The Law Council of Australia says any potential Cyber Security Act must address invasive practices of personal data collection.

In their submission to the government's cyber security discussion paper, the council called for a review of legislation that mandates the retention of records by government and businesses, questioning the necessity and duration of such retention.

The council highlighted the importance of aligning the cyber security review with the ongoing review of the Privacy Act. 

They specifically addressed the Commonwealth exemptions to Australian Privacy Principles, urging a reassessment of these exemptions.

The Law Council recommended that governments adhere to Australian Privacy Principle 11.2, which stipulates the destruction or de-identification of personal information that is no longer required for any purpose.

Furthermore, the council emphasised the need for Australia to adopt “less invasive” methods of identity verification. 

Alongside the Trusted Digital Identity Framework (TDIF), the council proposed the inclusion of token-based authentication and a “digital passport” in the Cyber Security Act to minimise unnecessary collection of personal data.