Telecommunications companies would be able to temporarily share identifiers with banks and government agencies in the wake of data breaches under new regulation proposed by the federal government to help prevent ID theft and scams.
Treasurer Jim Chalmers and Communications minister Michelle Rowland revealed the amendments to the Telecommunications Regulations 2021 on Thursday following the Optus data breach that exposed the personal information of 9.8 million Australians.
The regulations, which are yet to be rubber stamped by the Governor-General, are the first of several proposed reforms flagged by Home Affairs minister Clare O’Neil in the immediate aftermath of the breach.
While the changes are specifically in response to the Optus breach, they will apply to all telcos for the next 12 months, with the government to review the need for the regulations at that time.
“These regulations will be the latest in a raft of rapid but very measured initiatives under this government in response to this breach with the sole purpose of keeping Australians safe,” Minister Rowland said, referring to ongoing investigations by the Federal Police.
The regulations will enable telcos to share identifier information like drivers licence, Medicare and passport numbers, with APRA-regulated financial institutions to allow them to implement credit monitoring and other identity protections for customers affected by a data breach.
Telcos will also be able to share identifiers with federal, state and territory agencies to “detect and assist in preventing fraud” under the proposed changes, removing any ambiguity around the sharing of data.
Optus was criticised by the government earlier this week for not providing the details of customers with compromised credentials like Medicare cards in a timely matter so that Services Australia could put in place security measures to prevent fraud.
Minister Rowland said the regulations had been designed with “strong privacy and security safeguards to make sure that only limited information is made available for a specific set of designated purposes”.
Names, addresses, dates of birth or other personal information beyond driver’s licence, Medicare and passport numbers cannot be shared, with financial services institutions, which will be required to make a number of undertakings in writing to receive the data.
“[Financial institutions] need to comply with the Privacy Act obligations to the Australian Competition and Consumer Commission which are enforceable under Australian consumer law,” Treasurer Chalmers said.
Entities will also need to meet APRA’s cyber security standards and other protocols for data transfer and storage, ensure that the information they’re seeking is necessary and proportionate, and ensure they destroy any information when it’s no longer needed.
Minister Rowland said the new regulations come ahead of the government “reviewing the current privacy regime and the way in which Australians’ personal information is collected, used and disclosed”.
Greater penalties for data breaches and changes to the Notifiable Data Breaches (NDB) scheme are among the other long-term changes being considered by the government following the data breach.
Information and Privacy Commissioner Angelene Falk earlier this week said it is “timely” to consider changes to penalties to create a “deterrent that’s more than the cost of doing business”.
The Australian Information Industry Association (AIIA) earlier on Thursday called on the government to release draft legislation for proposed changes to the Privacy Act before the end of the year in the wake of “recent high-profile data breaches”.
“The process of updating the Privacy Act has been in train for almost two years. The AIIA is calling on the government to now move to releasing an exposure draft before the end of the year for consultation to ensure citizen data and trust is protected and maintained,” it said.
“The AIIA believes that the Privacy Act is the appropriate legislative vehicle to deal with current data and privacy concerns and can resolve many of the questions the public is rightfully asking around retention of private data and identification documents.”
The AIIA has specifically asked for the government to remove the exemption for small business to comply with the Privacy Act and to harmonise the Notifiable Data Breaches scheme with “high global standards such as the General Data Protection Regulation (GDPR).
The Attorney-General’s Department is expected to present the government with a final report from the review before the end of the year, with Attorney General Mark Dreyfus last week indicating it is a “matter of urgency”.
