Optus data breach: Information for APRA-regulated entities applying for access under the Telecommunications Regulations 2021

The ACCC is working with the Federal Government, regulators and other relevant organisations to facilitate closer coordination of data sharing between Optus and Australian Prudential Regulation Authority (APRA)-regulated entities. This work facilitates data sharing pursuant to the Telecommunications Regulations 2021, which is intended to provide greater protection to Australians following the recent Optus data breach.

Key points:

  • The amount of information disclosed will depend on what is reasonable and proportionate to the needs of the financial institution and what is necessary to safeguard their customers.
  • Data sharing will occur in a highly secure manner and on terms that will ensure the protection of the privacy of individuals.
  • All APRA-regulated financial institutions, excluding branches of foreign banks, are eligible to apply to receive the data should they choose to.
  • To opt in, entities will be required to provide APRA with a written attestation to APRA Prudential Standard CPS 234 Information Security, in the context of accessing data from Optus associated with the recent breach.
  • Entities will also need to provide written commitments to the ACCC and the OAIC that they will comply with certain conditions, including Privacy Act obligations.
  • Once an entity has complied with these requests, it would work with Optus to facilitate access to the data.
  • The ACCC and the OAIC will monitor compliance with the conditions, including obligations under the Privacy Act.

Who to contact if you need more information:

Further information on privacy considerations for financial services entities receiving data from a carrier or carriage service provider under the Telecommunications Regulations is available on the OAIC website.


Published date: 11 October 2022