The Optus data breach – an earthquake whose aftermath is still being felt
In the wake of the Optus data breach, amendments to the Telecommunications Regulations 2021 were introduced in October 2022. They enable telcos to disclose certain customer data to financial institutions (generally banks), the Commonwealth, and States and Territories, in order to manage the risks of malicious cyber activities.
Other changes enable telcos to provide government agencies with information to help prevent fraud. The changes will apply for 12 months and will then be reviewed by government, with no parliamentary discussion required.
However, requesting personal information carries additional privacy considerations that government entities need to be aware of.
What can government do under the amendments?
The amendments allow telcos to temporarily share certain government identifier information such as driver licence, Medicare and passport numbers with regulated banks and the Commonwealth and States and Territories. The information may be requested to:
- prevent a cyber security incident, fraud, scam activity or identity theft
- respond to a cyber security incident, fraud, scam activity or identity theft
- respond to the consequences of a cyber security incident, fraud, scam activity or identity theft
- address malicious cyber activity.
The regulations include safeguards to ensure customer information is only made available for the purposes above. In addition, certain security requirements must be met, including that information or documents:
- must be stored in a manner that prevents unauthorised access, disclosure or loss
- must be destroyed when no longer required
- if not required to be destroyed, the entity must review its need to retain the information or document at least once every 12 months.
The provisions also allow the government entity requesting the information to share it with an associate (for example, a related company or contractor), but only to the extent necessary for one of the purposes listed.
In addition, a written commitment must first be obtained from the associate on the same terms that the entity is required to provide the telco.
The government has undertaken extensive consultation across Commonwealth agencies, regulators, Optus, the banking sector, telcos, and the Australian Information Commissioner in considering its approach.
This demonstrates a commitment to give financial institutions the resources to further enhance protection from financial crime, and warrants government agencies doing all they can to support them in this endeavour.
Interplay with the Privacy Act
Banks must also comply with the Privacy Act 1988 and the Australian Privacy Principles (APP) when handling information received from a telco.
The Office of the Australian Information Commissioner says that banks must still consider whether the information is reasonably necessary for their functions in accordance with APP 3.
In other words, they need to have clear reasons for collecting the information. In particular, if they could achieve the same outcomes using information they already hold, or they have other reasonable alternatives, it may not be reasonably necessary to request the information.
The Commissioner has also emphasised the importance of banks having robust and effective systems in place to ensure information is only used for the purposes allowed by the regulations. A government agency dealing with a bank request for information may wish to check that such systems do indeed exist.
Other considerations
ComputerWeekly, a media organisation that reports on the IT industry, believes that organisations with strong data retention regimes are in a good position to cope with the latest regulations at a technical level, but may need to adapt some of their business practices.
In particular, it says, the demand for systems that can automate the retention and destruction of records may increase.
Likewise, the growing use of immutable storage – which prevents data from ever being changed or deleted – could complicate banks’ ability to comply with the new regulations.
As responsible agents, government agencies should be aware of these considerations and act accordingly, ensuring that they, and those with whom they share data, are able to manage it in a way that complies with the new regulations.
Other proposed reforms
The Federal government is considering reforms to the Privacy Act, including increased fines for breaches, and whether entities should be permitted to retain data when the information may have only been needed to establish someone’s identity. These reforms should provide further much-needed protection for consumers, particularly as data breaches are becoming more frequent.
However, in the wake of the Optus data breach, the question is whether even more needs to be done.
If you have any questions regarding this article, please contact Michael Cossetto.
Author: Norman Donato and Isabella Krstanovski
Supporting partner: Michael Cossetto