Companies could have the right to retain customers’ data stripped back by an ambitious suite of privacy reforms proposed by the Albanese government.
The attorney general, Mark Dreyfus, revealed on Thursday that in addition to completing a review of Australia’s privacy laws, the Albanese government will look to legislate “even more urgent reforms” later this year or in early 2023.
The immediate reforms could include penalties, safeguards on personal information and strengthening requirements for companies to notify customers of breaches.
On Thursday, the prime minister, Anthony Albanese, endorsed changes to data retention laws.
Albanese told FiveAA Radio that requiring companies to dispose of data when they no longer need it, such as after a customer leaves a provider, was a “pretty commonsense proposal” and confirmed it was under consideration.
Earlier, Dreyfus told reporters in Canberra the government was considering whether companies “should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone’s identity”.
Checking a customer’s driver’s licence or passport number to establish their identity “should be the end, one might think, of the company keeping all that data”, he said.
“They don’t seem to me to have a valid reason for saying we need to keep that for the next decade.
“Obviously the more data that’s kept, the bigger a problem there is about keeping it safe, the bigger a problem there is about the potential damage that’s going to be done by a huge hack [like the one] that’s occurred here.”
Labor has talked up the need for tougher laws since the Optus attack affected up to 10 million customers, including 2.8 million people who had their licence or passport number leaked.
The home affairs minister, Clare O’Neil, has suggested reforms will include increasing the maximum penalties for data breaches – currently capped at $2.2m – and extending a power to set minimum cybersecurity standards to telcos.
On Thursday, Dreyfus told ABC radio the foreign minister had written to Optus asking it to pay for Australians’ replacement passports and the prime minister had “made very clear … it is going to be a matter for Optus to pay for costs incurred by Australians as a result of the data breach that has occurred”.
Dreyfus said Australians were “rightly concerned” about the exposure of personal information, and warned Optus that the government expects “continuing cooperation” from the telco.
Asked about privacy law reforms, Dreyfus replied: “It is a matter of urgency. We need to bring privacy laws … up to date, [and make them] fit for purpose for the digital age.”
The attorney general said he hoped to complete a “long-running review” of privacy laws by the end of 2022.
“We are also looking at even more urgent reforms we can make straight away to the Privacy Act to do things like increasing the safeguards that are already there that relate to personal information, security guidelines, and strengthening the notifiable data breaches scheme.
“We’re looking at what can be brought to parliament in the remaining sitting weeks and if possible pass this year or, if not this year, then early next year.”
The government is asking Optus to share data with banks and financial institutions so they “can take precautions to protect those Optus customers whose data has been stolen”, Dreyfus told ABC News Breakfast.
The attorney general said that “regrettably” Optus had omitted from its initial notification to customers that “some Medicare numbers in addition to passport numbers and driver’s licence numbers were included in the data breach”.
Guardian Australia understands the telecommunications industry is gearing up for changes to laws as a result of the breach, including beefed-up cybersecurity and privacy law which will put more pressure on the companies to ensure their security is up to scratch.
Simon Bush, chief executive of the Australian Information Industry Association, said the government’s privacy response should address the issues raised around the breach, particularly how long ID-check information is retained.
“The breach raised a lot of questions around people’s individual citizen’s privacy, and they’re legitimate questions, and they’re questions that both industry and government needs to look carefully at, and the Privacy Act review should be looking at these issues very seriously,” he said. “If you lose the trust of the citizen, then the government or the business doesn’t have a licence to operate.”
UNSW law researcher Tony Song said Australia should look to adopt laws similar to the EU’s General Data Protection Regulation.
“Our current $2.2m limit [in corporate penalties for breaches] is nothing compared to the GDPR’s maximum of €20m or 4% of the firm’s worldwide annual revenue. For many large tech companies, that is still peanuts to them.”
Jocelinn Kang, a technical specialist at the Australian Strategic Policy Institute, said the government should look at requiring organisations to store sensitive ID document details separately, similar to the requirement for credit card providers. She said the government’s digital ID system could also play a role in minimising the data held by companies like Optus.
In a statement on Wednesday evening, Optus said it had identified 14,900 valid and unexpired Medicare ID numbers among the compromised customer records, as well as 22,000 expired numbers.
Customers with valid Medicare numbers will be contacted within 24 hours, and those with expired numbers in the coming days.
Optus parent company Singtel on Wednesday said: “We are deeply sorry to everyone affected by the data theft on our subsidiary Optus.”
“Singtel management and board are treating this incident very seriously and working closely with Optus to address what is a complex issue, holistically,” the company said in a statement.
Paul Karp and Josh Taylor