Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Monday, 13 February 2017
Page: 582

Senator WONG (South AustraliaLeader of the Opposition in the Senate) (11:07): I rise to speak on the Privacy Amendment (Notifiable Data Breaches) Bill 2016on behalf of the opposition. The opposition will be supporting this legislation. We welcome this bill which has been much delayed in its introduction by this government. We support the bill because it is actually a Labor bill. It is nearly identical to a bill that passed the House with bipartisan support some four years ago, but which lapsed at the election in 2013. It has taken this government that long to re-introduce this bill. Really, it ought to have been one of the first things on the Attorney-General's agenda, but, as we know, he has been distracted with a few other things.

Let me outline why this bill is important and why we thought fit to introduce it four years ago. As it stands, an individual's personal data can be breached by a government agency, a bank or an online store and there be no requirement that the individual be notified so that they can change their passwords or take other measures to protect themselves. A person might be told tomorrow that their data was hacked four years ago, and that organisation would face no consequences for its failure to notify them at the time. This is the situation that this government and this Attorney-General has let linger thanks to an inexplicable inertia on this important issue.

Let us have a look, briefly, at the history. In 2013, Mr Dreyfus, the then Attorney-General, introduced the Privacy Amendment (Privacy Alerts) Bill. That bill, like this one, made it mandatory for regulated entities under the Privacy Act to alert consumers when their personal data had been breached, whether through accident or malice.

The 2013 bill followed an extensive report by the Australian Law Reform Commission in 2008 which recommended that the Privacy Act be amended to provide as follows:

An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

And a failure to notify would result in a civil penalty. The Australian Law Reform Commission went on to clarify that 'specified personal information' should include personal information as well as sensitive personal information—for instance, a unique identifier that links someone's Medicare number to their name and address.

After extensive consultation, Labor responded to that recommendation with the privacy alerts bill, which was introduced on 29 May 2013. That bill had bipartisan support and passed the House of Representatives, but, sadly, lapsed at the election in 2013 before it could pass in this place. We have all been waiting for this government to do something about this. We waited patiently, but the government was far more interested in picking partisan fights than passing sensible law with bipartisan support. In particular, one would have to say, the Abbott government would have had to be one of the least constructive governments in Australia's recent history.

With the total absence of action from the Abbott government, the opposition introduced a private senator's bill in 2014 to the same effect as the 2013 bill. That lapsed at the hastily organised 2016 election. The best we got from the Abbott-Turnbull government in the 43rd Parliament was a fig leaf of an exposure draft which was released in 2015 but progressed nowhere. That came after a recommendation of the Parliamentary Joint Committee on Intelligence and Security on mandatory retention of metadata to the effect that a mandatory data breach notification scheme be introduced by the end of 2015. That was agreed by the government in its response to the committee's recommendation. Yet, here we are in 2017 and we have only just got this bill in the Senate. Given that history, we on this side of the chamber do find it somewhat baffling as to why the government has been so tardy in bringing this bill forward—four years to introduce a simple, straightforward bill that has bipartisan support.

Many Australians would be shocked to learn that it is not already mandatory for agencies or companies to notify them when their personal data has been breached. If consumers are not informed that their personal data has been breached for months or even years after the fact, it certainly removes any capacity to take remedial action. Significant loss of funds and identity theft cannot be easily avoided. Those affected cannot change their credit card details and they cannot keep a watch for suspicious activity. They are powerless, in effect, because they are not aware. That is not unacceptable.

While the government has waited and delayed, the situation has worsened. A prime example is the Catch of the Day case, where the personal data of some or all of its two million customers was hacked and stolen in 2011 but the customers were not told until 2014. This, quite rightly, caused outrage. Moreover, the company did not even report the hack to the Australian Federal Police when it happened but waited three years. This bill is designed to prevent exactly this kind of situation. Corporations, or public service departments, ought not be allowed to delay reporting of a serious breach of personal data simply because of the fear of the damage it might cause to their reputation. They should disclose to affected customers as soon as the breach is known, regardless of any embarrassment to them. Australians are entitled to know so that they can act to protect themselves.

Section 26WA of the bill sets out the threshold test for the eligible data breach. It provides that such a breach happens if it is 'likely to result in serious harm'. In contrast, the threshold test in the Privacy Amendment (Privacy Alerts) Bill 2013 was 'real risk of serious harm'. The test 'likely to result in serious harm' could be seen as a slightly higher threshold than the previous bill, particularly when combined with the list of relevant matters for consideration to help guide whether harm is likely or unlikely.

The Australian Law Reform Commission report For your information: Australian privacy law and practice noted that in international law the terms 'likelihood' and 'real risk' are similar and related. The term 'a real risk of serious harm' has been defined to mean a reasonable degree of likelihood, real and substantial danger, and a real and substantial risk. The law council, in their submission on the exposure draft of the bill, expressed concern that the 'real risk' test, as drafted, was unclear. They view the 2016 bill as an improvement on the exposure draft version of the bill. The new test responds to stakeholder concerns about the practicality of determining what degree of probability and what kind of harm would be captured in the phrase 'real risk of serious harm'. It will provide greater certainty for regulated entities to be able to comply with their obligations.

I want to turn now, briefly, to the handling of personal data. The protections for consumers contained in this bill become even more vital with the worrying trend of this government to outsource the handling of personal data from the public to the private sector. This includes the proposed sell-off of the corporate registry of ASIC, which holds critical information on more than two million companies in Australia. It holds the names of directors, companies, company names and corporate histories. It is a key resource for journalists and members of the public who wish to find out more about Australian companies. Business owners, for example, are required to lodge a lot of detail with ASIC, not all of which is made public, which undoubtedly they would not want to fall into the wrong hands.

In the midst of the election last year we heard that the Turnbull government intended to award the contract for managing sensitive medical records to Telstra, which will be in charge of the new national cancer screening registry from next year. The contract, estimated to be worth $180 million over three years, will be the first time such sensitive data is in corporate hands. Telstra does not have an entirely spotless history in terms of taking care of its customers' data and has had a number of breaches considered by the Office of the Australian Information Commissioner. In 2014, Telstra was fined for exposing the personal data of nearly 16,000 customers online. The Australian, in March 2014, stated:

The finding is the latest stain on Telstra's lax privacy record. In 2012 the telco received a similar warning from the Privacy Commissioner for publishing the personal information of more than 730,000 customers online. It also received warnings for breaches of customer data in 2010 when a mailing list error resulted in about 220,000 letters with incorrect addresses being mailed out.

In an era such as this, when personal health data is being handed over to a large corporate entity which has, demonstrably, a patchy privacy record, the passage of this bill is more important than ever.

Then we have the proposed privatisation of the Medicare data system, which the government pledges is no longer going ahead. But one wonders whether it will keep to that promise. If it did go ahead it would be possibly the largest transfer of personal health and financial data from public to private hands ever undertaken by an Australian government. It is vitally important that the protections contained in this bill are in place before that happens, if it does.

The passage of this bill also matters because of the singular botching of another bill to do with the protection of privacy and data that is yet to be debated in this place, the Privacy Amendment Data (Re-identification Offence) Bill 2016. Labor proposes to vote against that bill because it is a bad law which does not seek to protect Australians from having their personal privacy compromised; rather, it aims to cover up embarrassing mistakes by government agencies. It was hastily drafted, and regrettably—again—this government has refused to negotiate in order to find a compromise position. Luckily, given the excessively long lead time, that has not occurred with the bill we are currently debating.

The delay of this bill concerning data breach notifications is, one could surmise, symptomatic of a broader problem with this Attorney-General. There are a whole range of essential tasks—filling vacant judge positions, visiting community legal centres and complying with the FOI Act—which he seems not to be engaged in, but he is very intent on pursuing ideological frolics like the destruction of section 18C of the RDA. As I said, it really is inexplicable that this minister and this government have taken some four years to bring forward a bill that has bipartisan support and that Australians and privacy advocates have been seeking for some time.

Concerns about privacy in the digital era will surely grow in coming years, and it is important that Australians have faith that the government and the parliament are responding in an appropriate way. Considering the comprehensive mess this government made of the 2016 census and associated concerns with the safety of data provided to the government, there is a risk that Australians are losing faith in this government's ability to handle their sensitive data. If Australians are to hand over their most sensitive personal information, they must have faith that it will be properly and responsibly handled. If Australians lose that faith then our ability as a government—whoever is in government—to collect the important data which is needed to run good policy is at risk. So passing this law is an important step that will demonstrate to Australians that the parliament recognises their legitimate concerns about the safety of their data and will compel those organisations who handle it to be more mindful.

As I said, we regret that the government has taken so long to act in relation to this legislation but we are glad that it finally has. I commend the bill to the Senate.