Privacy, digital safety and cybersecurity

Budget Resources

David McGovern

Largely building on existing or announced initiatives, the 2023–24 Budget funds a range of measures covering privacy, digital safety and cybersecurity. High-profile data breaches affecting millions of Australians in 2022 highlighted the limitations of existing incident response functions in government. Along with specific initiatives to progress ongoing regulatory reform and build capabilities across government, the Budget funds a standalone Privacy Commissioner, the National Anti-Scam Centre, and the National Office of Cyber Security. Agency resourcing: budget paper no. 4: 2023–24 highlights the role of these organisations in coordinating across government, the private sector and the community to protect Australian business and consumers (p. 4).

Privacy

The Office of the Australian Information Commissioner (OAIC) will receive $16.1 million (and $8.4 million per year ongoing), which Budget measures: budget paper no. 2: 2023–24 states is ‘to support a standalone Privacy Commissioner, progress investigations and enforcement action in response to privacy and data breaches, and enhance its data and analytics capability’ (p. 64). This follows $5.5 million for the OAIC over 2 years to support the investigation of and response to the Optus data breach described in Budget measures: budget paper no. 2: October 2022–23 (p. 47).

The Office of the Privacy Commissioner was integrated into the OAIC in 2010 via the Australian Information Commissioner Act 2010, which the then Gilliard Government intended would ‘establish three independent statutory office holders’ (p. 1) ­– namely, the Australian Information Commissioner, the Freedom of Information Commissioner and the Privacy Commissioner. In 2016, the Abbott Government appointed Timothy Pilgrim as Information Commissioner in addition to his role as Privacy Commissioner. He was previously acting as Information Commissioner while the Government attempted to reform the OAIC, which the then Labor Opposition opposed. In 2018, the Turnbull Government appointed Angeline Falk to both commissioner roles. The Attorney-General announced on 3 May 2023 that Ms Falk will remain as Information Commissioner and head of the OAIC, and that the Government would immediately begin the selection process for a new Privacy Commissioner. The Attorney-General highlighted that this would restore the OAIC ‘to the three-Commissioner model Parliament originally intended’.

In addition to baseline funding to support the standalone Privacy Commissioner once selected, the Budget provides funding for specific privacy provisions. The OAIC welcomed the combined funding, and outlined the other specific initiatives funded:

The OAIC will receive an extra $17.8 million in the 2023–24 financial year. Over four years the OAIC will receive $44.3 million to support privacy activities, including work responding to the increased complexity, scale and impact of notifiable data breaches, as reflected in recent large-scale breaches. In addition, $9.2 million is allocated over two years to continue to regulate privacy aspects of the Consumer Data Right, My Health Record and Digital Identity.

The measure funding the OAIC also includes funding for ongoing work around the Privacy Act 1988 within the Attorney-General’s Department (Budget paper no. 2, p. 64):

  • Existing funding will be used to ‘progress the Government’s response to the recent review of the Privacy Act 1988. This review originated in the Australian Competition and Consumer Commission’s (ACCC) Digital platforms inquiry – final report in 2019, which recommended ‘legislative changes to strengthen privacy regulations’. The review of the Act was publicly released in February 2023.
  • The new funding, $0.9 million over 2 years from 2023–24, is ‘to support a separate independent statutory review of Part IIIA of the Act’, which regulates consumer credit reporting.

Coverage since the Budget has suggested the funding will help meet community expectations, but may not be sufficient over the long term. Former privacy commissioner Malcolm Crompton was quoted claiming the Privacy Commissioner ‘needs doubling of its funding – which would still probably be not enough’, and suggesting the commissioner’s capacity to enforce the Privacy Act should take precedence over implementing a review.

Digital safety

Multiple portfolios will be funded for new initiatives to fight scams and the Australian Communications and Media Authority (ACMA) will receive ongoing baseline funding for the work of the eSafety Commissioner and dedicated support to combat misinformation and disinformation online.

A total of $86.5 million over 4 years from 2023–24 has been allocated across 4 agencies ‘to combat scams and online fraud’ (Budget paper no. 2, p. 211).  This is split across 3 initiatives:

  • $58.0 million over 3 years for the ACCC to establish a National Anti-Scam Centre with a focus on enabling data sharing, including ‘Fusion Cells’ to bring industry and law enforcement intelligence together. This follows $9.9 million in Budget paper no. 2: October 2022–23 along with other anti-scam measures (p. 188), and an announcement of the centre in November 2022. Partial funding is being held in reserve until ICT requirements are developed, and funding in 2026–27, or ongoing, is not listed at this stage.
  • $17.6 million, plus $4.4 million ongoing, for the Australian Securities and Investments Commission (ASIC) to target investment scams, with costs recovered from industry.
  • $10.9 million, plus $2.2 million ongoing, between ACMA and the Department of Infrastructure, Transport, Regional Development, Communications and the Arts to stand up ‘an SMS sender ID registry to impede scammers seeking to spoof industry and government brand names in message headers’.

Additional funding is allocated to ACMA ‘for the Office of the eSafety Commissioner to continue to support Australians online’, which ramps from $32.2 million in 2023–24 to $33.7 million ongoing (Budget paper no. 2, p. 179). The Minister for Communications’ budget press release stated the increase would ‘quadruple ongoing base funding to the eSafety Commissioner from 2023-24 onwards, addressing the funding cliff’. This does not appear to support new work, but rather ensure the commissioner can continue existing support for Australians online.

The Minister for Communications announced in January 2023 that the Government would provide ACMA with ‘new powers to hold digital platforms to account and improve efforts to combat harmful misinformation and disinformation in Australia’. These include information-gathering and record-keeping powers as well as the creation of an enforceable industry code, or a standard, if self-regulation proves insufficient. ACMA currently oversees a voluntary industry code of practice. The Budget provides $7.9 million over 4 years for implementing this program (Budget paper no. 2, p. 180).

Cybersecurity

The April 2022–23 Budget made a significant investment in developing Australia’s cybersecurity capabilities under the REDSPICE program, providing $9.9 billion over 10 years to expand the Australian Signals Directorate (ASD) with 1,900 new positions (see the Budget review 2022–23 article, ‘Cybersecurity package’ for more detail). The announced capability growth focused on technical offensive and response capabilities, and not the education and engagement functions attributed to the Australian Cyber Security Centre (ACSC) in Australia’s cyber security strategy 2020. The ASD receives no new funding in the
2023–24 Budget. Instead, the Budget funds other portfolios to support the development of engagement with the private sector and community, and incident response coordination functions. The cross-portfolio cybersecurity measure (Budget paper no. 2, p. 156) funds 2 new initiatives in response to the high-profile incidents of the past year, and increases funding for 2 existing initiatives:

  • $11.8 million per year ongoing ‘to establish the Coordinator for Cyber Security’ within the Department of Home Affairs, which was announced in February 2023 by the Minister for Cyber Security in response to the gaps in government coordination described above. The coordinator will be supported by the dedicated National Office of Cyber Security, with access to dedicated resources from Home Affairs ‘and other Commonwealth entities’. The announcement described the coordinating role as complementary to the technical capability developing within ASD. This does not appear to be new funding, with the listed funding for Home Affairs appearing to correspond to a decrease in funding for ASD, and the remainder coming from existing Home Affairs resources. Earlier reporting noted no new funding had been provisioned for the National Office for Cyber Security.
  • $19.5 million in 2023–24 to continue the Critical Infrastructure work undertaken by Home Affairs, which operates under the Security of Critical Infrastructure Act 2018 and is progressively engaging industries in risk management programs and enforcing new obligations under the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022. This will operate alongside cybersecurity in Home Affairs’ newly established Cyber and Infrastructure Security Group (CISG), which will also support the Coordinator for Cyber Security.
  • $23.4 million over 4 years will go to Treasury to fund ‘a small business cyber wardens program delivered by the Council of Small Business Organisations Australia’, which will develop in-house readiness among partner businesses, rather than engage them in ongoing government support. The website for the program currently highlights the involvement of the ACSC in helping to coordinate, but this funding is not being directed through ASD.
  • $12.2 million in 2023–24 to continue the Cyber Hubs pilot, through which agencies with strong cyber capabilities support less advanced government entities to develop their security posture. This funding is split across the pilot provider agencies, which are the Department of Home Affairs, the Department of Defence, Services Australia and the Australian Taxation Office. The ATO’s funding is redirected from existing money allocated for the pilot. This continues from $18.8 million in initial funding across those departments, which was detailed in Budget measures: budget paper no. 2: 2021–22 under ‘Digital Economy Strategy’ (p. 76).

Additionally, the Budget contains funding measures for related initiatives across other portfolios:

  • The Treasury’s resourcing includes $88.8 million in funding over 2 years, ‘to support the continued operation of the Consumer Data Right in the banking, energy and non-bank lending sectors, progress the design of action initiation and uplift cyber security’ (Budget paper no. 2, p. 213). This responds to the Treasury Laws Amendment (Consumer Data Right) Bill 2022 and builds on $28.6 million in 2020–21 (Budget measures: budget paper no. 2: 2020–21, p. 65) and $111.3 million over 2 years from 2021–22 (Budget paper no. 2: 2021–22, p. 74).
  • The Australian Sports Foundation will receive $3.8 million in 2023–24 to address cybersecurity risks (Budget paper no. 2, p. 137).
  • The Department of Education’s ICT funding refers to security and privacy of ICT systems and data holdings (Budget paper no. 2, pp. 87, 100 and 102).

The 2023–2030 cyber security strategy, with the goal of ‘making Australia the most cyber secure nation by 2030’, is currently under development and is likely to contain further initiatives once released, which are not detailed in this Budget. The current Budget invests $101.2 million to support quantum computing and artificial intelligence technologies (Budget paper no. 2, p. 164), which covers questions of responsible usage and ‘significant national challenges’. These emerging technologies will likely create new harms, potentially exposing vulnerabilities in critical systems, turbocharging bad actors online, and challenging norms around privacy and authenticity, necessitating more sophisticated responses in the future.

 

All online articles accessed May 2023

For copyright reasons some linked items are only available to members of Parliament.

© Commonwealth of Australia

Creative commons logo

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

This work has been prepared to support the work of the Australian Parliament using information available at the time of production. The views expressed do not reflect an official position of the Parliamentary Library, nor do they constitute professional legal opinion.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library‘s Central Enquiry Point for referral.