Australia moots changes to privacy laws after Optus data breach

Government is revising regulations to allow telcos to temporarily share some of their customers' personal information, such as driver's licence and passport numbers, with financial services institutions to facilitate monitoring and remediation in the event of a data breach.
Written by Eileen Yu, Senior Contributing Editor

Australia is moving to change its privacy laws, so telcos can better work with financial services institutions and government agencies to mitigate the impact of a data breach on customers. Proposed amendments to the country's Telecommunications Regulations 2021 Act will allow the temporary sharing of some personal data to facilitate such efforts. 

The federal government said the amendments would better safeguard Australians following the Optus data breach last month, which compromised various customer data including identification document details such as driver's licence and passport numbers.

The proposed regulatory changes would allow telcos in the country to temporarily share certain government identifier data, such as Medicare and passport numbers, with financial services providers. The aim is to facilitate enhanced monitoring and safeguards for customers affected by a data breach, the office of Australian Treasurer Jim Chalmers said in a statement Thursday.

He added that the amendments would enable better coordination between the telcos, financial institutions, as well as federal and state government agencies to detect and mitigate the risks of cybersecurity incidents. 

"The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes," Chalmers said. 

The amendments will apply to all financial institutions regulated by the Australian Prudential Regulation Authority (APRA), excluding branches of foreign banks, with the personal identifier information only to be used for "preventing or responding" to cybersecurity incidents, fraud, scam activities, or instances of identity theft.

Under the proposed changes, the Communications Minister also will be empowered to specify additional service entities, where required, that are related to or that support an APRA-regulated organisation. 

Entities that wish to receive the data need to submit written commitments to the Australian Competition and Consumer Commission (ACCC) that they will comply with their obligations, outlined under the Privacy Act 1988, and attest to APRA that they meet all relevant data security standards. They also have to confirm, in writing, that the data they seek is "necessary and proportionate".

In addition, approved recipients of the identifier information must meet information security requirements and protocols for any transfer and storage of data. The information also must be destroyed once it is no longer required. 

The Council of Financial Regulators' cybersecurity working group will further examine and report on options to enhance the ability of financial services institutions to identify customers and credentials under risk of compromise. 

Chalmers said: "The proposed changes will allow for increased fraud detection in the broader financial services sector through existing industry mechanisms to report fraudulent transactions, such as fraud information exchanges.

"Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach. These new measures will assist in protecting customers from scams, and in system-wide fraud detection," he said. 

Following the Optus data breach, he noted that the government had been working with banks and financial regulators to "facilitate the safe and secure sharing of data" between the Singtel-owned telco and regulated financial institutions. 

Commenting on the planned regulatory changes, APRA said it would work with ACCC and relevant government bodies to coordinate the required steps and manage the "controlled process" of data sharing between Optus and APRA-regulated entities. It reiterated that data shared would only be used for the purposes of monitoring and protecting customers affected by the data breach. 

Amongst Optus' customer base of 9.8 million, 1.2 million had at least one number from a current and valid form of personal identification compromised in the breach. The compromised data of the remaining 7.7 million customers did not contain valid or current identification numbers, but encompassed other personal details such as email addresses, birth dates, and phone numbers.

The Australian telco said Monday it appointed Deloitte to conduct an "independent external review" of the breach, which would encompass an assessment of its security systems, controls, and processes. 

The Office of the Australian Information Commissioner (OAIC) last week revealed it was seeking information from Optus to ensure the telco had complied with requirements outlined in the Notifiable Data Breaches (NDB) scheme.

Applicable to organisations covered by the Privacy Act 1988, the NDB scheme requires affected individuals and the OAIC to be notified "as quickly as possible" if the organisation experiences a data breach that is likely to result in serious harm to individuals whose personal information is compromised. 

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the current review of the Privacy Act would provide stronger deterrence of breaches involving personal information. "The regulatory framework needs to shift the dial to place more responsibility on organisations who are the custodians of Australians' data, to prevent and remediate harm to individuals caused through the handling of their personal information," Falk said.
