Consumer data collected by organisations is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles established under that Act [see the Law Handbook page on the Australian Privacy Principles (APPs)]. The Office of the Australian Information Commissioner (OAIC) administers the Privacy Act and the APPs [see the OAIC website or the Law Handbook page on the OAIC].
Individual industries have further, more specific obligations to protect consumer data, such as the Telecommunications Consumer Protections Code [see in particular clause 3.7].
Data Breaches
A data breach occurs when personal information is accessed or disclosed without permission (or is lost). An affected consumer can suffer distress, financial loss or even personal risk as a result of a breach.
Depending on the type of data accessed or disclosed, a breach may also lead to an identity being stolen or compromised.
In the event of a data breach, organisations are required to notify all affected consumers. A customer complaint can be lodged with the organisation regarding the breach following the notification.
If a consumer believes they are affected by a breach but has not been notified, they should contact the organisation directly. A complaint can be lodged with the OAIC if the organisation fails to respond within a reasonable period [see Make a data breach complaint]. A complaint can also be lodged if the consumer was notified but there was an unreasonable delay in the notification.
Upon receiving a notification that personal information has been affected by a data breach, the consumer should take immediate steps to protect against further harm. These steps include:
While multi-factor authentication is recommended, it has some risks. If a phone service has been compromised, the porting of the consumer's phone number to another service may mean that the authentication message is intercepted. A report should be made to the telecommunications provider immediately if a phone service is interrupted or lost.
For more information on data breaches, see the OAIC's resources on Data Breaches. IDCare can help if there are concerns about an identity being stolen or compromised.
Consumer Data Right
Part IVD of the Competition and Consumer Act 2010 (Cth) introduces a regime called the Consumer Data Right (CDR). The aim of the CDR regime is to promote consumer choice and increase competition in certain business sectors.
It allows consumers to share certain information held by one business (for example, a bank) with another accredited business in a secure manner. This allows consumers to easily compare products and services.
The regime is opt-in, which means that a consumer does not have to use it and must give the business explicit permission before their data is shared.
The Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) govern the regime. There are also technical standards to ensure that the information and data are in the correct format and transferred securely.
The Minister must designate an industry before that industry can use the system. Consumer Data Right has been rolled out in the banking and energy sectors, with non-bank lending the next proposed industry.
The industry sector determines the type of information that a consumer shares between businesses.
For more information about the CDR and how it works, visit the Consumer Data Right website.
Sharing personal information in this way requires strict safeguards for consumers to ensure that information does not get misused. The Office of the Australian Information Commissioner enforces these safeguards. Consumers may complain about the mishandling of their data pursuant to the CDR to the OAIC [see the OAIC’s CDR Complaints webpage].