Senate debates

Thursday, 27 March 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

10:11 am

Joe Ludwig (Queensland, Australian Labor Party)

The introduction of a mandatory data breach notification requirement will be a major consumer privacy protection reform. It will enable individuals affected by a data breach to take action to prevent identity theft and fraud by taking actions such as cancelling credit cards or changing passwords. It will encourage government agencies and private sector organisations to lift their security standards and be more transparent about how they handle personal information.

The proposals in the bill had been developed over a long period of time in consultation with a diverse range of industry groups and privacy and consumer advocates—unlike what the previous speaker spoke of. The bill will require all entities currently regulated by the act to notify affected individuals and the Office of the Australian Information Commissioner where there has been a data breach that gives rise to 'a real risk of serious harm' to an affected individual. A 'real risk' is defined as 'a risk that is not a remote risk'. That is one matter that was raised a number of times by Senator Boyce in her contribution. But if the good senator had done her homework she would have gone back to the ALRC's original report dealing with data breach notifications. In that report, the ALRC provided guidance about this particular matter—real risk of serious harm. I draw the Senate's attention to provision 51.85 of the ALRC's 2008 review No.108. It says:

In international law, the term 'a real risk of serious harm' has been refined to mean 'a reasonable degree of likelihood', 'real and substantial danger' and 'a real and substantial risk'.

And the ALRC cites a case on that point, at footnote 133, which is 'R v Secretary of State for the Home Department'.

In its draft voluntary information security breach notification guide the OPC sets out a number of questions to evaluate the risk associated with the breach: 'What personal information is involved and how sensitive is it? Could the information be used for fraudulent purposes? What is the cause and extent of the breach—for example, is there a risk of ongoing breaches? Is the information easily accessible? Was the breach deliberate, or inadvertent? Who is affected, how many people are affected, and are they particularly at risk of harm? What harm could result—for example, who is the recipient of the information; could the breach lead to fraud, financial loss or humiliation; and what impact would the breach have on the organisation or agency concerned?'

This is a matter that has been well thought through. The OAIC will have the power to compel notification to affected individuals where it becomes aware, as a result of complaints by individuals or otherwise, of serious data breaches that have not been notified. The OAIC will also be given the power to exempt an entity from the notification requirements where it is in the public interest to do so.

This is a scheme that has not only had extensive consultation; it has effectively already been embodied in a guide for the Public Service since April 2012. It is certainly not new to the Public Service or, more broadly, to those who work in the privacy area, including those companies which already take steps to protect people's privacy—for the obvious reason that it is good business practice.

Notification is ultimately about empowering the consumers, the individuals, where there have been breaches. The notification itself must contain at least four key pieces of information. It should contain a description of the breach, a list of the types of personal information that were accessed or disclosed, recommendations about the steps that individuals should take in response to the breach and, finally, contact information to allow affected individuals to obtain more information or assistance. It is quite a simple scheme that allows individuals to take appropriate action where their privacy may have been compromised.

Noncompliance with the scheme would attract normal Privacy Act remedies. These could include public or personal apologies, compensation payments or enforceable undertakings. A civil penalty could be sought where there has been serious or repeated noncompliance with the mandatory notification scheme.

This proposal has strong support from state and federal information privacy commissioners, from IT security companies and from privacy and consumer advocates. Some industry groups have asked for the proposals to be delayed, citing a large privacy law workload. Most, however, believe that it would be easier for compliance purposes if the proposals were to commence with the other major privacy reforms in March 2014—which I agree with. Implementing this bill alongside those reforms would add to, not detract from, business certainty. It would help with compliance obligations for businesses as well as, more importantly, providing appropriate protections for individuals.

Delaying the proposals until the impact of the 2014 privacy reforms has been assessed would effectively postpone this action until around 2015 or 2016. This would attract, I think, significant negative criticism from consumer and privacy advocates and leave Australian developments well behind those of the US and EU in this important area. Some of the concerns raised by industry groups have been addressed in this bill, particularly those relating to the cost impacts. As a result, the bill now contains concessions to industry concerns, including more flexible notification and more clarity around the process for seeking exemption from notification requirements.

It is instructive on these issues to go back to the original ALRC report of May 2008, For your information—Australian privacy laws and practice. It said:

The Privacy Act should provide for notification by agencies and organisations to individuals affected by a data breach.

It is not simply about data breaches as an esoteric concept in the broad. As the ALRC report goes on to say:

… the primary rationale for data breach notification laws is that notifying people that their personal information has been breached can help to minimise the damage caused by the breach. Notification acknowledges the fact that a data breach potentially can expose an individual to a serious risk of harm. By arming individuals with the necessary information, they have the opportunity, for example, 'to monitor their accounts, take preventative measures such as new accounts, and be ready to correct any damage done'.

But the risks are not limited to financial matters. The ALRC report continues:

Other types of personal information, such as health information, if disclosed, could subject a person to discriminatory treatment or damage to his or her reputation. Informing a person that such information has been disclosed makes that person aware of what may be the possible consequences of the breach.

All of that points to the importance of ensuring that personal information is maintained in the appropriate way and, if it is not—if there is either an inadvertent breach or a deliberate breach—to the importance of notification. Individuals, once notified, can take appropriate action. By notifying them, you arm them—you give the individual the power to do something rather than just be a target.

A data breach notification also provides incentives to businesses to improve their data security. There are a range of reasons why some companies might not want to notify consumers. The reputational damage that could follow a high-profile data breach, or the commercial consequences of such a breach, provides a powerful incentive not to notify. This bill will ensure that they do notify and give them the proactive ability to arm individuals with the necessary things to help them deal with such a data breach. Overall, it also creates a market incentive. Those companies with good, strong data protection notification regimes or privacy alert regimes and those with good information on privacy practices will have a competitive advantage in the marketplace. Consumers and individuals will feel more confident in dealing with those types of businesses, amongst an array of competing businesses, who can stand out and say: 'When you give us your personal information, feel confident that we will protect it. If we inadvertently fail in that, we have a privacy alert in place that will proactively deal with it in a range of ways.' In today's modern business world, I think that is a far better way to deal with areas of privacy.

One of the disappointing things is that there is a long list of speakers for this bill. I assume many from those opposite want to contribute to such a positive bill from Senator Singh. I do not think they ultimately disagree with it, but I do worry that they might simply be talking it out so we do not get on to another bill, the environmental bill dealing with supertrawlers. I would not think that ordinarily; I would think everyone has a positive view about dealing with privacy. I would encourage those on the other side to support what is good public policy and what provides for good outcomes for privacy. Ultimately, I think that the government will pass the bill in this form or a similar form when the Attorney-General gets off his hands and that they will be back in this chamber supporting it.
