InnovationAus
Brandon How

Use new cyber strategy to address Privacy Act reforms: OAIC

Australia’s privacy watchdog has recommended that the federal government consider implementing the proposed Privacy Act Review reforms in the upcoming cybersecurity strategy.

In particular, the Office of the Australian Information Commissioner (OAIC) highlighted “strengthening the NDB [notifiable data breach scheme]” and removing the small business exemption from the Privacy Act to establish “baseline security protections across the economy”.

Strengthening the NDB scheme includes shortening the requirement to inform those affected, from 30 days to 72 hours, expanding reporting requirements around remediating actions in response to a data breach, and “an express requirement for entities to take reasonable steps to implement practices, procedures and systems to enable them to respond to data breaches”.

Implementing the reforms recommended under the Privacy Act Review would also bring Australia “more in line” with international privacy and security standards, giving Australia the opportunity to contribute to global discussions on the issues, according to the OAIC.

The recommendations were made in an OAIC submission to the ongoing consultation on the 2023–2030 Australian Cyber Security Strategy.

The federal government will release the new strategy later this year, with the aim to make Australia the “world’s most cyber-secure country by 2030”. McKinsey is one of the consultancies that has been brought in to provide project management work.

The Privacy Act Review found that many submissions “suggested small businesses are often the ‘weakest link’ in supply chains”, a finding echoed by the Actuaries Institute, which noted that cyber attackers are increasingly shifting their focus towards smaller firms “as easier targets”.

The OAIC also called for greater information sharing between government agencies and regulators, facilitated by legislative amendment where appropriate.

This would ensure there is consistency across the whole-of-government regulatory approach to enhancing cybersecurity by reducing duplication.

It also highlighted a need to consider any potential duplicative oversight requirements across the multiple frameworks that relate to cybersecurity, “including the Privacy Act and the Security of Critical Infrastructure (SOCI) Act as well as frameworks regulated by the Australian Securities and Investment Commission, and the Australian Prudential Regulation Authority”.

The regulator suggested that the new National Office for Cyber Security could be a “potential mechanism to centralise and consolidate guidance produced by government agencies and regulators to assist entities”.

It broadly welcomed the office and the new national cybersecurity coordinator, acknowledging the need for “greater centralisation and coordination of whole-of-government responses to data breaches and cyber incidents” in the wake of the Optus and Medibank data breaches.

The OAIC also urged caution regarding a proposal, highlighted in the cybersecurity strategy discussion paper, that ‘customer data’ and ‘systems’ be included in the definition of ‘critical assets’ under the SOCI Act.

It flagged that any SOCI Act amendments should be accompanied by “relevant amendments ensuring that protected information can be disclosed to the OAIC so that it can continue to exercise its powers and functions”.
