Optus Data Breach: Calls for Privacy Act Reforms

Written by: The Hilltops Phoenix

optus data breach

In the wake of the recent Optus Data Breach, which has been branded “Australia’s largest ever data breach” there have been calls for reforms to the Privacy Act 1988 (“Privacy Act”).

However, it is noted that in 2019 the Australian Government had already announced it would conduct a review of the Privacy Act with a view to ensure privacy settings empower consumers, protect their data and best serve the Australian economy.

The review came about as a response to the Australian Competition and Consumer Commission’s (“ACCC”) Digital Platforms Inquiry. Submissions were sought in response to the Issues Paper, published in October 2020 seeking feedback on potential issues relevant to the reform.

It has been discussed for quite some time that the Privacy Act is considered by some as “woefully out of date” and “not suitably fit for purpose” in the digital age.

The recent Optus breach, amongst other substantial data security breaches in the past five years (including Canva, ProtectorU, Australian National University, Service NSW, Australian Parliament House and other Government breaches) has led to increasing discussion regarding fast-tracking Privacy Act Reforms.

The Issues Paper identified a number of matters to be considered, including: the scope and application of the Privacy Act in relation to the definition of ‘personal information’; general permitted situations for the collection, use, disclosure and erasure of personal information; effective protection and proportionate framework for promoting good privacy practices; current exemptions; notification and consent requirements; the possibility of introducing a statutory tort under Australian law for serious invasions of privacy; and the effectiveness of enforcement powers and mechanisms under the Privacy Act.

One of the concerns with respect to the Optus Breach has been the retention of personal information.

Given the broad interpretation of primary and secondary purposes for the collection of personal information, there are currently no strict requirements on entities to delete personal information after an individual ceases or concludes interactions with that entity.

There are also concerns with respect to the collection of information. As it currently stands, the Privacy Act provides that an entity can only use or disclose personal information for a purpose for which it was collected (the primary purpose) or for a secondary purpose if an exemption applies. The issue on this front is that entities are able to creatively interpret these laws, and identify that they require the information for additional purposes, such as targeted marketing and advertising.

The Privacy Act contains 13 Australian Privacy Principles (APP) which organisations (that are not defined as small businesses) must adhere to in relation to the collection, use, disclosure, storage and management of personal information. APP 11 states that an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss as well as unauthorized access, modification and disclosure. In the case of the Optus Breach, it is likely that if pursued, the Office of the Australian Information Commissioner (OAIC) will lead to a finding that Optus has breached APP 11 in relation to the protection of information from unauthorized access.

While it is not clear if or when the changes to the Privacy Act, including the Online Privacy Bill will be passed, there are a number of considerations that may be taken into account early from a business perspective. Consider reviewing and future proofing contracts to ensure that they provide appropriate rights and protections that may be needed in the future; assess any existing direct data collection, sharing, licencing or procurement arrangements; review and update privacy compliance – including governance practices, privacy policy, terms and conditions and collection notices; and conduct privacy impact assessments as necessary.

The contents of this article are general in nature. For advice specific to your circumstances, please contact your legal practitioner.

Steph Cooke

Stay Connected

    Subscribe

    Get in Contact

Hilltops News to your inbox

Sign up now for the latest news from the Hilltops Area direct to your inbox.

HGH Motor Group