Australian “My Health Record” Was Breached 42 Times Between 2017 and 2018
Last updated September 18, 2021
The Office of the Australian Information Commissioner (OAIC) recently declared that 7-Eleven breached consumer privacy in a 14-month-long survey drive. The multinational convenience store giant collected sensitive biometric information without legally valid notice or consent. According to the company, it photographed customers completing a survey in order to better understand their demographics.
Between June 2020 and August 2021, 7-Eleven placed tablets with inbuilt cameras in 700 stores for a poll, and they gathered as many as 1.6 million responders. The tablets took one photo when a person first engaged with them and another after the questionnaire was completed. The company said it used the personal information to understand demographic profiles and to screen out potentially non-genuine responses.
The OAIC became aware of the practice in July last year and started an investigation. According to the findings of the inquiry, the 7-Eleven tablets retained the recorded facial data for 20 seconds before sending it to a secure server in Microsoft Azure infrastructure hosted in Australia. According to a 7-Eleven spokesperson, the servers then retained the facial data for seven days, during which time the company's representatives used it to identify and correct issues and to reprocess survey entries and responses.
The company has claimed it posted a notice on its website about the survey and the photographic and biometric details it would record. However, the OAIC does not seem convinced that this was appropriate notice to survey responders.
According to Angelene Falk, Information and Privacy Commissioner of Australia, the wide-ranging data collection, particularly of private biometric data, breaches Australia's privacy laws. The convenience store brand "has not justified that collecting its customers’ sensitive biometric information (including facial images and faceprints) was ‘reasonably necessary’ for understanding and improving customers’ in-store experience," the Commissioner further said.
The report mentions that 7-Eleven failed to state how or for how long the facial identification would be used and stored, meaning the company was unable to acquire explicit consent from survey responders to store their facial imagery data. According to the Commissioner, consent is valid when the individual is adequately informed before giving consent, the individual gives consent voluntarily, the consent is current and specific, and the individual has the capacity to understand and communicate their consent.
As a result, the OAIC ordered 7-Eleven to cease collecting the data and to purge all facial data previously collected under the survey.