Date: 2022-10-10

New South Wales minister for customer service and digital government, small business, and fair trading Victor Dominello has called for a “national inquiry” into how data breaches are dealt with to find ways to “significantly reduce the oversharing of personal information.”

The call comes as the federal government and dozens of state agencies continue to grind through the expensive re-issuance of credentials ranging from passports and driver’s licences to Medicare cards in the wake of the massive Optus hack that spilled personal identity information for more than 10 million current and former customers.

“There are many lessons to be learnt from the Optus data hack. The fundamental one — is that we “over-share” so much personal information — which potentially EXPOSES us to cybercrime,” Dominello said on LinkedIn.

“People often share copies of their driver’s licence when they rent a house, hire a car, open an account etc., etc. Every time a copy of your licence (passport, birth certificate etc) is shared — it potentially goes into the wild.”

The call for a national inquiry and conversation significantly ups the pressure on Canberra to expedite the rollout of a working digital identity system that can be used by consumers to prove who they are instead of businesses being forced to collect document identifier numbers.

With NSW widely regarded as the digital services leader among Australian jurisdictions, Dominello on Monday upped the ante on projects in the pipeline that could soon be delivered.

“Your personal information was once considered hot property 🔥 … it should now be treated like a hot potato 🥔 — but instead of passing it on — pass it back ✅,” Dominello said.

“Better still — in the future — you won’t have to share it in the first place — watch this space”.

While the federal government has flagged significant revisions to the Privacy Act to toughen penalties and obligations for organisations that hold personal identifier information (PII) as a response to the Optus breach, others like Dominello are questioning the actual need for data collection, as opposed to exchange, to validate identity.

Chief executive of the Council of Small Businesses of Australia Alexi Boyd told The Mandarin her organisation was highly supportive of privacy, but that government and regulators needed to take into account what was already in place rather than just creating more new regulations.

“What we have concerns about is [whether] there will be more of an impost on small businesses in terms of reporting,” Boyd said, adding that what was already being reported needed to be factored in.

Many sectors already had rules around privacy and data, with professions like bookkeepers and accountants already strictly bound in terms of their obligations.

“Filling in yet another form” would not of itself fix the problem, Boyd said.

Boyd said that a nationally consistent and interoperable digital identity scheme was something “we do need to be examining”.

Labor has recently, for the first time, indicated its support for the idea of a national digital identity scheme, such as myGovID and the Trusted Digital Identity Framework (TDIF), after largely blanking the topic before and during the election campaign.

It’s understood the digital ID topic will now be put on the agenda for the forthcoming digital ministers’ meeting as a matter of urgency.

Data-protection experts caution that an all-singing, all-dancing digital identity scheme for everything may not be the fastest and most effective way forward.

“There is a danger we will respond to the Optus breach the wrong way, by spending ever more money to keep magic numbers secret, when we should be investing in making raw numbers worthless to criminals,” Stephen Wilson, the head of Lockstep Consulting told The Mandarin.

“We need to get over our obsession with ‘identity’. We hardly ever need to reveal our identity when there is something specific that matters in a transaction — be it age, credit card number, citizenship, licence to drive, or telephone number,” Wilson said.

“We consumers should be able to prove each number that matters, nothing more and nothing else.”

Wilson said Optus was “perhaps the worst ever example” of the perils of loose data “but the real problem with data is that lost data is dangerous.

“The community needs proper protection of data so it can’t be misused without authorisation.”

“There are technologies for people to prove their bona fides without revealing anything else or being over-identified: verifiable credentials in digital wallets,” Wilson said.

“These are broadly similar in structure to digital wallets like Apple Pay, where you click-to-pay, and digitally present just your payments credentials.”
