Commonwealth Consolidated Regulations


TELECOMMUNICATIONS REGULATIONS 2021 - REG 15A

Disclosures to financial services entities for the purpose of cyber security etc.

  (1)   For the purposes of subsection   292(1) of the Act, this section specifies circumstances in which section   276 of the Act does not prohibit a disclosure of information or a document.

Specified circumstances

  (2)   Section   276 of the Act does not prohibit the disclosure of information or a document if the information or document is disclosed to a financial services entity by or on behalf of a carrier or carriage service provider and all of the following paragraphs are satisfied:

  (a)   the information is specified information, or the document is a specified document, in relation to the carrier or carriage service provider;

  (b)   the carrier or carriage service provider has received a written request from an officer of the financial services entity for the specified information or the specified document;

  (c)   the request states that the information or document is required by the financial services entity for the sole purpose of enabling the entity:

  (i)   to take steps to prevent a cyber security incident, fraud, scam activity or identity theft; or

  (ii)   to take steps to respond to a cyber security incident, fraud, scam activity or identity theft; or

  (iii)   to take steps to respond to the consequences of a cyber security incident, fraud, scam activity or identity theft; or

  (iv)   to take steps to address malicious cyber activity;

  (d)   the request states that, in the opinion of the officer, the disclosure of the information or document is necessary and proportionate to deal with the cyber security incident, fraud, scam activity, identity theft or cyber activity mentioned in paragraph   (c);

  (e)   before the information or document is disclosed, the carrier or carriage service provider has been notified, in writing, by the ACCC that the financial services entity has given the ACCC a written commitment (on terms acceptable to the ACCC) that:

  (i)   the entity will only share the information or document with an associate to the extent that this is necessary for a purpose mentioned in paragraph   (c); and

  (ii)   if the entity is a body mentioned in paragraph   (c) of the definition of financial services entity in subsection   (6)--the entity will only share the information or document with another financial services entity to the extent that this is necessary for a purpose mentioned in paragraph   (c) of this subsection; and

  (iii)   if the entity is a body mentioned in paragraph   (a) or (b) of the definition of financial services entity in subsection   (6)--the entity will not share the information or document with any other third party; and

  (iv)   the entity will only access, use or disclose the information or document for a purpose mentioned in paragraph   (c) of this subsection and only in accordance with the requirements of the Privacy Act 1988; and

  (v)   the entity will store the information or document in a manner that prevents unauthorised access, disclosure or loss; and

  (vi)   unless the information or document is sooner destroyed as mentioned in subparagraph   (vii)--the entity will review its need to retain the information or document at least once every 12 months; and

  (vii)   the entity will destroy the information or document once it is no longer required for a purpose mentioned in paragraph   (c); and

  (viii)   the entity has appropriate written procedures to ensure that the information or document is handled in accordance with the requirements set out or referred to in this paragraph; and

  (ix)   the entity will obtain a written commitment in the same terms as that set out in this paragraph from an associate (other than an employee of the entity) before sharing the information or document with that associate in accordance with subparagraph   (i); and

  (x)   the entity will obtain a written commitment in the same terms as that set out in this paragraph from another financial services entity before sharing the information or document with that other entity in accordance with subparagraph   (ii);

  (f)   the information or document is disclosed:

  (i)   unless subparagraph   (ii) applies--in a secure and trusted manner; or

  (ii)   if the Minister has approved a secure and trusted manner for the purposes of this subparagraph--in the manner approved by the Minister;

  (g)   if the financial services entity is a body mentioned in paragraph   (a) or (b) of the definition of financial services entity in subsection   (6)--an authorised officer of the entity has given APRA an attestation that the entity meets, and will continue to meet, the principles and requirements of Prudential Standard CPS 234 - Information Security, as in force from time to time, in relation to the information or document.

Minister may approve manner in which information or documents to be disclosed

  (3)   For the purposes of subparagraph   (2)(f)(ii), the Minister may, in writing, approve the manner in which a carrier or carriage service provider discloses information or a document.

Minister may approve a financial services entity

  (4)   The Minister may, in writing, approve a body for the purposes of paragraph   (c) of the definition of financial services entity in subsection   (6), but only if the body is a body that provides services that:

  (a)   either:

  (i)   are directly related to, or support, the provision of services by one or more bodies mentioned in paragraph   (a) or (b) of the definition of financial services entity in subsection   (6); or

  (ii)   are directly related to, or support, the provision of services to one or more bodies mentioned in paragraph   (a) or (b) of the definition of financial services entity in subsection   (6); and

  (b)   are directly related to, or support, a purpose mentioned in paragraph   (2)(c).

Minister may specify information

  (5)   The Minister may, by legislative instrument, specify one or more kinds of information for the purposes of the following:

  (a)   paragraph   (b) of the definition of specified document in subsection   (6);

  (b)   paragraph   (b) of the definition of specified information in subsection   (6).

Definitions

  (6)   In this section:

"ADI" means an authorised deposit-taking institution within the meaning of the Banking Act 1959, other than a foreign ADI (within the meaning of that Act).

"associate", of an entity (within the meaning of section   64A of the Corporations Act 2001), means any of the following:

  (a)   an employee of the entity;

  (b)   if the entity is a body corporate:

  (i)   a related body corporate (within the meaning of the Corporations Act 2001) of the entity; and

  (ii)   an employee of the related body corporate;

  (c)   a contractor of the entity.

"cyber security incident" has the same meaning as in the Security of Critical Infrastructure Act 2018.

"financial services entity" means:

  (a)   an ADI; or

  (b)   a body mentioned in paragraph   (b), (c), (e), (ea) or (f) of the definition of body regulated by APRA in subsection   3(2) of the Australian Prudential Regulation Authority Act 1998; or

  (c)   a body approved by the Minister for the purposes of this paragraph.

"officer", in relation to a financial services entity, means:

  (a)   a director or secretary of the entity; or

  (b)   a person:

  (i)   who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of the entity; or

  (ii)   who has the capacity to affect significantly the entity's financial standing; or

  (iii)   in accordance with whose instructions or wishes the directors of the entity are accustomed to act.

"specified document", in relation to a carrier or carriage service provider, means a document that only includes one or both of the following:

  (a)   the government related identifiers (within the meaning of the Privacy Act 1988) of one or more individuals who are, or were, customers of the carrier or carriage service provider;

  (b)   information of a kind specified for the purposes of this paragraph by the Minister in a legislative instrument, being personal information (within the meaning of the Privacy Act 1988) about one or more individuals who are, or were, customers of the carrier or carriage service provider.

"specified information", in relation to a carrier or carriage service provider, means any of the following:

  (a)   the government related identifiers (within the meaning of the Privacy Act 1988) of one or more individuals who are, or were, customers of the carrier or carriage service provider;

  (b)   information of a kind specified for the purposes of this paragraph by the Minister in a legislative instrument, being personal information (within the meaning of the Privacy Act 1988) about one or more individuals who are, or were, customers of the carrier or carriage service provider.

Application

  (7)   This section applies to information or a document, whether the information or document was in the possession of a carrier or carriage service provider before, on or after the commencement of this section.

Sunset of this section

  (8)   This section is repealed at the start of 12   October 2024.


