Privacy considerations for financial services entities receiving data from a carrier or carriage service provider under the Telecommunications Regulations

11 October 2022

Overview

The Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 amends the Telecommunications Regulations 2021 (the Regulations) to enable a carrier or carriage service provider to disclose certain customer data to financial services entities.

Financial services entities must comply with the requirements set out in the Regulations as well as their existing obligations under the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs) when handling information received from a carrier or carriage service provider under the Regulations.

The purpose of this guidance is to highlight key privacy considerations for financial services entities when handling this information. It does not cover the entirety of an entity’s privacy obligations and it should be read in conjunction with the Privacy Act and the APPs, the Regulations, the Australian Privacy Principles guidelines and other OAIC resources referred to in this guidance.

Specified information or document

The Regulations enable a financial services entity to make a written request to a carrier or carriage service provider for ‘specified information’ or a ‘specified document’ (the information). The Regulations provide that the information includes one or both of the following:

  • the government related identifiers (within the meaning of the Privacy Act) of one or more individuals who are, or were, customers of the carrier or carriage service provider
  • personal information of a kind specified by the Minister in a notifiable instrument about one or more individuals who are, or were, customers of the carrier or carriage service provider.

Common examples of ‘government related identifiers’ include Australian passport numbers, driver licence numbers issued by State and Territory authorities and Medicare numbers.

Key privacy considerations

Collection of personal information

It is important to note that the Regulations do not require financial services entities to collect the information. The Regulations provide a framework for financial services entities to request the information and authorise a carrier or carriage service provider to disclose the information provided the requirements and conditions set out in the Regulations are met.

In these circumstances, financial services entities must still consider whether the collection of the information is reasonably necessary for their functions and activities under APP 3 (Collection of solicited personal information).

Financial services entities must have clear and justifiable reasons for collecting the information. For instance, if entities could achieve the same outcomes using information they already hold, or if there are reasonable alternatives available, it may not be reasonably necessary to request the additional information from the carrier or carriage service provider.

This is supported by the requirement in the Regulations that a request to a carrier or carriage service provider for the information must state, in the opinion of the financial services entity, that the disclosure of the information or document is necessary and proportionate to deal with a cyber security incident, fraud, scam activity, identity theft or to address malicious cyber activity.

Transparency and notice

Under APP 1 (Open and transparent management of personal information), an APP entity must have a clearly expressed and up-to-date APP privacy policy about how it manages personal information (APP 1.3). A financial services entity should consider whether updates to its privacy policy are required in the circumstances.[1]

Under APP 5, an APP entity that collects personal information must take reasonable steps either to notify an individual or to ensure the individual is aware of certain matters. APP 5.1 acknowledges that it may be reasonable for an APP entity not to take any steps to provide a notice or ensure awareness of all or some of the APP 5 matters.

The key consideration is what is reasonable in the circumstances. Relevant considerations include where the impracticability of notification, including the time and cost, outweighs the privacy benefit of notification, or where notification may jeopardise the purpose of collection or the integrity of the personal information collected and there is a clear public interest in the purpose of the collection.

Using or disclosing the information

APP 6 applies to the use or disclosure of personal information and APP 9 applies to the adoption, use or disclosure of government related identifiers.

APP 6.2(b) and APP 9.2(c) permit the use or disclosure of personal information, and government related identifiers, if required or authorised by or under an Australian law. The definition of ‘Australian law’ under the Privacy Act includes regulations made under an Act of the Commonwealth and includes the Regulations.[2]

The Regulations contain strict requirements around how financial services entities may use and disclose the information. Specifically, financial services entities must only handle the information for the sole purpose of enabling them to take steps to:

  • prevent a cyber security incident, fraud, scam activity or identity theft, or
  • respond to a cyber security incident, fraud, scam activity or identity theft, or
  • respond to the consequences of a cyber security incident, fraud, scam activity or identity theft, or
  • address malicious cyber activity.

Financial services entities need to have robust and effective practices, procedures and systems in place to ensure the information is only handled for the prescribed purposes. This may require additional restrictions around access to systems and staff training to ensure the information is handled appropriately (discussed further under ‘Security of information’ below).

Adoption of government related identifiers

Under APP 9 (Adoption, use or disclosure of government related identifiers), an organisation must not adopt a government related identifier of an individual as its own identifier.

An organisation adopts a government related identifier if it collects a particular government related identifier of an individual and organises the personal information that it holds about that individual with reference to that identifier. Financial services entities must not adopt a government related identifier received from a carrier or carriage service provider as their own identifier.

Security of information

Under APP 11 (Security of personal information), entities must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure.

Where an entity no longer needs personal information for any purpose for which it may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified (APP 11.2).

In addition, the Notifiable Data Breach (NDB) scheme applies to all entities with personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.

The Regulations also require a financial services entity to give the Australian Competition and Consumer Commission a written commitment that it will comply with specific security-related requirements including, but not limited to, that:

  • the entity will only access, use or disclose the information for the purposes set out in the Regulation and only in accordance with the requirements of the Privacy Act
  • the entity will only share the information with an ‘associate’, which includes related bodies corporate and contractors of the entity, to the extent that this is necessary for the prescribed purposes[3]
  • if the entity is a body approved by the Minister, the entity will only share information with another financial services entity to the extent that this is necessary for the prescribed purposes
  • if the entity is a financial services entity (aside from a body approved by the Minister), the entity will not share the information with any other third parties
  • the entity will store the information in a manner that prevents unauthorised access, disclosure or loss
  • the entity will destroy the information once it is no longer required for the purposes set out in the Regulation
  • unless the information is destroyed sooner, the entity will review its need to retain the information or document at least once every 12 months, and
  • the entity has appropriate written procedures to ensure that the information or document is handled in accordance with these requirements.

Consistent with the existing requirements that apply to all personal information, financial services entities must ensure they have effective measures in place to protect the information at all stages of the information lifecycle to ensure compliance with APP 11 and the specific conditions set out in the Regulations.[4]

These measures should include ICT security, access security, physical security, processes for responding to data breaches, and robust privacy and security governance arrangements. Privacy and security governance arrangements should include appropriate training to ensure staff are aware of their privacy and security obligations and the requirements of the Regulations when handling the information, resourcing, documented policies and procedures, and management oversight to foster a culture of privacy.

Destroying information is also an important risk mitigation strategy and entities should ensure they securely and irretrievably destroy the information when it is no longer required for the purposes set out in the Regulation.

More detailed guidance can be found in the OAIC’s Guide to securing personal information.

Privacy impact assessments

We encourage financial services entities to consider undertaking a privacy impact assessment (PIA) to identify and mitigate the risks that may be associated with the collection of the information from a carrier or carriage service provider.

A PIA can assist an entity to determine whether the collection of information is necessary and proportionate in the circumstances and provides a useful framework to help identify and mitigate privacy risks and impacts that may be associated with handling the information.

For instance, a PIA may assist financial services entities to identify whether additional security or other measures are necessary to protect the information and ensure it is only utilised for the limited purposes set out in the Regulations. Mitigating privacy issues will help reduce the risk of experiencing a data breach, which could trigger entities' notification obligations under the NDB scheme.

The OAIC has produced a suite of resources to assist APP entities to conduct PIAs, including a Guide to undertaking privacy impact assessments and a Privacy impact assessment tool.

OAIC resources

More detailed guidance is available in the following resources available on the OAIC’s website:

Footnotes

[1] APP 1.4 sets out the information that must be included in an APP privacy policy which includes, but is not limited to, the kinds of personal information the entity collects and holds, how the entity collects and holds the information, and the purposes for which the entity collects, holds, uses and discloses personal information.

[2] ‘Australian law’ is defined under s 6(1) of the Privacy Act.

[3] An ‘associate’ is defined in s 6 of the Regulations as an employee of the entity, a related body corporate of the entity, an employee of the related body corporate, or a contractor of the entity.

[4] The Regulations also require an authorised officer of the entity to give the Australian Prudential Regulation Authority an attestation that the entity meets the requirements of Prudential Standard CPS 234 ‑ Information Security, as in force from time to time.