Optus Data Breach: Time for change?

Published 05 Oct 2022 | 3 min read
The Optus data breach has exposed how harmful a cyber incident can be. Many are now calling for changes. But it’s important that we get it right …

Privacy 108’s Dr Jodie Siganto is the head of the Australian Privacy Foundation’s Telecommunications and Internet Committee, and has helped draft the APF’s Call for Action. Released yesterday, the Call for Action identifies 6 steps the government should take now to try and prevent similar incidents and reduce the consequences in the future.

The Australian Privacy Foundation calls for the following:

  • An immediate review of statutory data retention obligations in Australia, particularly those applicable to telecommunications providers, to confirm the necessity and proportionality of those requirements;
  • A minimum set of security controls be prescribed for organisations with large holdings of personal information (like that held by Optus) – as a stand-alone exercise or as part of the development of risk management plans under Australia’s critical infrastructure laws;
  • Appropriate reforms to the Privacy Act in the current Privacy Act Review including the introduction of a data minimisation principle, a right to erasure, and a right to sue for damages for breach of the Privacy Act so that individuals in Australia who suffer a data breach can individually and collectively advance their claims in court;
  • Strengthening Australia’s mandatory data breach notification scheme to include immediate notification to people affected wherever there is a critical data breach and the provision of clear instructions on steps to take to mitigate potential harms. Organisations need to have the systems or processes in place to enable them to meet these requirements;
  • Extended powers for the Australian Information Commissioner and Privacy Commissioner and increased penalties for breaches, as the Commissioner has also demanded;
  • Commitment to ensuring that the Office of the Australian Information Commissioner has the resources needed to perform its statutory oversight functions rigorously and effectively.

The Optus data breach points to the need for extra-vigilant cyber security by telecommunication service providers in the face of increasing risks of hacking. But it also raises broader policy questions about the need for Australian entities to collect and hold large amounts of personal data including identity data, the length of mandatory data retention, and the case for giving Australians a right to have their data erased and a right to claim damages under the Act for data breach.

The time for complacency is over. We know the government is working on a response to the Optus data breach. We hope that response includes the above, to ensure that Australians can regain the trust and confidence in our biggest entities and the government regulators that is so vital to our national well-being and prosperity.

Australian Privacy Foundation Call for Action – Optus Data Breach

October 10, 2022
