(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
In April 2022, the SOCI Act was amended to introduce a new framework of enhanced cybersecurity obligations for operators of critical infrastructure. Under the SOCI Act, the minister for home affairs may privately declare a critical infrastructure asset to be a ‘system of national significance’. Operators of systems of national significance are subject to obligations to:
- develop cybersecurity incident response plans;
- undertake cybersecurity preparedness exercises;
- undertake cybersecurity vulnerability assessments; and
- provide system information to the Australian Cyber Security Centre (ACSC).
Providers of financial services in Australia must hold an Australian financial services licence (AFSL). The obligations of AFSL holders in relation to cybersecurity and cyber resilience have recently been the subject of legal action (see question 3.1).
All Australian healthcare providers are subject to the Privacy Act, even if they would otherwise be exempt as a ‘small business operator’ (see question 2.3). Victoria and New South Wales also have legislation which applies to the handling of health information in those states. The My Health Records Act governs the collection and handling of health information through Australia’s national electronic health records system.
Credit reporting agencies and credit providers are subject to special rules for the handling of credit information in Part IIIA of the Privacy Act.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The Privacy Act governs the collection and handling of personal information, which includes health information and credit information, by Commonwealth government entities and the private sector.
Specific Commonwealth legislation exists in relation to the My Health Records system, healthcare identifiers, criminal records and telecommunications data.
Most states and territories have legislation which governs the collection and handling of personal information by state and territory government entities. Victoria and New South Wales also have legislation which applies to the handling of health information by state government entities and the private sector in those states.