you also have obligations as a business.

"And the bottom line is data minimisation. Data retention is proving to be the sleeping giant of data security as we see an explosion in cyber attacks around the world."

Under the law, Webster said, only information "that you absolutely regard as necessary for providing the services or products that someone wants" can be collected.

Michael Webster. Photo: VNP / Phil Smith

"If you're concerned about the amount of information being asked for or you don't understand why they want certain types of information, you can ask the agency to explain why and to justify why the collection is necessary. You can, for example, return the form with blanks where you're not convinced the organisation needs the information, and say to them, 'Justify why you need this information.' You can refuse to provide it."

Organisations collecting data might want to reconsider just how much they ask for too, he said, and how long they keep it.

"There's been a lot of cyberattacks over the last few years in both Australia and New Zealand, for example. And you don't collect, or shouldn't collect or hold on to, information you don't need any more. The risk is simply too high for your customers and your organisation, too.

"We've done surveys, I've seen other surveys from overseas, and there is an enormous loss of trust and confidence from having data cyber-hacked. We've seen results which say that seven out of 10 customers, for example, will consider moving from a business that doesn't keep their data and information safe.

"So it is in businesses' best interests to ensure that they have a real focus on data minimisation."

Bloom said it had notified the New Zealand police and privacy commissioner of the breach.

"As with any breach, Bloom Hearing will need to investigate to fully ascertain the size and scope of the breach and any impact on its New Zealand clients," the Office of the Privacy Commissioner said on Wednesday afternoon.

In its August message to customers, Bloom said: "You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to them."

It published a long list of advice on steps to take and how to respond.

"As soon as we became aware of the incident, we took immediate steps to contain it and secure our systems," Bloom said. It was still investigating.

"We sincerely apologise for any distress this incident may have caused."

The Privacy Act contains 13 "information privacy principles that govern how businesses and organisations should collect, handle, and use personal information", the commissioner's website said.

More information about how the Privacy Act works, your rights and organisations' responsibilities is available on the Office of the Privacy Commissioner's website.