Australia is set to change its privacy laws so that telcos can work more closely with financial services institutions and government agencies to mitigate the impact of a data breach on customers. Proposed amendments to the country’s Telecommunications Regulations 2021 would allow the temporary sharing of certain personal data to support these efforts.
The Federal Government said the amendments would better protect Australians after last month’s Optus data breach, which compromised a range of customer data, including the numbers of identification documents such as driver’s licences and passports.
The proposed regulatory changes would allow telecommunications operators across the country to temporarily share certain government identification data, such as Medicare and passport numbers, with financial service providers. This is intended to enable enhanced monitoring and safeguards for customers affected by a data breach, Australian Treasurer Jim Chalmers’ office said in a statement on Thursday.
Chalmers added that the changes would allow for better coordination between telecommunications operators, financial institutions, and federal and state government agencies to detect and mitigate the risks of cybersecurity incidents.
“The proposed regulations have been carefully crafted with strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes,” Chalmers said.
The changes will apply to all financial institutions regulated by the Australian Prudential Regulation Authority (APRA), excluding branches of foreign banks, with personal identifying information to be used only to “prevent or respond” to cybersecurity incidents, fraud, scam activity or cases of identity theft.
Under the proposed amendments, the Minister for Communications would also be empowered to specify additional entities, where necessary, that are related to or support an APRA-regulated organisation.
Entities wishing to receive the data must submit written undertakings to the Australian Competition and Consumer Commission (ACCC) that they will comply with their obligations under the Privacy Act 1988, and certify to APRA that they meet all relevant data security standards. They must also confirm, in writing, that the data they seek is “necessary and proportionate”.
In addition, approved recipients of the data must adhere to information security requirements and protocols for all data transfer and storage, and must destroy the information once it is no longer needed.
The Council of Financial Regulators’ Cybersecurity Working Group will further examine and report on options to improve the ability of financial services institutions to identify customers and credentials at risk of being compromised.
Chalmers said, “The proposed changes will enable increased detection of fraud in the broader financial services industry through existing industry mechanisms for reporting fraudulent transactions, such as fraud information exchanges.
“Financial institutions can play an important role in targeting their efforts to protect customers most at risk of fraudulent activity and scams following the recent Optus breach. These new measures will help protect customers against scams and detect system-wide fraud,” he said.
Chalmers noted that, following the Optus data breach, the government had worked with banks and financial regulators to “facilitate the safe and secure sharing of data” between the Singtel-owned telecommunications company and regulated financial institutions.
Commenting on the planned regulatory changes, APRA said it would work with the ACCC and relevant government agencies to coordinate the required steps and manage the “controlled process” of data sharing between Optus and APRA-regulated entities. It reiterated that the shared data would be used only for monitoring purposes and to protect customers affected by the data breach.
Of Optus’ customer base of 9.8 million, 1.2 million had at least one current and valid identification number compromised in the breach. The compromised data of the remaining 7.7 million customers did not contain valid or current identification numbers, but included other personal information such as email addresses, dates of birth and phone numbers.
The Australian telecoms operator said on Monday it had appointed Deloitte to conduct an “independent external review” of the breach, which would include an assessment of its security systems, controls and processes.