Australian banks don’t think dead people’s data should be as well protected as the living because community attitudes to the issue are unclear, despite law reform commissions arguing for better protections.
In a submission to the current review of the Australian Privacy the Australian Banking Association, which represents most major Australian banks including all the Big Four, argues against widening the definition of personal information to include that of deceased people “until there is an established community expectation”.
The Attorney General’s Department is currently conducting a review of the Australian Privacy Act, spurred by the ACCC’s landmark Digital Platforms Inquiry. The wide ranging review includes the consideration of whether the term personal information should be updated.
If personal information is expanded it would mean data holders would need to better protect and govern more data.
The ABA says it supports the law review, including updating the definition of personal information to capture technical data related to an individual and clarify the position of inferred information. But de-identified data and the data of deceased people should not be included in any update to the personal information definition, according to the industry group.
“The ABA notes that there is a broader discussion in the community regarding the memorialisation of a deceased person and any enduring rights that their next of kin or estate may have to their personal and digital data including their digital persona which has yet to be settled,” the submission says.
“There does not appear to be a general community consensus on this issue.”
While not an explicit question in the review’s issues paper, the subject of deceased people’s data is raised, including the fact some state laws extend privacy protection to the handling of information about deceased individuals by state public sector agencies.
Protections for the handling of deceased people’s data vary by state. In NSW, for example, personal information is subject to privacy protection for up to 30 years following an individual’s death. In the Northern Territory protections extend to five years.
Under the current Australian Privacy Act, protections for personal information does not apply to the deceased, unless the information also identifies a living person.
However, the Australian Law Reform Commission in 2008 recommended the Act be amended to include protections for the personal information of individuals who have been dead for 30 years or less where the information is held by an organisation, including the private sector.
More recently the NSW Law Reform Commission recommended changes to privacy laws to deal with requests to access and manage personal information of deceased individuals.