Australia: OAIC submits recommendations to new cybersecurity strategy
On April 18, 2023, the Office of the Australian Information Commissioner (OAIC) published its submission to the 2023–2030 Australian Cyber Security Strategy Discussion Paper issued by the Department of Home Affairs. In particular, the OAIC highlighted the discussion paper's commitment to consider feedback received on the current review of the Australian Privacy Act as part of the development of the strategy. The OAIC's submission listed nine recommendations, stating that the strategy should aim to:
- align cybersecurity reforms with proposals in the Privacy Act Review Report to uplift established privacy security obligations;
- consider the distinct purposes of the various cybersecurity regulatory frameworks in any reform proposals to ensure that relevant laws continue to work cohesively to address risks of harm, without leaving any regulatory gaps;
- encourage collaboration and information-sharing mechanisms to reduce the regulatory burden on entities and ensure a consistent and unanimous government regulatory approach to enhancing Australia's cybersecurity and resilience;
- consider whether the provision of guidance could assist entities to navigate their cybersecurity obligations as a first step to reducing the compliance burdens;
- accompany any proposed amendments to the Security of Critical Infrastructure Act 2018, including 'customer data' and 'systems' in the definitions of 'critical assets,' with relevant amendments to ensure that protected information can be disclosed to the OAIC so that it can continue to exercise its regulatory powers and functions;
- design any proposed single reporting portal in close consultation with affected regulators to ensure that the timeliness and integrity of the reporting requirements for all the regimes consolidated within the portal, including the Notifiable Data Breaches (NDB) scheme, are preserved;
- ensure that the Cyber Security Regulators Network and other forums continue to play a role in post-incident reviews and that their work informs incident response planning policy and practice;
- ensure that any proposed obligations of confidentiality are carefully designed in consultation with regulators so that agencies such as the OAIC are able to obtain the information they need from affected entities at appropriate times, and to exercise their functions and powers in the public interest; and
- support government agencies and regulators to influence global dialogue in regulatory areas impacting cybersecurity, such as privacy, to promote consistently high standards around the world.
You can read the submission here.