The recent Optus cyber-attack has brought a renewed focus on the adequacy of Australia’s privacy laws. Is this a matter of non-compliance with the Privacy Act? Or does it highlight the need to implement changes recently proposed? In any event, the Optus hack invites questions as to the collection and retention of personal information.


In November 2021 we discussed the previous government’s discussion paper relating to proposals to amend the Privacy Act and the Australian Privacy Principles (APPs). With the change of government earlier this year, Attorney-General Mark Dreyfus indicated an intention to expand the scope of consultation, circulate a draft bill by the end of the year and pass new laws within the new government’s first term. It appears that the Optus hack has now prompted the Attorney-General to shorten that timetable and have reforms passed this year.

Media reports indicate that personal information and sensitive information of approximately 10 million individuals was exposed in a cyber-attack on Optus. Personal information included email addresses, Medicare numbers, driver’s licence numbers and passport numbers.

Existing Laws

However, the Privacy Act (and other rules) already specifies how entities regulated by the Privacy Act (APP Entities) store information including government-issued IDs such Medicare numbers, driver’s licences, and passports. That invites questions over whether Optus was complying with its existing obligations under the Privacy Act and APPs. It is acknowledged that telecommunications companies including Optus were exempted from laws relating to the security of critical infrastructure, which could have imposed additional obligations on Optus as to how it managed personal information. Those exemptions could now be removed.

Further, the APPs also specify that an APP Entity can only use personal information for the purpose for which it collected the personal information (unless an individual consents or would reasonably expect that information to be used for another purpose). Information used to verify identity as part of know-your-client obligations should be destroyed or de-identified once it has served that purpose, or encrypted if there is an ongoing limited purpose. Again, that invites questions over whether Optus was complying with existing obligations.

In other words, the Privacy Act and the APPs already impose requirements on APP Entities to ensure they collect limited personal information, store personal information appropriately, and to destroy and de-identify personal information once it has served its purpose. 

Discussion Paper and Changes

The Discussion Paper did highlight a potential tightening of the definitions of ‘primary purpose’ and ‘secondary purpose’. The APPs could be amended and provide more particularity and guidance regarding issues of purpose, in order to make clearer that the ongoing retention of know-your-client information is not permitted unless reasonably necessary.

The Discussion Paper did raise a number of issues that have been highlighted by the Optus hack. There is now a stronger case for the following measures to be implemented, which we covered in our previous article:

  1. Tightening of rules regarding collection of personal information and sensitive information, requiring specific consent. That is, there could be a strengthening of what is required to demonstrate consent, to mean a clear affirmative act, that is voluntary, informed, unambiguous, specific and current. Pro-privacy default settings could also be mandated. A reduced amount of personal information held by an APP Entity should result in a reduced amount of personal information potentially being stolen in the event of a hack. Further, tightening of rules regarding the collection and buying of personal information from third parties should have the same effect. Such rules invite an APP Entity to question why particular personal information is being requested from an individual or third parties
  2. Increasing both penalties and the range of remedies for Privacy Act breaches in line with those applicable under Australia’s consumer laws. This will have deterrent implications for APP Entities and assist in ensuring compliance
  3. To that end, the regulator, OAIC, should be better resourced to enforce not only proposed amendments but also existing legislation. A well-resourced effective regulator that brings proceedings will, again, have deterrent implications for APP Entities and assist in ensuring compliance
  4. Introducing a right to sue for individuals as well as other reforms for the initiation of actions by individuals. This includes a statutory action of serious invasion of privacy, which would allow an individual to sue an APP Entity for serious breaches, and obtain remedies including damages. Existing laws provide minimal assistance to Optus customers. A statutory action of serious invasion of privacy, as proposed by the Australian Law Reform Commission, will force APP Entities to take both existing and future obligations under the Privacy Act and the APPs more seriously. The statutory action created 10 or so years ago in relation to consumer guarantees breaches provides both guidance and precedent as to how such an action may operate in practice, and serve to quash any alarmist opposition by APP Entities


Businesses should be mindful of developments in the area of privacy. Amendments to Australia’s privacy laws will change what personal information is collected from individuals, how that information is managed and potentially introduce significant consequences for non-compliance with both existing and potential new privacy laws.

Further information / assistance regarding the issues raised in this article is available from the author Bill Fragos, Special Counsel or your usual contact at Moray & Agnew.