Screen scraping to be reined in

John Kavanagh

A Treasury discussion paper on options for regulating screen scraping makes clear that, in a period of heightened concern about online scams and fraud, the controversial data sharing technology will not survive in its current form.
 
The paper, Screen Scraping – Policy and Regulatory Implications, says: “Fighting scams and fraud is one of the government’s priorities. Asking consumers to engage in any practice in which they disclose log-in and password information to third parties runs counter to IT security practices, advice provided by the Australian government, banks’ terms and conditions and MyGov’s terms of use.”
 
Policy options outlined in the paper include tighter Privacy Act provisions, mandating the ePayments Code and changes to the Consumer Data Right (CDR) rules to encourage greater take-up.
 
Screen scraping, or digital data capture, relies on consumers giving banking and other log-in details to third parties that can then harvest their data to provide services. Its users include lenders, mortgage brokers, accountants and financial planners.
 
Last year’s Statutory Review of the Consumer Data Right recommended that screen scraping be banned. The review said screen scraping was a less secure way of capturing data than CDR processes and that banning it would encourage a more widespread transition to the CDR.
 
The Treasury discussion paper says screen scraping is inconsistent with best practice cyber security advice and may pose risks to consumers. It increases the number of parties that hold log-in details, creating opportunities for malicious activity.
 
Under screen scraping arrangements, the third party may have ongoing access to the consumer’s account information.
 
Another concern is that consumers who consent to digital data capture may not fully understand what they are signing up for.
 
CDR is considered safer because it does not require consumers to share log-in details. The CDR rules also offer protections around how data is collected, used and disclosed – and for how long.
 
The paper says there is some support in the industry for screen scraping to continue alongside CDR. But that position does not carry much weight in the discussion.
 
Currently, screen scraping is not regulated explicitly, although the Privacy Act covers the collection and handling of personal information.
 
Consumers who share their log-in details may lose protections available to them under the ePayments Code, which provides indemnities for losses caused by unauthorised transactions.
 
Changes to the Privacy Act may include a new “fair and reasonable” test for handling personal information and requirements to conduct privacy impact assessments for activities with high privacy risks.
 
The government could also remove the current small business exemption, meaning the Privacy Act would apply to many more businesses.