Senate debates

Thursday, 27 March 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

9:51 am

Sue Boyce (Queensland, Liberal Party)

Well, here we are at Groundhog Day again! I am surprised that the opposition would want to remind the Australian people of the bureaucratic and administrative mishmash and nightmare that purported to be government by the Labor Party.

The government strongly supports all efforts to improve privacy provisions for the Australian people and Australian organisations but—surprise, surprise!—we do not support doing it in the erratic, inexperienced, unthinking way that Labor would try to go about this. This piece of legislation was first brought to the House in June last year by the then government and came to the Senate with a whole 1½ days for a committee to hold an inquiry into the effects that it would have. It, of course, was something that they apparently had forgotten to include in their first tranche of legislation on privacy—and why would we be surprised by that? In the annals of history, the FoFA—Future of Financial Advice—legislation will stand in years to come for administrators to use as an example of how never to try and go about public policy: three tranches of legislation, some of it actually contradictory; some of it requiring that an IT system that had been put in place to meet the requirements of a first bill would subsequently have to be changed—within six months, was what the government first wanted—by those working in the industry. So we had once again the usual complete inability, apparently, of the Labor Party to grasp that some people out there are trying to make profits to create jobs and to create growth in our economy. This bill that we are now debating came into that category entirely.

I am somewhat bemused by Senator Singh's suggestion that Labor has consulted extensively with stakeholders in government. I will just quote from a couple of witnesses—well, not witnesses, because we did not have time to hold a full inquiry; it was done on the paper—for the inquiry held last year by the Legal and Constitutional Affairs Legislation Committee. The Cyberspace Law and Policy Centre of the University of New South Wales pointed out that it had 'around 10 working hours in which to collaborate on, draft and finalise a submission'. I am not sure that that constitutes extensive consultation. The Australian Privacy Foundation, who are dedicated to ensuring that the Privacy Principles apply to Australians, said that the great rush of the Labor government to get this piece of legislation through on reporting of breaches had a:

… seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.

Those comments go back to June last year, when this was an urgent, urgent piece of legislation to fix up, presumably, something that the then government had left out of the Privacy Act.

On 21 March, Minter Ellison pointed out to its clients that the bill was introduced with 'little fanfare' by Labor Senator Lisa Singh and that it brought up the same amendments that had been proposed by the then government back in June, when it was such an urgent, urgent issue. Minter Ellison said:

The timing is likely to be concerning for those entities still coming to grips with implementing the changes required by the amendments to the Privacy Act which commenced on 12 March this year.

The then opposition, the now government, did indeed support the Privacy Act put forward and the principles that changed it, but we also warned that there was no need to introduce these particular reporting requirements in a whole new piece of legislation at the same time that we were asking Commonwealth organisations and other reporting entities to get their heads and their systems around implementing the changes that were required under the Privacy Act and were to be implemented on 12 March. We have, yet again, the situation where a Labor government apparently thought it was okay to ask organisations to change their systems every 20 minutes on the whim of a government that did not have a clue what it was doing in terms of the costs it was imposing and the problems it was creating.

We only have to go back as far as the original changes to the Privacy Act that has now come into play: if it had gone ahead as the then Labor government wanted, most banks in Australia would have had to change the way they went about data processing. We were told during a committee hearing on the Privacy Act itself that a lot of data processing for Australian banks occurs offshore, including in New Zealand, yet if the legislation, as Labor drafted it, had stood this would have become at least fraught and possibly illegal. So there is a lot of good to be gained out of an inquiry process of the Senate.

I am not quite sure who Senator Singh has consulted so widely with, but certainly none of the stakeholders that I am aware of feel as though they have been consulted. To whip this legislation in now and then come up with some righteous platitudes, trying to suggest that only Labor cares about privacy, is the typical sort of stunt that one expects from a Labor opposition. It is not only Labor who cares about privacy. The basic legislation of the Privacy Act has been in operation now for a good two weeks. For heaven's sake, can we not let that settle down before we look at other changes that may very well need to be made and may in fact be useful changes?

Who knows is the problem. Who knows? This stunt appears to be designed to try to maximise some publicity out of the recent breach by the Department of Immigration and Border Protection, which, of course, this government abhors and has certainly dealt with in terms of repairing the damage that has been done as far as possible.

The model that Senator Singh would have us pass suggests that every government organisation, every reporting entity, should pass on to the Australian Information Commissioner data breaches which have given rise to a 'real risk of serious harm' to an affected individual. No-one, of course, has any issue whatsoever with that statement. The government would support the development of principles that would ensure that we were aware when serious breaches that caused real harm had occurred. The problem, of course, comes down to what exactly are we talking about when we talk about the 'real risk of serious harm'. Senator Singh says we define 'real risk' as 'not a remote risk'. Great! But what is 'serious harm'? What is a 'serious breach'? There is very little definition in it—and, of course, that will vary from individual to individual. The way to flesh out where the limits of this legislation should be, the costs that might be imposed by putting this legislation through, is to consult extensively, which certainly has not happened, with stakeholders.

The implications of this legislation, when we do not have a significant view of what constitutes 'real risk' or 'real harm', could be huge. We simply do not know where it would stop and start. Of course the people who are being asked to enforce it would not know where it should stop and where it should start. It is quite possible that if your PIN, for example, was inadvertently revealed, in some situations this could cause serious harm. It could be a serious breach. With a bank with very good security systems that could alert the individual immediately that somehow this had happened, then it may not cause serious harm or be a serious breach, because it has not caused damage to the individual.

Once again, we do not really know what the Labor Party is on about. Without having a full inquiry into how this would work, where the parameters should be, it cannot happen. But, of course, Senator Singh is not really interested in getting this legislation passed; she is interested in the smoke and mirrors of pretending to care more than the government about a principle which, of course, is one that this government more than any other has embedded into the culture of Australia. Privacy is something that has been of great concern and great interest to this government and this party. It is ridiculous of the Labor Party to suggest that they could, through their bureaucratic approach, improve the system that is in place.

The restrictive time frame on this legislation when it was first put up by the then government and the lack of analysis in most of the submissions—simply because the submitters did not have time to do it properly—was most unfortunate. There was no thorough or detailed scrutiny of this bill and there still hasn't been. All we have is the pious platitudes from Senator Singh suggesting that this is the right way to go. We have no idea how companies would be asked to interpret the legislation and what it means; we have no idea what the costs of adding this reporting process to the system would be; and we have no idea how this would interact with the current new Privacy Act that has come into force on 12 March and which companies are happily, currently, putting into place. Let us bed that down before we get on with the very real job that we would agree is vital to do, to ensure that breaches of privacy are reported to the Australian Information Commissioner and to the individuals concerned.

There is certainly an underreporting of privacy breaches in Australia. No-one is arguing about that. That needs to be fixed. But you would have thought that a piece of legislation that introduced 13 privacy principles and was supported by the now government would have come a long way towards fixing that. If it did not fix that, what was wrong with the then government, the Labor government, in the first place? Why on earth couldn't that have been a significant part of their original legislation? Let us see how the legislation that has now come into fruition—and has been operational now for just on two weeks—works before we go into the world of compulsory reporting, particularly compulsory reporting based on 'serious harm', 'real risk' and 'serious breach'. As I have pointed out, what constitutes a 'serious breach'? Certainly in the examples that Senator Singh gave no-one would have any problems saying, 'Yes, they are serious breaches of privacy principles—serious breaches,' and they have both come to public attention and they have both been dealt with. But there are many, many times when a company would need to consider whether a breach had the 'real risk', as opposed to a 'remote risk', of causing serious harm and was in fact a serious breach. These would be matters for judgement in many cases. This legislation gives companies no guidance whatsoever on what is a real risk or a serious breach or what would cause serious harm to an individual. There are, at the borders of this, many times that organisations would have to consider whether what was being proposed was in fact a problem or not a problem.

So, if Senator Singh had been serious about this legislation and wanting it to pass, she would not have snuck it into the Senate with, as Minter Ellison points out, little fanfare; she would have brought it to the attention of the Attorney-General, had it discussed and sought an inquiry from the relevant committee on this legislation so that all the stakeholders could tell us what their concerns were and how we might address any problems that were seen to be in the legislation, and she would have had the courtesy to give the many organisations that have just put new privacy principles in place a heads-up and a long time frame in which to decide how these changes might best sit with the changes that they have already had to make in the last few months to meet the new Privacy Act requirements. But none of this happened, of course, because Labor are not at all interested in getting this legislation through. They do not really care about breaches of privacy for individuals. They just care about trying to make a bit of a song and dance and carry on as though the government is in fact not looking at the issue.

It is quite bizarre that Senator Singh has chosen to approach it in this way. This legislation was allegedly urgent in June last year, according to the then government. If it was so urgent, they had plenty of opportunity to enact it. They pushed the Senate committee to make its inquiry in less than a few days. We did not have time to call witnesses; it was done on the papers. I have already used a couple of examples from the many submitters who made the point that, within that time frame, they could not put in a decent submission setting out in detail their concerns about this piece of legislation. Without any further consultation or any further work whatsoever, Senator Singh thinks that the Senate should simply roll over and put in place her piece of legislation when, as we said, no-one knows how it will pan out in practice. Without consulting the people who would have the difficulties—the onerous task—of ensuring that it goes into practice, it is ridiculous of Senator Singh to be suggesting that this legislation should go through.

I would make the point that, in the comments made by coalition senators on that extraordinarily rushed inquiry last year, we said:

Coalition senators note the concerns expressed by a number of submitters regarding the lack of definition of the terms 'serious breach' or 'serious harm' in the legislation.

Not only were the submitters concerned about the fact that there was no true definition there and in many cases it would be a matter of employing people to sit and decide what that meant; the industry also expressed great concern at the regulatory overload that the then government was putting on them or attempting to put on them. None of us would be surprised, of course, at the fact that industry—which, as I said, is driving our economy—would be complaining about regulatory overload from the then Labor government, the Rudd-Gillard government, because 'regulatory overload' was their middle name. Let us look at this legislation properly and not play political games.
