The Law Council of Australia has asked the government to deal with invasive personal data collection practices as part of a potential Cyber Security Act.
The council’s submission to the government’s cyber security discussion paper, published yesterday [pdf], said any Cyber Security Act should also look at ways Australians can verify their identity without providing excessive amounts of personal data.
It called for “a review of government legislation that requires the retention of records by both government and businesses, with a view to whether that retention is warranted, and the duration of that retention”.
The council wants the cyber security review to mirror the current review of the Privacy Act, and look at “government legislation that require the retention of records by both government and businesses as to whether that retention is warranted and the duration of that retention”.
It was also critical of Commonwealth exemptions to Australian Privacy Principles, saying the exemptions should be re-examined.
Governments should, the LCA suggested, be required to obey Australian Privacy Principle 11.2, which requires entities to “destroy or de-identify all personal information which they no longer need for any purpose”.
Australia also needs “less invasive” ways to verify identity, the council said.
In addition to the framework proposed in the Trusted Digital Identity Framework (TDIF), the council suggested that token-based authentication and a “digital passport” should be included in the Cyber Security Act to minimise unnecessary personal data collection.