Optus Data Breach: Regulatory Changes Announced, But Legislative Reform Still Needed

(MENAFN- The Conversation)

In response to Australia's biggest ever data breach, the federal government will that stop telcos sharing customer information with third parties.

It's a necessary step to deal with the threat of identify theft faced by 10 million current and former Optus customers. It will allow Optus to work with banks and government agencies to detect and prevent the fraudulent use of their data.

But it's still only a remedial measure, intended to be in place for 12 months. More substantive reform is needed to tighten Australia's loose approach to data privacy and protection.

Read more:

The changes – by Treasurer Jim Chalmers and Federal Communications Minister Michelle Rowland – involve amending the .

This a piece of“subordinate” or“” to the . Amending the act itself would require a vote of parliament. Regulations can be amended at the government's discretion.

Under the Telecommunications Act it is a criminal offence for telcos to share information about“the affairs or personal particulars of another person”.

The only exceptions are sharing information with the (which enables those with hearing or speech disabilities to communicate by phone), to“authorised research entities” such as universities, public health agencies or electoral commissions, or to police and intelligence agencies .

That means Optus can't tell banks or even government agencies set up to prevent identity fraud, such as the little-known , who the affected customers are.

The government says the changes will only allow the sharing of“” – driver's licences, Medicare and passport numbers.

This information can only be shared with government agencies or financial institutions the Australian Prudential Regulatory Authority. This means Optus (or any other telco) won't be able to share information with the Australian branches of foreign banks.

Financial institutions will also have to meet strict requirements about secure methods for transferring and storing personal information shared with them, and make undertakings to the Australian Competition and Consumer Commission ( ).

The information can be shared only“for the sole purposes of preventing or responding to cybersecurity incidents, fraud, scam activity or identify theft”. Any entity receiving information must destroy it after using it for this purpose.

These are incredibly important safeguards given the current lack of limits on how long companies can keep identity data.

Read more:

Although temporary, these changes could be a game changer. For the next 12 months, at least, Optus (and possibly other telcos) will be able to proactively share customer information with banks to prevent cybersecurity, fraud, scams and identity theft.

It could potentially enable a crackdown on scams that affect both banks and telcos – such as .

But this does not nullify the need for a larger legislative reform agenda.

Australia's data privacy laws and regulations should put limits on how much data companies can collect, or for how long they can keep that information. Without limits, companies will continue to collect and store much more personal information .

Read more:

This will require amending the federal Privacy Act – subject to a now nearing three years in length. There should be limits on what data companies can retain, and how long, as well as bigger penalties for non-compliance.

We all need to take data privacy more seriously.

MENAFN06102022000199003603ID1104976455

Legal Disclaimer:
MENAFN provides the information “as is” without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the provider above.