The Hon Michelle Rowland MP
Interview with Andy Park, Radio National Drive
SUBJECTS: Optus Breach, Data Sharing, Data holding.
ANDY PARK, HOST: The Federal Government has introduced a series of amendments to help telecommunications providers and financial institutions detect and mitigate cyber risks. Optus will be able to temporarily share driver's licences, Medicare and passport numbers with regulated financial institutions to monitor for and protect against fraud under the changes which will last for one year. It comes after the Australian Federal Police today charged a 19 year old man from Sydney's south for allegedly trying to blackmail people using some of the stolen Optus data. Michelle Rowland is the Federal Communications Minister. Minister, welcome to you. When will these changes come into effect?
MICHELLE ROWLAND, MINISTER FOR COMMUNICATIONS: Well, we anticipate that these will be presented to the Governor General for his assent tomorrow. And the financial services sector and the telco sector have both been widely consulted on these matters, so they are well aware of the regulations and both have expressed a desire to help keep customers safe by utilising their provisions. So we do anticipate that as soon as they come into force that these institutions will be ready to go and be prepared to share that information on the terms of the regulations.
PARK: Because the layman listening to this would be forgiven for misunderstanding, really, that by widening or expanding access to this data that it somehow becomes more insecure. What protections are in place to ensure that there aren't weaknesses in the system when data is shared between telcos and financial institutions?
ROWLAND: Certainly, and I think anyone who has been impacted by this or any other breach, the primary lens through which they're viewing this is a privacy one. People feel violated. It impacts on them potentially financially, but also emotionally. So I do want to reassure your listeners that this regulation has been designed in consultation with the Privacy Commissioner and other relevant agencies and they are very specific. It goes to certain government identify information. There are very clear thresholds on who is allowed to obtain that information, for what purposes, and the fact that it needs to be destroyed when it is no longer required. So I think your listeners can take heed of the fact that this has been very carefully calibrated with precisely those privacy concerns in mind. But at the same time, this is designed in order to provide those financial services institutions with the information they need to keep consumers safe.
PARK: But how carefully calibrated can it be if it's been rushed out in the last two weeks?
ROWLAND: We have consulted extensively on this, including examining the most appropriate and robust form in which this can be introduced. And we have determined that the best way to do this is through regulations under the Telecommunications Act and we have ensured that there are those protections in place. There are also undertakings that need to be provided and very clear guidance on the terms on which this information will be enabled to give you.
PARK: Minister on Sunday, two cabinet Ministers, Bill Shorten and Clare O'Neil, called for better cooperation from Optus. Now we see these changes. Is Optus able to legally share this information as the regulations currently stand?
ROWLAND: Certainly. And I think the key point here is to understand that under the Telecommunications Act there is a very specific requirement that telecommunications operators are not permitted to disclose the contents of communications or certain personal information attached to it. And that is a blanket rule, it is an offence to contravene it. There are a number of exemptions that apply and that would enable that sort of data sharing. But I think what we have seen in this instance is that Optus did not consider that it has the authority under those exemptions. And it also became abundantly clear that the scale and scope of this particular incident is one that certainly wasn't contemplated at the time the Telecommunications Act came into force. So what we have done is put forward these regulations. But also I think your listeners can be assured that we are taking a whole of government approach to this across departments and agencies, including law enforcement agencies. And the primary concern is to ensure that consumers risk is mitigated. We know that fraud and scams are out there, unfortunately at a rate that we haven't seen before, and unfortunately they keep getting bigger. So I would also urge all your listeners to be extra vigilant as well at this time. Of course, these regulations will assist banks and other financial institutions to be able to undertake that detection and help to mitigate the risk of malicious activity. But also consumers should have that heightened sense. If you, for example, receive a text and it looks suspicious, do not open links, you do not have to answer phone numbers that you don't recognise, in particular at this time, I think consumers should be extra vigilant.
PARK: It's thirteen past six, RN Drive with Andy Park. Communications Minister Michelle Rowland is here talking about the changes to protect your data. Obviously, well, going back to that exemption that you mentioned under the Telecommunications Act, Minister, Optus told the government they weren't able to share data under existing exemptions. So was the criticism of Optus on this measure alone a bit premature?
ROWLAND: I think it should be understood that there are other laws that apply across this sector, including providing information to other government agencies. But the primary concern here is about ensuring that Optus and other telcos are able to share this particular data with financial institutions for the sole purpose of ensuring that that detection, mitigation of risk and assisting in preventing fraud [indistinct] complied with.
PARK: Sorry, but it's just for twelve months, right? So if I was holding on to some of this information and I had nefarious ambitions for it, couldn't I just hold on for twelve months until that period concludes and then do what I like with the data?
ROWLAND: Well, for people receiving, in institutions receiving the data under this regulation, they are very defined. So this doesn't just go to anyone. They have to be a particular financial service entity who is an APARA regulated financial institution and that excludes branches of foreign banks. And there is a reason why this regulation sunsets in twelve months and why the data needs to be destroyed if it's no longer required by those receiving parties. And that is precisely because we understand that people have privacy concerns in this area. We needed to balance financial institutions being able to undertake that sort of activity to mitigate risk, but also completely understand that the privacy lens through which consumers are viewing this is a very valid one.
PARK: With respect Minister, one of the biggest sort of pools of data for most people is the government itself. In terms of personal data, we've all torn our hair out from time to time using MyGov or Centrelink. What's the government doing to tighten its own cybersecurity to ensure that hackers can't access some of those sensitive services using stolen personal information?
ROWLAND: Well, one of the reasons why we've put these regulations in place is to enable Optus and other telcos to share that limited information about customers with government agencies to assist in preventing fraud. So this in turn enables those government agencies to be able to do what they need to do to help prevent that malicious activity going on. But I certainly think that this incident has been, as the Prime Minister said, a wake up call for corporate Australia and certainly for those large entities who are holding large amounts of data, sometimes for many years and sometimes across a very broad range of categories. The telco sector is but one example. And I think it's important to recognise that these regulations have been specifically targeted towards doing exactly what is needed to be done in this very clear instance, and that is to keep consumers safe.
PARK: Minister, I appreciate your time tonight on RN Drive.
ROWLAND: Pleasure.
PARK: That's Michelle Rowland, the Communications Minister.