Federal Privacy Commissioner, Timothy Pilgrim, has issued a `please explain’ email to Google Australia after the search engine giant revealed in an email to Pilgrim that it still has a portion of data collected from unsecured Wi-Fi networks in Australia by Street View vehicles during 2010.
A Senate inquiry in 2010 found that Google Australia collected data from home networks via its Street View cars, noting private emails, web addresses, as well as passwords were among the data captured.
In the emailed letter, dated 27 July, a Google spokesperson said that it had re-scanned thousands of disks from the Street View inventory and found that it continued to have payload data from Australia and other countries.
“We are in the process of notifying the relevant authorities in those countries,” read the email.
“Google intends to delete the Australian disks that we located. If you would prefer that we take another course of action, please advise us by 3rd September 2012 so that we can ensure no steps are taken in that regard without further consultation with you.”
In Pilgrim’s report, dated 6 August, and addressed to Google Australia’s head of public policy and government affairs, Iarla Flynn, Pilgrim wrote that the National Privacy Principle 4.2 (NPP2) requires an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP2.
“I do not require Google to retain the additional payload data and, unless there is a lawful purpose for its retention, Google should immediately destroy the data,” Pilgrim wrote.
He also requested confirmation from an independent third party that the data will be destroyed.
“Further, I would also request that Google undertakes an audit to ensure that no other disks containing this data exist, and to advise me once this audit is completed,” he said in the email.
“I would add that I am concerned that the existence of these additional disks has come to light, particularly as Google had advised that the data was destroyed. Organisations that retain personal information that is no longer required could leave individuals at risk should it be misused.”
The Office of the Australian Information Commissioner (OAIC) conducted its own investigation into the collection of the payload data under the Privacy Act. After that investigation, Google Australia advised the OAIC in March 2011 that all payload data was destroyed and that it had committed to working more closely with the Privacy Commissioner.