OAIC updated statement on Optus data breach

29 September 2022

The Office of the Australian Information Commissioner (OAIC) is continuing to seek information from Optus to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

As information is gathered and assessed, the initial focus remains on ensuring that Optus customers have information and resources available to take steps to protect themselves from any further risk to their personal information.

Under the NDB scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

“This is a significant incident that is of great concern to millions of Australians,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

The situation has highlighted a number of issues that all organisations who hold personal information should consider.

“All organisations need to assess the risk a data breach poses to compromising their own customers’ data and ensure additional safeguards are in place,” Commissioner Falk said.

“Entities covered by the Privacy Act must take reasonable steps to protect the personal information that they hold from misuse, interference, loss, unauthorised access, modification or disclosure.”

“Organisations should also make sure that they are only gathering personal information that is necessary to carry out their business,” Commissioner Falk said.

“When that information is no longer required, they must take reasonable steps to destroy or de-identify the personal information they hold. Collecting and storing unnecessary information breaches privacy and creates risk.

“And when any organisation experiences a data breach that is likely to result in serious harm, they must be as clear and timely as possible about what kind of personal information is involved. This allows individuals to take steps to reduce their risk. It also enables organisations across the economy to put in place more targeted security controls.”

Commissioner Falk said the current review of the Privacy Act presents the opportunity to provide stronger deterrence to penalise breaches involving personal information.

“The regulatory framework needs to shift the dial to place more responsibility on organisations who are the custodians of Australians' data, to prevent and remediate harm to individuals caused through the handling of their personal information,” she said.

"Australians need to have the trust and confidence that there is an appropriate regime that incentivises organisations to proactively protect personal information."

Further information about resources available to Optus customers can be found on the OAIC’s website.