Telcos can now give personal information to banks
In the fallout from the Optus data breach in September 2022, Optus wanted to liaise with the banks to help the banks protect their customers from attempted frauds using personal information stolen from Optus. However Optus was prevented from doing this because of provisions in the Telecommunications Act 1997 (Cth) that prohibit telecommunications carriers and carriage service providers from disclosing customer information to third parties.
To remove this obstacle, amendments were made to the Telecommunications Regulations 2021 (Cth) by the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 (Cth) (the “Instrument”). The amendments took effect from 12 October 2022.
The Instrument is only temporary and the changes to the regulations will be automatically repealed 12 months after they come into effect.
The amendments let telecommunications carriers and carriage service providers share certain types of customer information with financial services entities and government bodies.
The information flow permitted is one way only – the Instrument does not authorise the recipients to disclose information back to the carrier or carriage service provider.
Who can receive the information?
The Instrument restricts access to the data to “financial services entities”, Commonwealth government entities and State and Territory authorities.
Financial services entities are defined as entities that are regulated by the Australian Prudential Regulation Authority (“APRA”), including authorised deposit-taking institutions, general insurers, life insurers, registrable superannuation entities and their licensees, and private health insurers.
The Minister has been given the power to extend the class of financial services entities to include entities that provide services to APRA regulated entities. These services must be directly related to (or support) the provision of services by or to an APRA regulated entity, and the services provided by the entities approved by the Minister must be directly related to (or support) the purpose for the disclosure.
Information that can be shared
The information that can be shared includes government related identifiers (such as driver licence, Medicare and passport numbers) of current and past customers. The Minister can also specify other personal information by issuing an instrument.
Information requested by the financial services entity
Information can only be shared with a financial services entity if the carrier or carriage service provider has received a written request from an officer of the financial services entity. The request must state that the information is required only for the purpose of enabling the entity to take steps to:
prevent a cyber security incident, fraud, scam activity or identity theft;
respond to a cyber security incident, fraud, scam activity or identity theft;
respond to the consequences of a cyber security incident, fraud, scam activity or identity theft; or
address malicious cyber activity (a “Permitted Purpose”).
The request must also state that, in the opinion of the officer, the disclosure of the information is necessary and proportionate to deal with the cyber security incident, fraud, scam activity, identity theft or cyber activity.
ACCC commitments
The carrier or carriage service provider is not allowed to disclose information to a financial services entity under the Instrument unless it has been notified by the Australian Competition and Consumer Commission (“ACCC”) that the entity requesting the information has given the ACCC a written commitment confirming that:
it will only share the information with an associate to the extent necessary for a Permitted Purpose (“associates” include employees, related companies and contractors), and it will obtain a written commitment in the same terms from an associate (other than an employee of the entity) before sharing the information with that associate;
if the entity is a non-APRA regulated financial services entity, that it will only share the information with another financial services entity to the extent necessary for a Permitted Purpose, and it will obtain a written commitment in the same terms from another financial services entity before sharing the information with that other entity;
if the entity is an APRA regulated financial services entity, it will not share the information with any other third party;
it will only access, use or disclose the information for a Permitted Purpose and only in accordance with the Privacy Act 1988 (Cth) (the “Privacy Act”);
it will store the information in a manner that prevents unauthorised access, disclosure or loss;
it will destroy the information once it is no longer required for a Permitted Purpose;
unless the information is sooner destroyed, it will review its need to retain the information at least once every 12 months; and
it has appropriate written procedures to ensure that the information is handled in accordance with these requirements.
If a financial services entity gives these commitments to the ACCC and does not comply with them, the entity may find itself liable for a breach of the Australian Consumer Law. Financial services entities that intend to obtain information under the Instrument therefore need to ensure that they can make these commitments.
Other conditions
Another condition of disclosure to a financial services entity is that the information is disclosed in a secure and trusted manner or, if the Minister has approved a secure and trusted manner, in the manner approved by the Minister.
APRA regulated financial services entities must also provide APRA with an attestation signed by an authorised officer, confirming that the entity is complying with Prudential Standard CPS 234 – Information Security.
Privacy Act implications
Under the Australian Privacy Principles (“APPs”) in the Privacy Act 1988, one of the permitted uses of personal information which does not require the consent of the individual is where the use is authorised by an Australian law (APP 6.2(b)). Use of the information disclosed under the Instrument would fall into this category.
The APPs also require an APP entity to take reasonable steps to notify an individual of certain matters, or otherwise ensure that the individual is aware of them. This is to be done at or before the time of collecting personal information, or if that is not practicable, as soon as practicable afterwards (APP 5.1).
One of the matters that must be notified is whether the APP entity collects personal information from someone other than the individual, and if so, the circumstances of collection (APP 5.2(b)). This would include collecting information under the Instrument from a carrier or carriage service provider.
APP entities that receive personal information under the Instrument may therefore need to consider whether their existing notices to customers will cover information collected under the Instrument, or whether further steps may be reasonably required to notify customers affected about the collection of this information.
The Office of the Australian Information Commissioner has published guidance on privacy considerations for financial services entities receiving personal information from a carrier or carriage service provider under the Instrument.
Patrick Dwyer and Kathleen Harris
Legal Directors