AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
• the Digital ID Act 2024 (Cth) (the “Digital ID Act”), which is intended to embed safeguards for digital ID services and data in addition to the Privacy Act;
• privacy legislation enacted at the state and territory level;
• the My Health Records Act 2012 (Cth) (the “My Health Records Act”), which imposes specific obligations for health information collected and stored in Australia’s national online health database (in addition to the Privacy Act);
• state and territory health records legislation enacted in NSW, Victoria (Vic) and the Australian Capital Territory (ACT); and
• federal, state and territory surveillance legislation, which regulates video surveillance, computer and data monitoring, GPS tracking and the use of listening devices on individuals.

Further definitions and details on the Privacy Act are set out in 6.1 Cybersecurity and Data Protection.

Cybersecurity

Cybersecurity laws in Australia are primarily governed under sector-specific federal laws, and include the following.

• Critical infrastructure: this sector is regulated under the Security of Critical Infrastructure Act 2018 (Cth) (the “SOCI Act”), which imposes registration, reporting and notification obligations on owners and operators of critical infrastructure and empowers the Australian government to gather information and issue directions where there is a risk to security. More details are in 2. Critical Infrastructure Cybersecurity.
• Telecommunications: this sector is regulated by dual legislation, being:
(a) the Telecommunications Act 1997 (Cth) (the “Telecommunications Act”), which imposes security and notification obligations on Australian telecommunications providers and empowers the Australian government to gather information and issue directions; and
(b) the Telecommunications (Interception and Access) Act 1979 (Cth) (the “TIA Act”), which prohibits the interception of communication and access to stored communication data, except for certain law enforcement and national security purposes.
• Corporate: corporations generally are regulated under the Corporations Act 2001 (Cth) (the “Corporations Act”), which is highly relevant to the cybersecurity space. For example, the director’s duty to exercise “care and diligence” (Section 180) is equally relevant here.
• Financial services: certain financial, insurance and superannuation entities are regulated through standards, including the Prudential Standard CPS 234 on Information Security (CPS 234), issued by the Australian Prudential Regulation Authority (APRA). Additionally, entities in the financial services have specific obligations under the Corporations Act, such as adequate risk management systems to hold a financial licence (Section 912A).

There are additional laws that are highly relevant to the cybersecurity space that are less sector-specific, such as consumer law, specifically the Competition and Consumer Act 2010 (Cth) (the “Consumer Act”), which addresses consumer affairs, including consumer data protection and cyberscams.

Cybercrime
Overlaying the above are various cybercrime offences in Australia at the federal, state and ter -