There was a time when our full names, phone numbers, birthdays and home addresses were considered private information – shared cautiously with friends, family and our employers.
But at some point this information stopped being so personal.
As we began providing our data every time we shopped online or signed up for a new service, corporations hoovered it all up.
We’re now at the point that, after historic hacks of Optus and Medibank, experts aren’t even very concerned for millions who have had such data stolen by criminals.
It’s assumed, often rightly, that this once-personal data has already been leaked in one hack or another already.
See for yourself – visit haveibeenpwned.com and enter your personal data. You might be one of the millions of people already listed with leaked data on the site.
In the six months to June, almost 400 companies admitted to the cyber watchdog they had been hacked – that’s more than two every day.
And while most are small scale, large-scale data breaches are becoming far more common, as we’ve seen in recent months.
Professor Chad Whelan, Deakin University’s expert in ransom groups, says the hard truth is that many of the almost 10 million customers who had their data stolen in the Medibank breach had likely already had such information stolen previously.
“Most of that data has already been breached in some way, shape or form,” Dr Whelan said.
Australians hand over troves of data
These days even doing everyday activities requires handing over vast amounts of information.
TND has trawled through the privacy and data-collection statements of a variety of organisations and businesses, showing how everything from finding a job to opening a bank account and even volunteering requires Australians to cough up enough information to leave them vulnerable.
Looking to donate your time to the local op-shop? You’ll need to hand over your home address, birthday and previous work history – and that’s just the tip of the iceberg.
You may also need to consent to a third-party background check that will scour your credit score, health data, past addresses, passport or licence numbers, and even information about your “personal preferences”.
What about finding a place to live? Prospective renters across the country are being asked to provide bank statements, utility bills, Medicare cards and even car registration details when applying.
This information is often used to verify identities in ways that minimise risks of other crimes, but without information about how all this information is being used, Australians are left in the dark.
As ACCC deputy Delia Rickard told TND this week, there’s little transparency from businesses like real estate agents about where this data goes, how long it is stored and whether it is secured.
David Vaile, chair at advocacy group the Australian Privacy Foundation, said much of this data is being taken by companies with no legal basis.
Unlike banks, which are required to obtain 100 points of ID before letting someone set up an account, businesses like real estate agents and retailers face no such legislative hurdles.
Instead, Mr Vaile says many companies are merely hoovering up all this data because it has become standard practice, or is regarded as good business in a world where user data is valuable.
“There’s no obligation to do this,” he said.
“They’re within scope where they have discretionary power to do it.
“Businesses just want to do this because data might come in handy. Information is power.”
No turning back
Unfortunately, Mr Vaile says there’s no turning back time on the generational intrusion of privacy Australians are suffering through.
There are hopes, however, that law reforms and broader education about the risks of sharing excessive personal data will curb the worst intrusions.
Mr Vaile said Australia must consider changing from a nation in which companies maximise the data they collect to one in which they minimise stored data.
Even when companies must verify a person’s identity, there is no reason that personal data must be stored, sometimes for years.
“They could still do what they need to do; in many cases all they need to do is to cite information – yes, I saw they did have a driver’s licence, I held it in my hand,” he said.
“They could stop collecting this data and the world wouldn’t end.”