Data Sharing in the Australian Public Sector after the Optus and Medibank Incidents: Taking Reasonable Steps to Prevent Data Breaches
DOI: https://doi.org/10.30722/slr.21383

Keywords: data breach, reasonable steps, government data sharing, Optus, Medibank, privacy, Five Safes, public sector

Abstract
In this article I identify weaknesses in the framework for public sector data sharing in Australia. Many Australian public sector agencies must share personal information they hold, potentially increasing the risk of a data breach. I consider the legal standard expected of data holders under the Privacy Act 1988 (Cth) to take ‘reasonable steps’ to protect the data, including in light of the 2022 Optus and Medibank breaches. For public sector data, legislated data sharing frameworks also apply, overriding some statutory protections and introducing potential areas of weakness and confusion. One concern is public sector reliance on the unsuitable ‘Five Safes’ data sharing principles, adopted into statutes with an apparent absence of critical examination. Data sharing agreements (‘DSAs’) may assist, but often fail to do so due to vague standards and contractual omissions. To meet the reasonable steps standard, I argue that public sector data holders should ensure that their DSAs require data recipients to have appropriate security governance and risk management in place (ideally including compliance with an independent security standard) and impose obligations regarding data retention, staff training, and auditing. To assist in meeting the reasonable steps standard, security risk assessments should also be undertaken as standard data sharing practice.