The Office of the Australian Information Commissioner (OAIC) has expressed concern regarding the review of Australia’s cyber security legislation, claiming it could cause a clash with the existing Privacy Act.
The discussion paper released as part of that review has suggested expanding the Security of Critical Infrastructure (SOCI) Act to cover “customer data” and “systems”, extending the Act’s reach beyond operational disruptions so that it would also capture major data breaches.
In its submission responding to the discussion paper, the OAIC said it is concerned that the proposed expansion of the SOCI Act could limit its ability to act on data breaches and other incidents.
“While we appreciate that [the SOCI expansion] could potentially allow for an uplift of security standards in relation to the handling of personal information, the OAIC is concerned that an unintended consequence of including ‘customer data’ or ‘systems’ in the definitions of ‘critical assets’ would result in a restriction on our ability to exercise our functions and powers in some circumstances, such as in the event of a data breach,” said the OAIC in its submission.
In addition, the OAIC believes the change could overlap with the Privacy Act, creating a clash between the two regulatory regimes.
“Although the discussion paper does not define ‘customer data’ or ‘systems’, it seems likely that it could constitute personal information and/or information about entities’ security arrangements and data breaches, and so the potential overlap into areas regulated by the Privacy Act will need to be considered,” it said.
Currently, the SOCI Act treats certain information as “protected” and restricts its disclosure, while the OAIC has a “statutory obligation” to be informed of data breaches.
To resolve the clash, the OAIC suggested that the amendment should carve out disclosure to the OAIC as an explicit exception to the non-disclosure rule.
In addition to the above recommendations, the OAIC also warned that the proposed “safe harbour”, which would place an “explicit obligation of confidentiality upon the Australian Signals Directorate (ASD) and the [Australian Cyber Security Centre] (ACSC)”, could slow the response of regulators such as the OAIC.
“Any proposed obligations of confidentiality should be carefully designed in consultation with regulators to ensure that agencies such as the OAIC are still able to obtain the information they need from affected entities at the appropriate time and to exercise their functions and powers in the public interest,” the privacy watchdog said.
The OAIC warned that any changes must still comply with the Privacy Act.