We got close this year to a mandatory data breach notification scheme for Australia. It proposed to impose fines and make public the details of organisations that failed to inform customers and staff who had their identifying information compromised.

At present, you wouldn’t know whether a breach of your identifying information has happened. What you would likely experience is some form of misuse that goes unexplained, particularly if the breach involved criminal hacking.

Let’s say a large supermarket chain offers a reward scheme for its customers, encouraging them to scan every time they’re at the checkout.

What’s not clearly stated in the interim card new subscribers may collect is that the scanning means that their buying habits – that is the food and other items they buy – is captured when they shop and scan.

Let’s say that same organisation collects this data and passes it on to a life insurance underwriter, so that it can start to tailor how it markets its products, and more importantly, calculate what it thinks your life expectancy is going to be and what premiums to charge. How would it do this? By looking at the groceries you buy each week and modelling the health impacts on this consumption. Can they do that? Under the privacy laws and regulations they can.

You would only know this if you read the terms and conditions that say by accepting and using this card, customers consent to sharing buying behaviours with third parties.

The reality is that if any of us has a problem with what big business and big government do with our data, there’s not a lot that can be done to say “no”. Of course we have a legislative right to say no, but often this is not a practical right.

Over the past few weeks a number of IDCARE clients have raised issues involving their employer or even local school who are demanding that they provide highly vulnerable identifying information, such as driver licence and passport details, online to either government or third parties. Failing to do so for these clients will result in a refusal to maintain their professional practice registration or access their children’s report cards online.

You may think that these clients are being a little melodramatic. Far from it.

The government agencies involved have been the most high-profile data breach sites witnessed recently.

• Dr David Lacey is IDCARE managing director and a Senior Research Fellow at the University of the Sunshine Coast.