
Consumer Data - Breaches and Rights

Consumer data collected by organisations is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles established under that Act [see Australian Privacy Principles (APPs)]. The Office of the Australian Information Commissioner (‘OAIC’) administers the Act and the APPs [see the OAIC website or the Law Handbook page on the OAIC].

Individual industries have further obligations to protect consumer data, such as the Telecommunications Consumer Protections Code [in particular clause 3.7].

Data Breaches

A data breach occurs when personal information is accessed or disclosed without permission (or is lost). An affected consumer can suffer distress or financial loss as a result of a breach.

Depending on the type of data accessed or disclosed, a breach may also lead to an identity being stolen or compromised.

In the event of a data breach, organisations are required to notify all affected consumers. A customer complaint can be lodged with the organisation regarding the breach following the notification.

If a consumer believes they are affected by a breach but have not been notified, the organisation should be contacted directly. A complaint can be lodged with the OAIC if the organisation fails to respond within a reasonable period [see Make a data breach complaint]. A complaint can also be lodged if the consumer was notified but there was an unreasonable delay in the notification.

Upon receiving a notification that personal information has been affected by a data breach, the consumer should take immediate steps to protect against further harm. These steps include:

  • Warning banks or financial institutions about the possibility of unauthorised access
  • Changing online account passwords
  • Contacting IDCare on 1800 595 160
  • Enabling multi-factor authentication for banking and other services
  • Monitoring accounts for unusual activity or purchases
  • Placing limits on accounts
  • Changing a driver’s licence number via an existing mySAGOV account or at Service SA
  • Taking care with emails and phone calls

While multi-factor authentication is recommended, be aware that it carries some risks. If a phone service has been compromised, the porting of the consumer’s phone number may mean that the authentication message is intercepted. A report should be made to a telecommunications provider immediately if a phone service is interrupted or lost.

For more information on data breaches, see OAIC Data Breach. If concerned about an identity being compromised, see also IDCare.

Consumer Data Right

Part IVD of the Competition and Consumer Act 2010 (Cth) introduces a regime called the Consumer Data Right ('CDR'). The aim of the CDR regime is to promote consumer choice and increase competition in certain business sectors.

It allows consumers to share certain information held by one business (for example a bank) with another accredited business in a secure manner. This allows the consumer to easily compare products and services.

The regime is opt-in, which means that a consumer does not have to use it and must give explicit permission to the business to use it.

The Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) govern the regime. There are also technical standards to ensure that the information and data are in the correct format and transferred securely.

The Minister must designate an industry before that industry can use the system.

The first industry to use the system is the banking sector. Not all sectors of the banking system will have the service available. Remember that it is not compulsory to use the system and a consumer’s permission must be given first. The next industry to use the system is the energy sector in late 2022, followed by the telecommunications industry.

The industry sector determines the type of information that a consumer shares between businesses.

For more information about the CDR and how it works, visit the Consumer Data Right website.

Sharing personal information in this way requires strict safeguards for consumers to ensure that information does not get misused.

The Office of the Australian Information Commissioner enforces the safeguards. Consumers who have a complaint about the mishandling of their data pursuant to the CDR may lodge a complaint with the OAIC [see OAIC’s CDR Complaints webpage].

For more information about complaining to the OAIC, visit the OAIC website.

Consumer Data - Breaches and Rights  :  Last Revised: Thu Oct 13th 2022
The content of the Law Handbook is made available as a public service for information purposes only and should not be relied upon as a substitute for legal advice. See Disclaimer for details. For free and confidential legal advice in South Australia call 1300 366 424.