In response to Australia’s largest-ever data breach, the federal government will temporarily suspend the regulations that stop telcos sharing customer information with third parties.
It is a necessary step to counter the threat of identity theft now facing 10 million current and former Optus customers. It allows Optus to work with banks and government agencies to detect and prevent fraudulent use of their data.
But it is still only a stopgap measure, intended to last 12 months. More sweeping reforms are needed to tighten Australia’s loose approach to data privacy and protection.
Changing regulations, not legislation
This is a piece of “subordinate” or “delegated law” to the Telecommunications Act 1997. Changing the law itself would require a vote in parliament. Regulations are subject to change at the discretion of the government.
Under the Telecommunications Act, it is an offence for telcos to disclose information about “another’s business or personal data”.
The only exceptions are sharing information with the National Relay Service (which allows people with hearing or speech impairments to communicate by telephone), with “authorised investigative agencies” such as universities, public health authorities or election commissions, or with police and intelligence agencies acting under a warrant.
That means Optus can’t tell banks, or even government agencies created to prevent identity fraud such as the little-known Australian Financial Crimes Exchange, who the affected customers are.
Important safeguards
The government says the changes only permit the sharing of “government approved credentials” – driver’s licence, Medicare and passport numbers.
This information can only be shared with government agencies or with financial institutions regulated by the Australian Prudential Regulation Authority. This means that Optus (or any other telco) cannot share information with the Australian branches of foreign banks.
Financial institutions will also have to comply with strict requirements regarding secure methods of transferring and storing personal information shared with them, and make commitments to the Australian Competition and Consumer Commission (which can be enforced in court).
The information may only be shared “for the sole purpose of preventing or responding to cybersecurity incidents, fraud, scams or identification theft”. Any entity that receives information must destroy it after it has been used for this purpose.
These are incredibly important safeguards given the current lack of limits on how long companies can keep identity data.
What is needed now?
While temporary, these changes could be a game changer. Over the next 12 months, Optus (and potentially other telcos) will be able to proactively share customer information with banks to help prevent cybersecurity incidents, fraud, scams and identity theft.
It could also allow a crackdown on scams that affect banks and telcos alike, such as fraudulent texts and phone calls.
But this does not negate the need for a larger legislative reform agenda.
Australian data privacy laws and regulations should set limits on how much data companies can collect and how long they can keep it. Without such restrictions, companies will continue to collect and store far more personal information than they need.
This requires an amendment to the federal privacy law, which has been under government review for almost three years now. There should be limits on what data companies can keep and for how long, and there should be higher penalties for non-compliance.
We all need to take data privacy more seriously.