Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Monday, 13 February 2017
Page: 585


Senator LUDLAM (Western AustraliaCo-Deputy Leader of the Australian Greens) (11:19): It will not come as a surprise to any in here that the Australian Greens also support the Privacy Amendment (Notifiable Data Breaches) Bill 2016. I think Senator Wong has given a good wrap-up of why the bill has such widespread support in this parliament. The basic principle is so sound that it will probably come as a shock to people to realise that these protections are not already enshrined in law in Australia—the fact that if you hold private information on people and you lose it you should be obliged to let people know so that they can do something about it. That is the principle that is at stake here. At the moment—and I will go through a couple of examples in a second—if the control of information that we hand over to government agencies, private companies and other entities, which records our lives in extraordinary detail, is lost, these entities are under no obligation whatsoever to report it so that we can take remedial action. That information could be credit card records, it could be your medical history, it could be your political views and affiliations, it could be your credit worthiness—anything at all. There have been some extraordinary examples, which I will go through.

I also find it immensely curious that the Australian government has not seen fit in more than three years—in fact, I think it is four years now—to proceed with this measure when the committee that it dominates, the Parliamentary Joint Committee on Intelligence and Security, in the wake of the disastrous debate on mandatory data retention, said that this is something that should happen. Senator Brandis at the time agreed with that, and nothing has been done.

In terms of what is at stake here, this is not a trivial matter. There are trivial examples, if you want to find them. The Australian immigration department, a couple of years ago, accidentally published personal details of world leaders by mistake—so this stuff can affect anybody at all. Much more seriously, they accidentally disclosed thousands of records of people imprisoned in our immigration detention system. These are people who have fled violent and, in many cases, authoritarian regimes and who have then had their private personal details published by the department that is charged with protecting their interests. This can affect anybody at all.

To go through some of the history briefly, in 2008 the Australian Law Reform Commission published a report, which was the first time, as far as I am aware—certainly the first time in my experience in this place—that that organisation had proposed a mandatory data breach notification scheme. As Senator Wong identified, in 2013 there was a bill that was up for debate—it was on the Notice Paper in this place—that lapsed after the election. Senator Singh, I believe it was, introduced a private senators bill to the same effect the following year, and of course during 2013 and 2014 we had the debate in here on mandatory data retention.

The general principle, I would have thought, of reducing the risk of these kinds of disclosures in the first place is, firstly, do not collect more information than you need. That is one of the Australian privacy principles enshrined in legislation: do not collect anything more than you need. Secondly, make sure it is securely protected and encrypted and, thirdly, if you do lose control of it, notify the people whose interests may have been harmed. Those are the three key principles: do not collect it, protect what you do collect and let people know if you have some kind of failure.

In the data retention debate, the government was obviously running directly in opposition to the first and, I would argue, most important principle, forcing telecommunications providers to collect vastly more information than they needed for their business records or the integrity of their networks. They were doing it for what we were originally told was only going to be the most serious national security and terrorism offences, but obviously the way the debate has swung now means we may see this material deployed in civil cases, family law disputes, copyright disputes—that kind of stuff. So this enormous pool of data that is basically worthless to everybody—certainly the telecommunications providers did not want to have to collect it—is being collected. So you have violated the first privacy principle. What happens when agencies or corporations lose control of this material that is being collected?

In 2008 the Law Reform Commission said people should be protected from this kind of disclosure. In 2013 the government introduced a bill. In 2014 a private senators bill was introduced. In 2014 the Parliamentary Joint Committee on Intelligence and Security said it was about time this was done, particularly if we were going ahead with data retention, and nothing happened. Nothing was done.

Let's just trip down memory lane. iTnews put together the biggest Australian data breaches of 2015. On 1 October, Kmart revealed it had discovered customers' data had been stolen by external attackers. David Jones disclosed that attackers had exploited a vulnerability in their WebSphere based website to pinch the sensitive personal details of their customers. Aussie Farmers Direct, a little bit later in October, found that it had fallen victim to an attack, according to iTnews, in which the personal details of more than 5,000 of its customers were posted online. In Aussietravelcover's breach, one of the first of 2015, 870,000 records were posted online by a teenage hacker. In one of the more notorious ones, 37 million customer profiles were ripped and posted from the infidelity website Ashley Madison. The US Office of Personnel Management fell for this. Hacking Team is one of the funnier examples, I guess. This is a company that provides offensive IT to governments undertaking dodgy activities. It found itself on the other side of the line when hackers pulled its pants down and disclosed all kinds of information about what Hacking Team was up to. VTech, TalkTalk, Experian—the list is enormous.

Those come just from 2015, and all of those examples happened since this parliament was made broadly aware, and the government has certainly known, that there is cross-party support—government, opposition and crossbench—for precisely the legislation that we are dealing with today. On 2 February last year I actually put a question to the minister, asking, 'Where is it?' A year later, we get around to it. It is really extraordinary.

The issues that I am going to invite the minister to respond to, if he cares to do so in his closing speech or if and when we go into committee, are issues that were raised during the inquiry into the exposure draft that the minister put forward in 2016. The main issues that we are concerned about relate to who the bill applies to. For example, the Privacy Act, which this bill amends, does not apply to small businesses operating on a turnover of less than $3 million. We think that is highly problematic. The threshold determining who this bill applies to should not have anything to do with turnover. It should have regard to how much material those entities are holding. Really, their turnover is irrelevant. There are companies and entities such as researchers operating under much smaller turnovers than that who are still amassing large amounts of private information. So that is one issue that I hope the minister will address.

So is the fact that enforcement agencies will be able to give themselves a free pass. Enforcement agencies such as the police or investigatory agencies can decide themselves, if they suffer a data breach, whether or not to disclose it. We think at the very minimum there should be some kind of reporting obligation so that we know if that is occurring. Some of the submitters to the inquiry suggested that the Ombudsman should play a role.

The third exemption from the Privacy Act, which should affect us all and give us cause to have a serious think, is political parties. They are collecting large amounts of private information on people in the electorate. Even after this bill is passed, they will still have no obligation to disclose any data breaches. We think that that is wrong.

The second issue is the test of seriousness. If you are a company or a government department who realises that a breach has occurred and you are trying to decide whether or not you fall within the ambit of this bill, you will need to pass the 'serious harm' test. This is an issue Senator Wong addressed briefly, but it was an issue that was hashed out by those who made submissions to the inquiry into the bill. We support the view of the Australian Privacy Foundation, who made a very detailed submission on the bill, that the threshold for requiring notification should be based on either of the following conditions being satisfied: a real risk of harm—without qualifying it according to the seriousness of the risk—or a significant breach, whether or not a real risk of harm has arisen.

That will lead us to the third issue that we believe has not been addressed yet: the fact that, if we simplify the test such that the entity does not have to assess whether or not there is a serious risk of harm but whether it is a significant breach or whether there is a real risk of harm, it should not take 30 days to undertake the test. I will read briefly from what is buried in the government's own explanatory memorandum, at clause 80. It says:

Under the voluntary system—

in other words, the system that we have at the moment—

the notification of individuals can be delayed for years, as discussed above. Such a failure to notify an affected individual of a data breach in a timely manner increases the potential cost of the data breach on the individual. For example, a delay in notification increases the risk of an affected individual becoming a victim of an identity crime such as identity theft, as they may be unaware of the need to take action to mitigate the detrimental consequences of the data breach. Summary statistics for the last 12 months presented in IDCARE's submission to the 2015-16 consultation indicated that the average number of days between a data breach and an individual being notified of the breach was 405 days, whereas the average time between a data breach and the misuse of compromised information was 72 hours.

So we have a voluntary system where there is no time threshold at all; people can choose to tell you or not, and it is really up to the company or the department. The average number of days between a breach and an individual being notified was 405 days. The bill, as we read it, would reduce that to a mandatory 30 days. The explanatory memorandum says the average time between a data breach and a misuse of compromised information is 72 hours. My question to the government is: what possible justification do you have for leaving people hanging out for that additional 27 days? Twenty-seven days—or 30 days, as the government has it in the bill at the moment—is an extraordinarily long period of time for material to be abused. If somebody loses control of my credit card information, I do not want legislation that does not force them to disclose that to me for a month, because a lot of harm can be done in a month.

These are the issues that we would like government to address before we put this bill to a vote. Other than that, I look forward to the bill passing into law—it is an essential piece of privacy legislation. As no doubt other speakers will point out, it is long overdue. In fact, we think it has been weakened in some important ways from the original conception proposed by the Australian Law Reform Commission all the way back in 2008. It is time that this bill was put to a vote, but we hope that the Senate will give regard to some of the issues that we have raised on the way through. I now move the second reading amendment standing in my name:

At the end of the motion, add "but calls on the Government to extend the Privacy Act 1988 to include political parties and businesses with an annual turnover under $3m, as such organisations have considerable holdings".