Australia’s privacy regulator is concerned that changes to cyber security regulation in Australia could undermine its ability to respond to privacy breaches.

The Office of the Australian Information Commissioner (OAIC) has aired its concerns in its submission to the government’s cyber security discussion paper.

One proposal in the discussion paper was that the Security of Critical Infrastructure Act (SoCI) have its scope expanded beyond threats and breaches to operational technology, to include customer data and systems.

“The OAIC is concerned that an unintended consequence of including ‘customer data’ or ‘systems’ in the definitions of ‘critical assets’ would result in a restriction on our ability to exercise our functions and powers in some circumstances, such as in the event of a data breach,” the privacy regulator said.

Such an extension of SoCI risks creating contradictory regimes: if a SoCI-regulated entity suffers a customer data breach, SoCI requires the information to be treated as “protected” and not disclosed, in spite of a “statutory obligation” for the OAIC to be informed.

“This may also impact the ability of the OAIC to effectively investigate and otherwise handle complaints made by individuals,” the office said.

The OAIC proposed that if the SoCI amendments proceed, they should be accompanied by protections for disclosure to the OAIC.

The OAIC’s other concern is the “safe harbour” proposal made in the discussion paper.

The proposal suggested that the Australian Cyber Security Centre and Australian Signals Directorate be put under a confidentiality obligation.

That way, information shared with them during a data breach would not be passed on to regulators.

This is intended to address the reported reluctance by some companies to disclose their data breaches to the ACSC and ASD.

The OAIC said any such change in cyber security legislation can still ensure entities comply with the Privacy Act, including reporting notifiable data breaches to the regulator.