Legally Mine! by Brenda van Rensburg Head of Data Security, Terrene Global Privacy Officer/Analyst for HBF This article is adapted from a paper presented at a Law Society of Western Australia CPD seminar on 11 November 2020. It will be presented again on 10 February 2021.
A digital footprint is the trail of data you leave behind with every interaction you have with the digital world.1 From the latest website you visited to the last app you downloaded; your data is important to someone or some entity. Ignorant arguments have been raised which suggests that there is nothing to hide. However, very little attention is given to why this data is being collected. There is a misconception that if you cannot see it then it cannot be real. However, Cambridge Analytica2 has revealed that your digital footprint, your digital data, is more valuable than sensitive information as defined in the Privacy Act.3 The collection, storage and sharing of your data is legal and no consent is needed. Australia’s legislation is limited and unlike the General Data Protection Regulations (GDPR), it does not protect individuals from the collection of this data. Ironically, there is also no legal recourse for an individual who has been a victim to an information data breach.4 Additionally, a person’s reputation and company could experience significant brand damage as a result of
the collection of this data. Without regulations, data is ‘legally mine.’ This article will discuss the collection, storage and sharing of information/data and the steps a business should take to reduce brand damage.
Data v Information There is a significant difference between data and information. The latter is defined in the Privacy Act and is focused on the collection of Personal Identifiable Information which is legible.5 It is, for all intended purposes, the legible text which is collected, stored, and shared. The former, however, is a collection of data which requires normalisation in order to
understand it.6 It is the ‘basic element that can be processed or produced by a computer to convey information.’7 Arguably, without an algorithm, or a specific skillset, the average person would not understand it. The Privacy Act highlights factors which include information and sensitive information that can identify a person.8 Little attention is given to the term ‘data’. Arguably, data is the binary information with no substantial value. Therefore, a person using a tool such as ‘Wireshark’ would legally ‘eavesdrop’ on digital conversation and gather data without a person’s consent.9 Ironically, data is not recognised within the Privacy Act and thus this method is not considered as malicious.
Collection of Data Wireshark is a tool that is used to gather data from any device that uses the same network. To the average person, it lists ‘captured’ data/packets which would have no meaning or value. However, to a trained professional, this data could reveal 25
