Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Thursday, 13 October 2016
Page: 1774

Senator GRIFF (South Australia) (13:00): It is important to point out that the amendment does not require the minister to direct the Auditor-General, and the advice I have is that it is quite appropriate for the parliament to refer matters to the Auditor-General for inquiry, if it sees fit.

I had indicated I would be moving a further amendment, which would require an independent review of the operation of the bill two years after its implementation. The minister has provided my office with a letter confirming she would instruct her department to ensure that an independent review into the operation of the act is undertaken within two years after the commencement of the operation of the register. The minister has also indicated that the Department for Health has engaged Clayton Utz to conduct an independent privacy impact assessment to inform and guide the implementation of the register. Clayton Utz is currently finalising that PIA and proposes to recommend a periodic review of the operation of the register to ensure it is operating as intended and is appropriately managing and protecting privacy. The minister has indicated that she indicates to accept this proposed recommendation. I am satisfied that these undertakings will serve as an opportunity to assess the effectiveness of the national register, something which appears to have been somewhat lost in this debate. I indicate also that the Nick Xenophon Team is supportive of the changes that bring this bill in line with the recommendations of the privacy and information commissioner.

This brings me now to a related privacy issue that is particularly important to my colleagues and me and one that I will be addressing by way of a second reading amendment. The government previously agreed to introduce a mandatory data breach notification scheme and to consult on draft legislation in response to the 2015 inquiry of the Parliamentary Joint Committee on Intelligence and Security into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

For those of you who are not familiar with this issue, the rationale of data breach notification is to allow individuals whose personal information has been compromised to take remedial steps to avoid potentially adverse consequences such as financial loss or identity theft. This is an area that my colleague Senator Xenophon has done a great deal of work on, and we are extremely keen for the government to reintroduce a bill that is consistent with the exposure draft during this session of parliament. Such legislation would strengthen the privacy laws that apply to Telstra Health and indeed any other corporation in possession of individuals' personal information. As such, I indicate I will be moving a second reading amendment requesting the exposure draft be introduced before the end of this year.

Lastly, I note that there has been a lot of concern about the penalties that will apply to Telstra Health for the unauthorised use or disclosure of personal information and the ownership of data stored on the register. In relation to the first of these issues, the bill currently proposes penalties of 120 penalty units or $21,600 for such breaches. As I understand it, the opposition intends to increase this penalty to 600 penalty units or $108,000. It is important to note two points in relation to this.

Firstly, pursuant to the Crimes Act 1914, the court can impose a penalty of up to five-times these amounts for corporations. Secondly, the privacy and information commissioner also has the ability to impose penalties way in excess of those just outlined and up to $1.7 million. I note that, according to the government, the penalties outlined in the bill are from a drafting perspective consistent with other relevant legislation. I am advised that, perhaps somewhat ironically, the only exception to this general rule appears to apply to the My Health Records Act 2012. The minister's office has advised that the penalty regime in that legislation is significantly out of kilter with normal drafting practices. I think it would be pertinent for the government to provide some further clarification around this.

In relation to the second issue, I note the government has raised concern about the possibility of unintended consequences over the opposition's proposed amendment. Again, I think it would be useful if, for the purposes of this debate, the minister could place on the record further details around those unintended consequences in order to assist in our deliberations. Noting that there is already a second reading amendment by Senator Polley, I foreshadow that I will be moving the second reading amendment circulated in my name.