The federal government has announced emergency regulations designed to help banks and agencies protect customers caught up in the Optus data breach.
The regulations announced today will be in place for 12 months, and will slot into the Telecommunciations Regulations 2021.
Treasurer Jim Chalmers and communications minister Michelle Rowland today announced that the government will amend regulations to allow telecommunications companies “to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities.”
Carriers will be allowed to share “approved government identifier information” (driver’s licences, Medicare number, and passport numbers) with “regulated financial services entities” so they can monitor affected customers.
A separate regulation will allow those identifiers to be shared with Commonwealth, state and territory governments.
Rowland emphasised that the regulation would only allow a limited amount of data to be shared, with only a very limited number of organisations.
Names, addresses, dates of birth and similar personal information would be excluded from the sharing regulations.
Information shared under these regulations can only be used “for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identify theft”.
Companies using the regulations have to make commitments to the ACCC (that they will comply with the Privacy Act) and the Australian Prudential Regulation Authority (that they meet information security standards).
Organisations receiving information under the regime must destroy it when it is no longer needed.
The government has also asked the Council of Financial Regulators’ cyber security working group to provide data sharing options that would “further improve the ability of financial institutions to identify at risk customers and credentials”.
Growing calls for Privacy Act review
Rowland also told today’s press conference the government it intends to accelerate a review of the Privacy Act, but did not commit to a timeframe.
Earlier this week, information and privacy commissioner Angelene Falk told the ABC’s 730 program she has “recommended to government that there should be a positive obligation on all entities to handle data in a fair and reasonable way and that shifts the obligation on individuals having to navigate these privacy policies, and it means that they can rely on the fact that the entity is actually dealing with their information in a way that they would expect.”
Falk also said she believes the Privacy Act’s exemption of businesses with a turnover of less than $3.1 million is obsolete.
“I have recommended to government that it's time to we relook at that small business exemption. We can see now that even very small businesses can hold vast arrays of data.
"You can develop an app in the garage and suddenly you've got millions of Australians’ personal information.
“So they should be required to secure it in the same way as big companies, and of course it's a scalable obligation. It's reasonable steps. It depends on the sensitivity of the data that an organisation holds and the risk attached to it.”
The Australian Information Industry Association (AIIA) has added its voice to the fast-track calls, among other things backing Falk’s statement that the small business exemption should be abandoned.
The AIIA today called for the government to release an exposure draft of proposed changes to the Privacy Act.
“The AIIA believes that the Privacy Act is the appropriate legislative vehicle to deal with current data and privacy concerns and can resolve many of the questions the public is rightfully asking around retention of private data and identification documents”, it said.
“The security of sensitive citizen data must be a priority wherever it lies.
"The time has come for small businesses to fall under the Privacy Act and we would support measures to ensure SMEs can fully comply, including additional time for compliance and education”, AIIA CEO Simon Bush said.
Domestic data breach schemes should be aligned with European GDPR standards, the AIIA added.
.png&h=140&w=231&c=1&s=0)
Tech in Gov 2024
