Tuesday, December 04, 2012

An abuse of privacy

Geneva Finance is a finance company. You know the sort - car loans, "debt consolidation", basically legal loan sharks. Its a shitty business, and when loans go bad, companies like Geneva use shitty tactics to try and recover the money - harassing debtors at work, trying to wheedle information out of government departments and so forth (the Privacy Commissioner's collection of case notes is very enlightening about the sort of tactics this industry uses). But Geneva has gone beyond that: they used FYI, the public OIA request site, to lodge an OIA request with Housing New Zealand for a client's new address. This isn't just a matter of publicly shaming them with a record which will hang around in Google forever - they also thoughtfully included their full name, previous address, and date of birth, exposing them to identity theft.

FYI takes privacy seriously, and they removed the request very promptly. But someone sent me a (privacy-sanitised) screenshot:

request

The Privacy Commissioner is pretty clear that even inadvertently shaming someone is unacceptable behaviour by a debt-collection agency, and that case-law goes back decades. But this is well beyond that. Publicly labelling someone on an open website as a bad debtor is a wanton release of personal information. Including a date of birth in such a release is so far beyond irresponsible that it can only be seen as actively malicious. It breaks every rule in the privacy rulebook. But pretty obviously Geneva Finance doesn't give a shit about that. And they won't, until they start getting expensive reminders of the law which make such tactics deeply unprofitable.