Thursday, 27 March 2014
Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading
I rise to speak to the Privacy Amendment (Privacy Alerts) Bill 2014. Labor believes Australians should be told when there has been a breach of their privacy. It is time that companies who are required to protect Australians' personal data should also have the complementary duty to tell a consumer when their personal data has been the subject of unauthorised public release. Businesses that already implement good privacy practices and comply with current voluntary guides from the Office of the Australian Information Commissioner, the OAIC, will have little difficulty in transitioning to the new scheme.
A consumer should have the right to know if their personal information has become compromised or if their bank or telecommunications provider has lax security standards. Consumers need to have the power to change their passwords, improve their security settings online, cancel credit cards or completely change providers such as banks and telecommunications companies.
In an increasingly digital world, more and more data and personal information is being collected from Australian families. This bill puts in place a compulsory notification regime in order to strengthen the protections around this information and build on the privacy regime Labor implemented when it was in government. The bill will require all entities currently regulated by the act to notify affected individuals and the OAIC when there has been a data breach that gives rise to a real risk of serious harm to an affected individual. A real risk is defined as a risk that is not a remote risk. Therefore, only the more serious data breaches will need to be notified—a responsible approach to implementing this important privacy regulation.
The OAIC will have the power to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified. The OAIC will also be given the power to exempt an entity from the notification requirement where it is in the public interest to do so. The bill ensures that the victims of a data breach will receive comprehensive and useful information about the circumstances of the relevant breach. Firstly, it must contain a description of the breach. Secondly, it must contain a list of the types of personal information that were accessed or disclosed. Thirdly, the notification must contain recommendations about the steps that individuals should take in response to the breach. Finally, contact information for affected individuals to obtain more information and assistance must also be included.
Noncompliance with the scheme would attract the normal Privacy Act remedies. These include public or personal apologies, compensation payments or enforceable undertakings. Under the new privacy regime enacted by the Gillard Labor government, a civil penalty can be sought where there has been serious or repeated noncompliance with mandatory notification requirements.
This bill is in substantially similar terms to the Privacy Amendment (Privacy Alerts) Bill 2013 previously introduced into the parliament in 2013 by the Gillard Labor government. It was to be the next step in the important reforms of Australia's privacy legislation being delivered by the Labor government, but the bill lapsed when parliament was prorogued ahead of the 2013 federal election.
The privacy reforms passed in the last parliament were significant Labor reforms to an area of law about which Australians are deeply concerned, and rightly so. That legislation, which has recently begun operation, delivered a number of important changes. The Privacy Act now contains a set of 13 Australian Privacy Principles which apply to Australian and Norfolk Island governments and some private sector organisations. The APPs harmonised and replaced the two sets of principles which previously applied to government and the private sector. The Office of the Australian Information Commissioner has been given new powers to assess and enforce privacy compliance and to seek civil penalties where serious breaches occur.
There are new provisions in the Privacy Act governing credit reporting. The law now provides for both more comprehensive credit reporting and an improved process for correcting reporting errors and dealing with complaints. Civil penalties now apply for certain breaches of the credit reporting provisions. The Privacy Act now provides for the recognition of external dispute resolution schemes for handling privacy complaints and for the registration of binding privacy codes.
These are all important reforms. They are important Labor reforms. It took a Labor government to enact the Privacy Act 1988 and it took a Labor government to deliver the most significant reforms to that act in the decade and a half since. Labor understands that privacy is a human right. Labor understands that technological change has made privacy a pressing everyday concern for many, many Australians. These reforms are well within the long and proud Labor tradition of consumer protection. They are an example of Labor's commitment to responsible regulation which protects rights which make a real and positive difference in the way Australians work and live.
The bill I speak to today is the next step in that package of reforms. The bill will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices. The risk of data breaches and the seriousness of their consequences have grown as new technology has allowed government and the private sector to collect more and more personal information about Australians. A data breach can severely affect an individual whose personal information has been compromised. People can lose money. Their identity can be stolen. They can be embarrassed and distressed by the release of sensitive personal information.
Labor believes that individuals should know when their privacy has been interfered with. Currently, the law imposes no obligation on organisations who suffer a data breach to notify those whose privacy has been compromised. Labor thinks that is manifestly inadequate. It is out of step with what our community expects. It is out of step with the way that technology has changed the way we live our lives. Labor is committed to act to remedy this gap in our privacy laws. We were committed to doing this in government and we remain committed to doing it in opposition.
Data breaches are of significant concern to modern Australia. There have been a number of high-profile breaches in Australia in recent times. One that comes to mind recently was the Department of Immigration in February this year, which published personal details of around 10,000 asylum seekers held in Australia. Similarly, between February 2012 and May 2013, the information of 15,775 of a telco's customers from 2009 and earlier was accessible on the internet. This included the information of 1,257 active silent customers. Previously, the personal information of approximately 734,000 customers had been made publicly available online in December 2011. Other large companies have had data breach issues as well, and the OAIC is aware of 56 data breaches in 2011-12.
But data breaches are a concern not only for individuals. The security of personal data is of commercial importance to Australian companies. Data breaches are bad for business and can be incredibly costly due to the errors that come about from them. Companies stand to lose not just time and money rectifying a data breach but also their reputation, and in a modern information economy the important trust of consumers in a company's privacy compliance is an incredibly important part of a company's goodwill. In 2012, the ABC reported that the average data breach incident in Australia cost the organisation in question some $2 million. What is more, that average cost has been steadily rising year on year.
Labor understands the importance of this issue not only to individuals but also to business and to the competitiveness of Australian companies and we have introduced this bill from opposition to ensure that appropriate action is now taken. This bill, rightly, has strong support from Australia's various information and privacy commissioners, from relevant industries, from IT security experts and from privacy and consumer advocates. But most importantly, the Australian public demand the protection this bill will provide. In a survey conducted last year, the OAIC reported that some 96 per cent of Australians believed that they should be notified of data breaches if they are affected by them.
In government, Labor consulted extensively with relevant stakeholders. We focused on making these reforms as flexible as possible. We focused on minimising the compliance burden on companies and agencies while making sure that the privacy rights of individuals are steadfastly protected. We took both industry and consumer concerns on board, and the widespread support for the bill very much reflects this. So given that the hard work of this bill has been done by Labor and given that consumers and industry support its passage, we might wonder why the new Attorney-General has sat on his hands. This month the suite of privacy reforms that were passed by the Gillard Labor government entered into force and this bill comprises an important addition to that package of reforms.
So why hasn't the government acted? Industry and the community are ready for this reform and, indeed, it will be easier for compliance if this bill could enter into operation more or less alongside the other major changes to the Privacy Act which have just now come into force. Delaying the passage of this bill would leave Australia behind developments in comparable jurisdictions, notably jurisdictions like the US and the EU. Australian consumers deserve protection every bit as good as that which the citizens of other nations enjoy, and Australian businesses must stay ahead of the curve to be competitive.
The Liberals did support this bill, though, when last in parliament and, when the bills lapsed at the conclusion of the 43rd Parliament, there were reports in the press that an incoming Liberal government would continue this important work and work towards the enactment of a privacy alert law when in government. Well, they have now had six months in power, and yet we have heard nothing from this government. Nor is it the case that the Abbott government or the Attorney-General, Senator Brandis, have more important things to do. Senator Brandis's only legislative work in the time he has been in office has been the bills he contributed to the Abbott government's repeal day media event. In many cases the main function of these bills was the correction of typographical errors and grammatical mistakes: a worthy enterprise, but not one that carries much legislative weight. As my colleagues in another place pointed out yesterday, the Attorney-General is yet to introduce any legislation of substance.
I hope that the Attorney-General's unedifying recent appearance on Alan Jones's show on 2GB radio does not indicate that he is now preparing to walk away from privacy law reform. On 14 March, in a display of disingenuousness, Senator Brandis appeared to disown the privacy laws that he and his party had voted for in the last parliament. Mr Jones put a number of confused complaints to the Attorney-General about the operation of the new credit reporting provisions of the privacy legislation, and this is what our bold Attorney-General said in the course of his response:
… these were measures that were introduced by the Gillard Government.
He said that the new privacy laws were:
… something we inherited from Gillard.
What a shameless act of buck-passing, when they supported the privacy reforms in the last parliament. The Liberal Party supported these privacy reforms in the last parliament. So though it was Labor that spearheaded these reforms, and Labor that did the hard yards, the Liberal Party did do the right thing in supporting our privacy reforms in the last parliament. They were right to do that at that time and so that is why it is now disappointing that they should not have the integrity to continue to hold to that responsible policy position—some six months have passed and they have had so many opportunities in the time we have been sitting in parliament for them to have done so.
When Australians want to know their Attorney-General's position on issues that matter to them, should they trust the way he votes in this parliament, or should they trust his throwaway lines on talkback radio? The only thing the public can count on is the opportunism of the Attorney-General. Why doesn't he have the courage of his convictions to stick by the Labor reforms that he so rightly supported? And why doesn't he explain the operation of legislation that he did vote for, rather than slinking away from it at the slightest hint of public debate—like the example I just gave of him on talkback radio? Does the Attorney-General support privacy law reform again, now that he is back in the cloisters of the parliament? What is his position on this issue which is of such importance to Australians in their everyday lives, and will continue to be important to them as we continue into this age of the digital economy?
This government and this Attorney-General might be a policy-free zone, but the Labor opposition is here to help. I sincerely hope that, as they rightly did when they were in opposition, the Liberals will support this prudent bill—this bill that is needed; this bill that will put us in step with other jurisdictions such as the EU and the US; this bill that will ensure we have certainty for consumers and for industry as we move further into this digital age. I hope the government will help us continue the good work in this area of the previous Labor government and I hope they will support this bill. I commend the bill to the Senate.
Well, here we are at Groundhog Day again! I am surprised that the opposition would want to remind the Australian people of the bureaucratic and administrative mishmash and nightmare that purported to be government by the Labor Party.
The government strongly supports all efforts to improve privacy provisions for the Australian people and Australian organisations but—surprise, surprise!—we do not support doing it in the erratic, inexperienced, unthinking way that Labor would try to go about this. This piece of legislation was first brought to the House in June last year by the then government and came to the Senate with a whole 1½ days for a committee to hold an inquiry into the effects that it would have. It, of course, was something that they apparently had forgotten to include in their first tranche of legislation on privacy—and why would we be surprised by that? In the annals of history, the FoFA—Future of Financial Advice—legislation will stand in years to come for administrators to use as an example of how never to try and go about public policy: three tranches of legislation, some of it actually contradictory; some of it requiring that an IT system that had been put in place to meet the requirements of a first bill would subsequently have to be changed—within six months, was what the government first wanted—by those working in the industry. So we had once again the usual complete inability, apparently, of the Labor Party to grasp that some people out there are trying to make profits to create jobs and to create growth in our economy. This bill that we are now debating came into that category entirely.
I am somewhat bemused by Senator Singh's suggestion that Labor has consulted extensively with stakeholders in government. I will just quote from a couple of witnesses—well, not witnesses, because we did not have time to hold a full inquiry; it was done on the paper—for the inquiry held last year by the Legal and Constitutional Affairs Legislation Committee. The Cyberspace Law and Policy Centre of the University of New South Wales pointed out that it had 'around 10 working hours in which to collaborate on, draft and finalise a submission'. I am not sure that that constitutes extensive consultation. The Australian Privacy Foundation, who are dedicated to ensuring that the Privacy Principles apply to Australians, said that the great rush of the Labor government to get this piece of legislation through on reporting of breaches had a:
… seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.
Those comments go back to June last year, when this was an urgent, urgent piece of legislation to fix up, presumably, something that the then government had left out of the Privacy Act.
On 21 March, Minter Ellison pointed out to its clients that the bill was introduced with 'little fanfare' by Labor Senator Lisa Singh and that it brought up the same amendments that had been proposed by the then government back in June, when it was such an urgent, urgent issue. Minter Ellison said:
The timing is likely to be concerning for those entities still coming to grips with implementing the changes required by the amendments to the Privacy Act which commenced on 12 March this year.
The then opposition, the now government, did indeed support the Privacy Act put forward and the principles that changed it, but we also warned that there was no need to introduce these particular reporting requirements in a whole new piece of legislation at the same time that we were asking Commonwealth organisations and other reporting entities to get their heads and their systems around implementing the changes that were required under the Privacy Act and were to be implemented on 12 March. We have, yet again, the situation where a Labor government apparently thought it was okay to ask organisations to change their systems every 20 minutes on the whim of a government that did not have a clue what it was doing in terms of the costs it was imposing and the problems it was creating.
We only have to go back as far as the original changes to the Privacy Act that has now come into play: if it had gone ahead as the then Labor government wanted, most banks in Australia would have had to change the way they went about data processing. We were told during a committee hearing on the Privacy Act itself that a lot of data processing for Australian banks occurs offshore, including in New Zealand, yet if the legislation, as Labor drafted it, had stood this would have become at least fraught and possibly illegal. So there is a lot of good to be gained out of an inquiry process of the Senate.
I am not quite sure who Senator Singh has consulted so widely with, but certainly none of the stakeholders that I am aware of feel as though they have been consulted. To whip this legislation in now and then come up with some righteous platitudes, trying to suggest that only Labor cares about privacy, is the typical sort of stunt that one expects from a Labor opposition. It is not only Labor who cares about privacy. The basic legislation of the Privacy Act has been in operation now for a good two weeks. For heaven's sake, can we not let that settle down before we look at other changes that may very well need to be made and may in fact be useful changes?
Who knows is the problem. Who knows? This stunt appears to be designed to try to maximise some publicity out of the recent breach by the Department of Immigration and Border Protection, which, of course, this government abhors and has certainly dealt with in terms of repairing the damage that has been done as far as possible.
The model that Senator Singh would have us pass suggests that every government organisation, every reporting entity, should pass on to the Australian Information Commissioner data breaches which have given rise to a 'real risk of serious harm' to an affected individual. No-one, of course, has any issue whatsoever with that statement. The government would support the development of principles that would ensure that we were aware when serious breaches that caused real harm had occurred. The problem, of course, comes down to what exactly are we talking about when we talk about the 'real risk of serious harm'. Senator Singh says we define 'real risk' as 'not a remote risk'. Great! But what is 'serious harm'? What is a 'serious breach'? There is very little definition in it—and, of course, that will vary from individual to individual. The way to flesh out where the limits of this legislation should be, the costs that might be imposed by putting this legislation through, is to consult extensively, which certainly has not happened, with stakeholders.
The implications of this legislation, when we do not have a significant view of what constitutes 'real risk' or 'real harm', could be huge. We simply do not know where it would stop and start. Of course the people who are being asked to enforce it would not know where it should stop and where it should start. It is quite possible that if your PIN, for example, was inadvertently revealed, in some situations this could cause serious harm. It could be a serious breach. With a bank with very good security systems that could alert the individual immediately that somehow this had happened, then it may not cause serious harm or be a serious breach, because it has not caused damage to the individual.
Once again, we do not really know what the Labor Party is on about. Without having a full inquiry into how this would work, where the parameters should be, it cannot happen. But, of course, Senator Singh is not really interested in getting this legislation passed; she is interested in the smoke and mirrors of pretending to care more than the government about a principle which, of course, is one that this government more than any other has embedded into the culture of Australia. Privacy is something that has been of great concern and great interest to this government and this party. It is ridiculous of the Labor Party to suggest that they could, through their bureaucratic approach, improve the system that is in place.
The restrictive time frame on this legislation when it was first put up by the then government and the lack of analysis in most of the submissions—simply because the submitters did not have time to do it properly—was most unfortunate. There was no thorough or detailed scrutiny of this bill and there still hasn't been. All we have is the pious platitudes from Senator Singh suggesting that this is the right way to go. We have no idea how companies would be asked to interpret the legislation and what it means; we have no idea what the costs of adding this reporting process to the system would be; and we have no idea how this would interact with the current new Privacy Act that came into force on 12 March and which companies are happily, currently, putting into place. Let us bed that down before we get on with the very real job that we would agree is vital to do, to ensure that breaches of privacy are reported to the Australian Information Commissioner and to the individuals concerned.
There is certainly an underreporting of privacy breaches in Australia. No-one is arguing about that. That needs to be fixed. But you would have thought that a piece of legislation that introduced 13 privacy principles and was supported by the now government would have come a long way towards fixing that. If it did not fix that, what was wrong with the then government, the Labor government, in the first place? Why on earth couldn't that have been a significant part of their original legislation? Let us see how the legislation that has now come into fruition—and has been operational now for just on two weeks—works before we go into the world of compulsory reporting, particularly compulsory reporting based on 'serious harm', 'real risk' and 'serious breach'. As I have pointed out, what constitutes a 'serious breach'? Certainly in the examples that Senator Singh gave no-one would have any problems saying, 'Yes, they are serious breaches of privacy principles—serious breaches,' and they have both come to public attention and they have both been dealt with. But there are many, many times when a company would need to consider whether a breach had the 'real risk', as opposed to a 'remote risk', of causing serious harm and was in fact a serious breach. These would be matters for judgement in many cases. This legislation gives companies no guidance whatsoever on what is a real risk or a serious breach or what would cause serious harm to an individual. There are, at the borders of this, many times that organisations would have to consider whether what was being proposed was in fact a problem or not a problem.
So, if Senator Singh had been serious about this legislation and wanting it to pass, she would not have snuck it into the Senate with, as Minter Ellison points out, little fanfare; she would have brought it to the attention of the Attorney-General, had it discussed and sought an inquiry from the relevant committee on this legislation so that all the stakeholders could tell us what their concerns were and how we might address any problems that were seen to be in the legislation, and she would have had the courtesy to give the many organisations that have just put new privacy principles in place a heads-up and a long time frame in which to decide how these changes might best sit with the changes that they have already had to make in the last few months to meet the new Privacy Act requirements. But none of this happened, of course, because Labor are not at all interested in getting this legislation through. They do not really care about breaches of privacy for individuals. They just care about trying to make a bit of a song and dance and carry on as though the government is in fact not looking at the issue.
It is quite bizarre that Senator Singh has chosen to approach it in this way. This legislation was allegedly urgent in June last year, according to the then government. If it was so urgent, they had plenty of opportunity to enact it. They pushed the Senate committee to make its inquiry in less than a few days. We did not have time to call witnesses; it was done on the papers. I have already used a couple of examples from the many submitters who made the point that, within that time frame, they could not put in a decent submission setting out in detail their concerns about this piece of legislation. Without any further consultation or any further work whatsoever, Senator Singh thinks that the Senate should simply roll over and put in place her piece of legislation when, as we said, no-one knows how it will pan out in practice. Without consulting the people who would have the difficulties—the onerous task—of ensuring that it goes into practice, it is ridiculous of Senator Singh to be suggesting that this legislation should go through.
I would make the point that, in the comments made by coalition senators on that extraordinarily rushed inquiry last year, we said:
Coalition senators note the concerns expressed by a number of submitters regarding the lack of definition of the terms 'serious breach' or 'serious harm' in the legislation.
Not only were the submitters concerned about the fact that there was no true definition there and in many cases it would be a matter of employing people to sit and decide what that meant; the industry also expressed great concern at the regulatory overload that the then government was putting on them or attempting to put on them. None of us would be surprised, of course, at the fact that industry—which, as I said, is driving our economy—would be complaining about regulatory overload from the then Labor government, the Rudd-Gillard government, because 'regulatory overload' was their middle name. Let us look at this legislation properly and not play political games.
Normally it would be uncharacteristic of me to comment on a previous senator's contribution, other than to indicate that perhaps it was a little muddled and a little circuitous in its argument. But, nonetheless, it gives me an opportunity to correct some of the misconceived ideas in the contributions that have been made by those opposite on this important bill, the Privacy Amendment (Privacy Alerts) Bill 2014.
Labor is a proud champion of the rights of Australians, including the right to privacy—unlike, it appears, those opposite, but that surprised me nonetheless. Unlike the Liberal and National Party government, who have shown a blatant disregard for the rights of Australians, whether against racial discrimination or against breaches of privacy, in this instance Labor is taking action. It is deplorable that it takes an opposition to do what is, in effect, basic work of a government.
This bill provides another simple, basic plank in the protection of the right of Australian citizens to have their data held safely and, when breaches occur, to be notified. It is a very simple concept. The Australian government is the custodian of some of the most sensitive data and information of individuals. It is imperative that government departments and agencies act above and beyond best practice in the handling, management and storage of and access to the data of individuals.
It was the Liberal and National government who dispassionately oversaw the release of thousands of personal details of people in the government's care. It took a news outlet, The Guardian, to alert the department and cause it to act responsibly. That is in the face of what already exists on the record, which is the April 2012 document Data breach notification—a guide to handling personal information security breaches, a guideline produced by an Australian government agency, the Office of the Australian Information Commissioner. One would have thought the government would at least have managed to follow those guidelines, but no. If that is the standard that this government has for the privacy of people in its direct care and responsibility then it is apparent what its disregard for privacy as a whole would be.
Only Labor cares about the rights of individuals to have their privacy protected. It is, frankly, damning in the extreme that the government has not picked up the work of the former government and continued this important reform. It speaks volumes of the priorities and the choices being made by the Abbott government. Whether it is letting jobs and industries fall off the cliff, or tearing away the basic protections against racial discrimination, or instituting knights and dames—which I think is becoming comical—it is now clear that this government stands for little and is doing little. The Abbott government is not standing up for Australians and is not working in the best interests of their privacy or their rights.
I notice that the Attorney-General is in the chamber, so let us consider his track record. Let us look at what he has done during the six months he has been in office. Has he introduced measures to protect privacy? No. Has he looked at a reform agenda? If you put the Racial Discrimination Act in that bin, I think the answer is no. The only piece of legislation the Attorney-General has introduced into the parliament is to correct typos in a bill dating back to 1901! How apt it is that this anachronistic Attorney-General's first priority in this chamber has been correcting commas and removing hyphens from words such as 'email' rather than protecting the important rights of Australian citizens. This is an Attorney-General who has become absolutely catatonic when it comes to being the first law officer of the land. He has ground his department to a screaming halt—no reforms, no protections, no actions. After his 'commas and hyphens bill' his first priority—and I quote his own cabinet colleagues—has been 'to drink the right wing Kool-Aid'. That comment does not come from this side; it comes from his own side. His own cabinet and backbench have had to pull him away from the ideological cliff. Be that as it may, I think the truth is that the Attorney-General has his eyes on the bigger prize—and Senator Abetz, the leader in this place, does seem to be looking over his shoulder. I think—
If the Attorney-General were serious, he would be in the business of actual law reform. The privacy legislation was ready to go, but it has been sitting on the Attorney-General's windowsill, yellowing with age. Mr Acting Deputy President, you can picture the Attorney-General sitting in his office—or, as he called it yesterday, his 'chambers'—probably wearing his robe and wig, calling public servants to 'come hither'. And up they would run, with their briefs in their arms. But there would be not one brief about reform, not one that the first law officer of the land could sign off on that deals with privacy or protections for individuals. Instead, there would be one about commas and hyphens. Frankly, I think we need an Attorney-General who is a little bit more in touch. The bill will implement—
The introduction of a mandatory data breach notification requirement will be a major consumer privacy protection reform. It will enable individuals affected by a data breach to take action to prevent identity theft and fraud by taking actions such as cancelling credit cards or changing passwords. It will encourage government agencies and private sector organisations to lift their security standards and be more transparent about how they handle personal information.
The proposals in the bill had been developed over a long period of time in consultation with a diverse range of industry groups and privacy and consumer advocates—unlike what the previous speaker spoke of. The bill will require all entities currently regulated by the act to notify affected individuals and the Office of the Australian Information Commissioner where there has been a data breach that gives rise to 'a real risk of serious harm' to an affected individual. A 'real risk' is defined as 'a risk that is not a remote risk'. That is one matter that was raised a number of times by Senator Boyce in her contribution. But if the good senator had done her homework she would have gone back to the ALRC's original report dealing with data breach notifications. In that report, the ALRC provided guidance about this particular matter—real risk of serious harm. I draw the Senate's attention to provision 51.85 of the ALRC's 2008 review No.108. It says:
In international law, the term 'a real risk of serious harm' has been refined to mean 'a reasonable degree of likelihood', 'real and substantial danger' and 'a real and substantial risk'.
In its draft voluntary information security breach notification guide the OPC sets out a number of questions to evaluate the risk associated with the breach: 'What personal information is involved and how sensitive is it? Could the information be used for fraudulent purposes? What is the cause and extent of the breach—for example, is there a risk of ongoing breaches? Is the information easily accessible? Was the breach deliberate, or inadvertent? Who is affected, how many people are affected, and are they particularly at risk of harm? What harm could result—for example, who is the recipient of the information; could the breach lead to fraud, financial loss or humiliation; and what impact would the breach have on the organisation or agency concerned?'
This is a matter that has been well thought through. The OAIC will have the power to compel notification to affected individuals where it becomes aware, as a result of complaints by individuals or otherwise, of serious data breaches that have not been notified. The OAIC will also be given the power to exempt an entity from the notification requirements where it is in the public interest to do so.
This is a scheme that has not only had extensive consultation; it has effectively already been embodied in a guide for the Public Service since April 2012. It is certainly not new to the Public Service or, more broadly, to those who work in the privacy area, including those companies which already take steps to protect people's privacy—for the obvious reason that it is good business practice.
Notification is ultimately about empowering the consumers, the individuals, where there have been breaches. The notification itself must contain at least four key pieces of information. It should contain a description of the breach, a list of the types of personal information that were accessed or disclosed, recommendations about the steps that individuals should take in response to the breach and, finally, contact information to allow affected individuals to obtain more information or assistance. It is quite a simple scheme that allows individuals to take appropriate action where their privacy may have been compromised.
Noncompliance with the scheme would attract normal Privacy Act remedies. These could include public or personal apologies, compensation payments or enforceable undertakings. A civil penalty could be sought where there has been serious or repeated noncompliance with the mandatory notification scheme.
This proposal has strong support from state and federal information privacy commissioners, from IT security companies and from privacy and consumer advocates. Some industry groups have asked for the proposals to be delayed, citing a large privacy law workload. Most, however, believe that it would be easier for compliance purposes if the proposals were to commence with the other major privacy reforms in March 2014—which I agree with. Implementing this bill alongside those reforms would add to, not detract from, business certainty. It would help with compliance obligations for businesses as well as, more importantly, providing appropriate protections for individuals.
Delaying the proposals until the impact of the 2014 privacy reforms has been assessed would effectively postpone this action until around 2015 or 2016. This would attract, I think, significant negative criticism from consumer and privacy advocates and leave Australian developments well behind those of the US and EU in this important area. Some of the concerns raised by industry groups have been addressed in this bill, particularly those relating to the cost impacts. As a result, the bill now contains concessions to industry concerns, including more flexible notification and more clarity around the process for seeking exemption from notification requirements.
It is instructive on these issues to go back to the original ALRC report of May 2008, For your information—Australian privacy laws and practice. It said:
The Privacy Act should provide for notification by agencies and organisations to individuals affected by a data breach.
It is not simply about data breaches as an esoteric concept in the broad. As the ALRC report goes on to say:
… the primary rationale for data breach notification laws is that notifying people that their personal information has been breached can help to minimise the damage caused by the breach. Notification acknowledges the fact that a data breach potentially can expose an individual to a serious risk of harm. By arming individuals with the necessary information, they have the opportunity, for example, ‘to monitor their accounts, take preventative measures such as new accounts, and be ready to correct any damage done’.
But the risks are not limited to financial matters. The ALRC report continues:
Other types of personal information, such as health information, if disclosed, could subject a person to discriminatory treatment or damage to his or her reputation. Informing a person that such information has been disclosed makes that person aware of what may be the possible consequences of the breach.
All of that points to the importance of ensuring that personal information is maintained in the appropriate way and, if it is not—if there is either an inadvertent breach or a deliberate breach—to the importance of notification. Individuals, once notified, can take appropriate action. By notifying them, you arm them—you give the individual the power to do something rather than just be a target.
A data breach notification also provides incentives to businesses to improve their data security. There are a range of reasons why some companies might not want to notify consumers. The reputational damage that could follow a high-profile data breach, or the commercial consequences of such a breach, provides a powerful incentive not to notify. This bill will ensure that they do notify and give them the proactive ability to arm individuals with the necessary things to help them deal with such a data breach. Overall, it also creates a market incentive. Those companies with good, strong data protection notification regimes or privacy alert regimes and those with good information on privacy practices will have a competitive advantage in the marketplace. Consumers and individuals will feel more confident in dealing with those types of businesses, amongst an array of competing businesses, who can stand out and say: 'When you give us your personal information, feel confident that we will protect it. If we inadvertently fail in that, we have a privacy alert in place that will proactively deal with it in a range of ways.' In today's modern business world, I think that is a far better way to deal with areas of privacy.
One of the disappointing things is that there is a long list of speakers for this bill. I assume many from those opposite want to contribute to such a positive bill from Senator Singh. I do not think they ultimately disagree with it, but I do worry that they might simply be talking it out so we do not get on to another bill, the environmental bill dealing with supertrawlers. I would not think that ordinarily; I would think everyone has a positive view about dealing with privacy. I would encourage those on the other side to support what is good public policy and what provides for good outcomes for privacy. Ultimately, I think that the government will pass the bill in this form or a similar form when the Attorney-General gets off his hands and that they will be back in this chamber supporting it.
I start my contribution by suggesting to Senator Ludwig that his attempt at humour at the expense of the Attorney-General was not only tawdry but a complete failure. I am sure Senator Brandis enjoyed it! I can see him now trembling at the vicious attack with a lettuce leaf! I suggest to Senator Ludwig that he sticks to his day job, like single-handedly destroying the northern beef cattle industry. I have been here awhile and Senator Brandis is one of the best attorneys-general I have seen in this parliament. Certainly in the last six years there is no comparison. He is a lawyer, a deep thinker and someone who understands the importance of his role. He is able to contribute not only with style but with expertise, common sense and a deep understanding of the law. Senator Ludwig's attempt at a humorous attack on the best Attorney-General I have seen was a complete failure.
Senator Ludwig did suggest that the Privacy Amendment (Privacy Alerts) Bill 2014 was sitting on the Attorney's windowsill going yellow in the sunlight, or some other such analogy. If this bill is so important, why did the former government leave it until the dying days of the Rudd-Gillard-Rudd governments to try to get it through? If it is as important as Senator Ludwig is saying, one wonders why it took the Labor Party 5½ years to get to where it is?
I do want to comment on the provisions of the bill. Before I do that, I pose this question to the other speakers in this debate, particularly to the Greens political party. I would guess that because it is a Labor bill, the Greens political party will be supporting it. I have no rationale for that, except Labor and the Greens seem to vote together on everything and have done for years. I wonder what Senator Ludlam will say in his contribution to this bill? It might be a little hard for him to contribute to the bill because I understand he is wagging it from his paid job in the Senate these last couple of weeks and is in Western Australia campaigning in a political campaign. As I understand it, he is being paid to be here working in this chamber.
He is not here contributing to the debate, but perhaps other Greens senators who will speak might be able to answer this query. What do the Greens say about Senator Ludwig's attempt to bring into the parliament two people of questionable legality to give evidence at a parliamentary committee? I refer to Senator Ludwig's attempt to call as witnesses Mr Assange and Mr Snowden. Mr Snowden has been described in this chamber as a traitor to his country. Those two gentlemen, as I understand it, have no respect for anyone's privacy and certainly no respect for their nation's privacy—that is, their nation's security. Yet, here we have the Greens talking about privacy, indicating how important it is, when they are wanting to bring to a parliamentary committee two people who do not respect privacy at all and in fact disrespect privacy to the highest degree in that they have no regard for the security of their own nations.
So it will be interesting to see how the Greens will distinguish their support for their friends in the Labor Party on this and every other bill with their attempt to destroy everyone's privacy by getting Snowden and Assange to give evidence. If they do give evidence, it might be interesting if they tell the world just how they hacked into everyone's privacy, into the national privacy. Perhaps we can all learn something from them if we can get the details on how they hacked into the nation's privacy. So I will be listening to the debate very keenly to hear how the Greens address those issues.
The Privacy Amendment (Privacy Alerts) Bill 2014 is similar to a bill that, as I mentioned, was introduced by the Labor government in 2013. I again repeat the point that if there is a concern about the passage of this bill, why didn't the Labor government do something about it in the previous six years rather than leaving it to a couple of days before the last parliament was prorogued? It did actually pass through the House of Representatives in June last year.
The bill was considered by the Senate Legal and Constitutional Legislation Committee, which reported to the Senate on 24 June. Senator Boyce in her quite distinguished and perceptive contribution—she was a member of the Senate Legal and Constitutional Legislation Committee at the time it considered the bill—to this debate spoke with some authority. She had actually sat through the hearings of the legislation committee's inquiry into the forerunner of this bill.
Senator Boyce and then Senator Humphries provided some additional comments to the report of the committee, which of course had a Labor majority. They expressed some concern at the lack of definition of the terms 'serious breach' or 'serious harm' in the legislation. As I read their report and listened to Senator Boyce, they also cited concerns about the regulatory overload for business.
The regulatory overload for business is costing our country money. We have made it quite clear in our pre-election commitments and by actions since then that we understand the impost of regulatory burden on business, particularly small business, and we are trying to do something about it. We have introduced several bills into the other house trying to get rid of some of the regulation that costs Australia so dearly, that makes Australia uncompetitive in its trading activities around the world and uncompetitive within our own country.
Here we are, as a government, trying to reduce the regulatory burden to encourage business activity—that is, to encourage employment, to heighten our standard of living in this country. At the same time, the Labor Party and the Greens are doing everything possible to, again, impose regulation on the Australian public, and particularly on business. That is because the Labor Party and the Greens particularly have this inflated view that people are not capable of looking after themselves; that they in the Labor Party and the Greens know better how to regulate people's lives and people's businesses than people, business men and women. A classic example of this was the embarrassment of the Senate inquiries into the Qantas issue where the Green senators tried to suggest to one of the biggest businesses in the world how they should run a business. It was laughable. If anyone had a look at the transcript of those two Senate inquiries, they would appreciate just how embarrassing it is to sit in on those committees and hear some of the inane questions that were asked by Greens and Labor senators about a multinational business—I digress slightly. I want to get back to my point: we are trying to reduce regulation; the Labor Party and the Greens are trying to increase it.
Comment on the regulatory impact of this bill was made in the dissenting report of coalition senators when this bill last came before the parliament. The last bill was intended to strengthen the existing voluntary data breach notification framework in order to counter underreporting of data breaches and to help prevent or reduce the effects of serious crimes like identity theft. The previous bill, on which this bill is based, was predicated on the general requirements of the Australian Privacy Principle 11, which requires regulated entities to hold personal information to prevent loss, unauthorised disclosure or misuse of that personal information. The 2014 bill, the one we are debating today, operates in much the same way.
The proposed model would create a requirement to identify the Office of the Australian Information Commissioner, which I will subsequently refer to as OAIC, and affected individuals where there has been a data breach which has given rise to a real risk of serious harm to the affected individual. That was the ALRC's recommended approach. A 'real risk' is defined as a risk that is not a remote risk. This would mean that entities would not be required to report less serious privacy breaches to affected individuals or to the OAIC.
If I can pause there again and refer to the Assange and Snowden issue, where the Greens are trying to get these people to give evidence in some Senate inquiry about electronic security, electronic transmission of data and electronic storage of data. As I say, it is going to be fascinating to see what the Greens think that Mr Assange and Mr Snowden can tell us about maintaining people's privacy when, quite clearly, they are two persons who have no regard for anyone's privacy.
The bill before us has a requirement to notify that would apply to data breaches involving personal information, credit-reporting information, credit eligibility information and tax file number information. So where there were breaches relating to those things there would be a requirement to notify. I wonder whether—again, referring to Assange and Snowden—we should perhaps even put into the legislation where there are data breaches for the nation's personal information; that is, its security.
But the content requirements of the notification are, at a minimum, a description of the breach, a list of the kinds of personal information concerned, contact information for affected individuals to obtain more information and assistance, and recommendations about the steps that individuals would take in response to the breach. There are several other provisions of this bill, which my colleague Senator Boyce has explained and which, I am sure, others will as well during their contribution.
I believe that this is a bill that the parliament should not be pressured into agreeing to without giving it full and proper consideration. I would suggest that the move by the Labor Party to introduce the bill without appropriate consultation is premature. This was the thought of coalition senators on the committee that inquired into a similar bill last year.
Can I suggest that, if the opposition were serious about privacy issues and this bill in particular, they might have introduced this bill in a proper way, which would have included informing us a bit earlier of their proposals to bring this forward. I understand there was very little notice given by the opposition to anyone or to the government generally that this bill was to be introduced. If they wanted to really address the issue, I suggest that they should have taken the opportunity to consult more widely.
It is clear that the government is not opposed to considering proposals that improve data security practices. Measures that enhance the protection of security of personal information of Australians are critical. However, I do refer the Senate to some comments made by business figures when the matter came before the Senate committee last time. The Communications Alliance argued that specific actions outlined in one of the provisions are contrary to good business practice, as reflected in the OAIC guide. Indeed, they said:
… good business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying—and potentially confusing or alarming customers—than containing the breach, rectifying the issue and preventing its reoccurrence.
That indicates the sort of concerns that were raised, which I think are still current.
As I say, I am not opposed and I understand that the government is not opposed to considering proposals that improve data security services. But a lot more work has to be done, including consulting broadly on the implications of a mandatory notification scheme. I suggest to the mover of this motion that this has not been done and that we need to consult broadly with both community and industry. Until that is done and until all of the matters that were raised and, I might say, highlighted in the additional comments by coalition senators in the report of the committee that looked at the previous bill have been considered, then I do not think we should be rushed into this.
The government is not prepared to agree to a proposal without giving it full and proper consideration. I emphasise that we on this side of the chamber have always thought of the broader principles of privacy protection for individuals. We have previously expressed concerns about the detail of this bill. Given the importance of the matter, we continue to express those same concerns, including that a thorough and detailed scrutiny be afforded to this bill.
I too rise to speak on the Privacy Amendment (Privacy Alerts) Bill 2014, which contains proposed amendments to the Privacy Act. It is really disappointing that for the second time in a week we are standing here and discussing a bill that we support in principle. The concept of improving the provisions of security around privacy of information is something that I do not think anybody in this place would dispute as being a terribly important thing for us to do to maximise the protection of individuals. It is very frustrating that, instead of being able to stand up here today and say how fabulous this bill is and that we can support it, we cannot. Once again, there has been a lack of consultation and a lack of regard by those on the other side for the reasonably simple and sensible changes that we would have expected.
As you have probably heard in previous contributions, Mr Acting Deputy President, this bill was substantively put before the House of Representatives in 2013. That bill was passed in the House of Representatives but the coalition, which was in opposition at the time, expressed a level of concern about a number of things in it. So the bill was subsequently sent up to this place and referred off to the appropriate committee for investigation. A report came back from the coalition senators—who, at the time, were a minority on the Legal and Constitutional Affairs Legislation Committee looking into the bill—with additional comments suggesting that they would like to see some things done to make the bill more appealing in order for them to support it. Now in 2014 we find that the bill has just been plonked down again, without those opposite taking any of the issues that were raised at that time into account. Once again, there has been no consultation and no attempt to address any of those issues raised—and many of them were quite simple.
I was just reading through the comments made by the coalition senators about the 2013 bill, and I would have thought that those opposite might have thought those comments warranted further investigation. The Cyberspace Law and Policy Centre of the University of New South Wales Faculty of Law highlighted that it had around 10 working hours in which to collaborate on a draft on the bill and finalise its submission. The Australian Privacy Foundation also made the comment:
... seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.
It seems to me that it would not actually be all that difficult to go out and deal with a number of these organisations, which obviously have a major input and a major interest in this area, to find out what their concerns are in relation to this bill, because they are the ones who actually have to deal with the fall-out when this legislation is passed without consultation and fails. I would have thought that it was a pretty simple thing for us to be able to do that. I condemn those opposite for not having dealt with their concerns, albeit minor as they may well have seemed at the time, in the reintroduction of a very similar bill to that which was before this place in 2013.
The really sad thing is that this seems to be a bit of trend. Only last week we were before this place speaking on a bill about the Woomera prohibited area. As a fellow South Australian, Mr Acting Deputy President Fawcett, I am sure you would have had concerns about it, because we would like to see the economic potential of this area unlocked for the benefit of our fellow citizens in South Australia. But, once again, we had a bill that was rushed into this place without the appropriate consultation with the wide range of people who are interested in this area, particularly when we had made it quite clear that we were very keen to see legislation passed to assist with the unlocking of this land. I believe it was only this week that the government's bill in relation to the Woomera prohibited area was introduced in the other place. We see these silly, rushed political exercises by those opposite in bringing these sorts of bills into this place when there is a proper process. A sensible consultation process needs to be undertaken and it is very, very frustrating that we are seeing silly politics being played when it would be really nice to see some good outcomes instead.
This whole concept of policy on the run probably warrants a little more comment because it does have some very, very serious implications. Even with the best intent and the best of ideas, if you do not actually get the details sorted out, you can cause yourself amazing and significant problems. You have often heard the saying, 'the devil is in the detail'—and that is often the case with legislation and regulation. The unintended consequences of ill-conceived or not properly researched and consulted policy can have major impacts. I can assure you, Mr Acting Deputy President, having been a business person before I came into this place, I have seen the consequences of policy that has not been properly thought out and the people who were the recipients of that policy affected by it, because nobody actually bothered to go out and speak to them. They are the people who will be able to tell you, 'If you do this, this is what the consequence will be in reality.' It is not something that you will find in a textbook. It is not something that you will learn at university. It is not something that your union mates will have told you about. You need to speak to the people who are going to be impacted by the changes in legislation.
I can think of millions of examples of this, but none more than the current debacle which was revealed last night in the NBN interim report. The problem with the NBN was not the concept of providing faster, more reliable and more affordable internet services to the majority of Australians. We all support that as a concept. There is no argument about that in any party, whether it be a minority party, a majority party or the Independents in this place. We would all like to see that as an outcome. But what we do not want to see is policy that is developed on the back of a serviette during a VIP flight from Perth, which ends up costing the Australian public way more than it can possibly afford or which makes promises that were never able to be kept because the capacity to keep them was never there—simply because nobody had thought through the details or the machinery behind the delivery of the particular promise. Last night we saw a terribly pathetic attempt to try to defend a legacy that was totally indefensible—a policy developed on the back of a serviette—whereby we have ended up spending nearly $8 billion and managed to provide less than three per cent of Australians with access to the NBN. We can go on: pink batts and the thought-bubble that was GroceryWatch.
It stresses the importance of doing two things: making sure you are properly researched and properly prepared; and making sure you speak to the people at the grassroots level who will be affected by the policy, regulation or legislation. There is no question that we came into this place saying that we would be a government that tried to reduce the regulatory burden—and no-one disagrees that there is a need for regulation in some areas—but there has been an extraordinary increase in the number of regulations placed on the Australian community over the last six years and before that by state governments. There is a need to ensure that, whenever you put legislation before this place, you have made a sensible and thorough assessment of the regulatory impact so that you are not simply putting in a regulation for the sake of regulation. There has to be a need, a benefit; and this confirms that.
We have made it clear that we are not going to regulate for anything unless we have to and that we are intending to reduce the level of regulation out there in the marketplace. Only last week the coalition introduced a suite of bills into the lower house that outlined areas where we think there has been unnecessary and burdensome regulation placed on the Australian public and businesses for too long. The concerns that have been raised about this particular bill are not insurmountable, but we draw attention to the constant attempts by those opposite to dump things into this place. You have to start wondering whether it is simply distracting and malicious activity.
The other issue that came out of this bill—and unlike others in this place, I am no lawyer—is that of definition. In the coalition senators' dissenting report in 2013, they noted the concerns expressed by a number of submissions on the lack of definition of the terms 'serious breach' or 'serious harm' in the legislation. I have had a quick look through the legislation and the explanatory memorandum this morning, and the memorandum refers to:
Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.
That sounds interesting, but how would you assess that in your institution which holds cold private information for the people you look after? How does someone in one of these institutions make a determination about what constitutes 'psychological harm' or 'injury to feelings'?
If we went around this chamber and surveyed all 76 senators about whether something had injured their feelings, you would probably get 76 different responses. You only need to look at some of the comments from the South Australian election. A pamphlet was put out in relation to one of our candidates. I know this is not about a breach of privacy or security, but it does emphasise the point of how you determine whether something is criminal in nature or whether it is something to be legislated for. The pamphlet basically dog whistled that one of our candidates because of her surname might have been a Middle Eastern terrorist. That may have hurt her feelings—and it probably did—and it may have been humiliating, but the question has to be: did this cause her serious harm? She might have thought it did. It goes to the point of how do you define these sorts of spurious terminologies—'as well as injury to feelings'? I find that an extraordinary thing to put in the explanatory memorandum.
Most concerning of all in this bill—the Privacy Amendment (Privacy Alerts) Bill 2014, a bill for an act to amend the Privacy Act 1998 and related purposes—are the definitions found in division 3. Clause 26ZF 'real risk' is defined as:
For the purposes of this Part, real risk means a risk that is not a remote risk.
And 'harm' is defined as:
For the purposes of this Part, harm includes:
(a) harm to reputation; and
(b) economic harm; and
(c) financial harm.
However, there is also 'serious harm', so I am not sure whether we are talking about 'harm' or 'serious harm'. What is the difference between 'harm' and 'serious harm' in that context? It talks about 'serious harm' in one context and defines 'harm' in another context: does that mean we are not talking about the same thing? In the other schedule of amendments, it says 'the access or disclosure will result in real risk of serious harm', but we do not have a definition of 'serious harm'; we only have a definition of 'harm'.
That is one difficulty I picked up this morning. I would suggest the bill has been rushed. It would be nice to think that, in the future, we might be able to have a thorough and rigorous process that would allow us to deal with all those sorts of little, petty issues which, I am sure, the average person out there who was not affected or impacted on by this particular legislation probably would think we were just being pedantic about. But it highlights the fact that sometimes just the use of a word or a phrase, a comment here or there that has not been thought through properly, can actually have quite a significant impact.
In conclusion, I and all of my colleagues on this side of the chamber support the provisions that ensure and maximise the protection of the individual from security breaches. We have absolutely no issue whatsoever with making sure that people are protected—or, at least, advised if there is something that is likely to be a problem to them.
What we do not support is something that has been just put through, I believe, because of some political motivation, as a political trick. It is something that could have been very easily fixed by just coming back to this place and speaking in an adult way, and by going back through the committee process to make sure that the concerns of everybody on the committee were addressed and speaking to the people in the community who are most likely to be impacted on by these changes. If we had just gone through that very simple process, we could be standing here today and enabling an amended version of this bill to go through.
Instead, we are standing here today, once again, saying, 'Guys, you haven't done your homework, and if you don't do your homework you're not going to pass.' We all went to school and we all knew that, the harder you worked and the better the research you did, the better your pass mark would be. And, once again, regrettably, you on the other side have got a fail.
I, too, rise this morning to make my contribution to the debate on the Privacy Amendment (Privacy Alerts) Bill 2014. This bill deals with the very real issue of data security and citizens' relationship to that. It deals with how we protect the privacy of the individual in the internet age.
Predominantly, we are looking at data mining, for instance, being quite a profitable business. The University of Newcastle has done a bit of work in this area. The data mined can be collected, traded, analysed et cetera to ascertain a lot of detailed information about the individual: their preferences, what they like to eat, what they like to purchase, what they like to do with their leisure time and even how they think. Putting all that data together can allow the state, businesses, other individuals, security agencies—a whole raft of individuals and organisations—to understand the individual in a new way that is very different from before.
I think it raises some serious questions for us as a government as to how we ensure that the privacy of the individual is maintained within this environment, as more and more individuals use social media and the internet for a wider and wider variety of purposes, disclosing more and more about their private lives. There used to be a very clear distinction between your public life, which government is allowed to have a role in, and, from my perspective, your private life, which government is not allowed to have a role in. That line is becoming increasingly blurred through the increasingly pervasive—though often useful—role which the internet plays in our everyday lives. So this bill before us looks at that. Also, the University of Newcastle says it is not just the information itself—because obviously there are technological ways in which we can protect identity—but also the patterns that are useful to purchasers. The patterns gleaned from databases can lead to identification of an individual. That is how sophisticated we have become. So it is not just the individual markers themselves but the patterns within the databases that can cause issues.
When we look at how businesses use databases, we like to consider what the Bank of America did during Davos. They watched social media and looked at what was trending on Twitter in order to promote the bank's brand among people interested in economic issues by publishing real-time content related to the conference. So the bank itself was using social media and data to reach those individuals with highly sophisticated messages. To quote the senior vice president of the bank:
The data comes into the room from many sources, and you have to use that data like a modern-day orchestra leader, blending the inputs in real time in a combination that is as much an art as a science …
So the sophistication is growing, and we are concerned to ensure that the privacy of the individual is maintained.
I share the concerns aired in Bruce Nolop's blog under the heading, 'Why I hate what big data means for privacy'. He says:
… I fear potential abuses by law enforcement and national-security surveillance programs, and find the threat of cyberattacks, a la the Target experience, to be disconcerting. As citizens and consumers, we should demand safeguards against these risks, but recognize that breaches will be inevitable.
… … …
I hate the fact that if I use a search engine to research a topic, my screen space becomes inundated with advertisements for related products or services.
So it is a problem. That problem is growing and it is one that I think all of us involved in this space are concerned about.
But what concerns me about the bill before us today is that this is a huge issue. It is an international issue. Yet, in typical Labor Party fashion, when a bill very similar to this one came before the 43rd Parliament, only two days were given for public comment. It opened on the 18th and closed on the 20th. When we look at the scope of the issue itself, this is an issue that other governments internationally are dealing with and grappling with. We had two days to get our heads around the issue itself and potential solutions and to decide whether a bill very similar to the bill before us was actually going to deal with those issues and was going to result in an outcome that did protect the citizens of Australia in a way that did not impinge or overregulate an environment.
But, you know, that is the Labor way. Putting the bill before us today is, quite simply, an attempt by Labor to keep pushing through their failed legislative agenda even though they are now in opposition—a fact that they are finding very difficult to come to terms with. We had six years to deal with this issue. Even though it passed the House of Representatives on 6 June 2013, prior to the last election, they could not find a way to get it onto the Senate agenda paper so that we could actually deal with it. That was the priority that the government held this piece of legislation in. It is simply evidence again of their denial of the outcome of the last election and refusal to visit the reasons for that—the reasons for the policy vacuum that they are now operating in where we have to just dig up the legislation that did not quite make it the last time.
So here, on a Thursday in the Senate, when we have time to reflect on opposition legislation, they have a chance to put up some bills that they are really keen on and that they want to take forward to address a real concern in the community, and they bring forward legislation that is like the Thursday thought bubble: 'Whoops! We've failed to deliver any significant policy again. Let's just dig out of the bucket beside our drawer.' They rustle around. 'What have we got here? What didn't we get through in six years? Man, the pile is enormous!' The pile of unlegislated issues from the previous government is enormous—so enormous that we, in fact, are having to put forward legislation to ensure that promises made in budgets two years ago are able to be enacted, because you failed to get the bread-and-butter stuff right. You could not even get the bread-and-butter stuff right.
Senator Macdonald mentioned previously that we must ask, if this bill is so important, why it did not get treated as a priority while Labor was in government. It is a pity Senator Macdonald is not quite here, but I am sure he is watching with keen intent, and I just would like to ask: while Labor was prioritising their leadership coups, they managed to prioritise misogynistic rants about blue ties, they managed to prioritise—and I am glad Senator Cameron is here—the failed media laws, they managed to prioritise a whole tranche of legislation that the Australian people were not interested in and that the Australian people did not want to see enacted. The Australian people voted you out because you kept pursuing a legislative agenda that was not in their best interests. You managed to prioritise that, and yet you could not prioritise something which, from all accounts—globally and, indeed, locally—is an issue that we must grapple with: how do we appropriately regulate the issue of big data?
Instead, the Rudd-Gillard government's six years of chaos, waste and mismanagement delivered higher taxes, record boat arrivals and debt and deficit as far as the eye could see. Labor inherited a $20 billion surplus and left behind a projected $30 billion deficit. It turned $50 billion in the bank into a projected net debt of well over $200 billion. It was the fastest deterioration in debt in dollar terms as a share of GDP in modern Australian history.
That is a lot of schools. That is a lot of teachers. Yet here we are. We are moving to scrap more than 10,000 unnecessary and counterproductive pieces of legislation and regulations. More than 50,000 pages of unnecessary and costly legislation that are a dead weight on business, community groups and households will go. The benefit will be significant. Removing these alone will save individuals and organisations more than $700 million a year—every single year.
Senator Cameron interjecting—
That saving, Senator Cameron, can actually be translated into things that I am sure you and the members of the AMWU will be concerned about: actual jobs. When we take the burden off business and when we ensure that the regulatory environment they are operating in gives them more cash in their hand, what they can do is employ the workers of Australia. They can actually get on with doing what they do well, which is producing fabulous product, produce and services, and get on with making our nation's economic base stronger. As I said, we will cut red tape costs by $1 billion a year. We are doing what we said we would do. What a direct contrast to those opposite. We are doing what we said we would do. This week had the first of what will be many days of repealing red tape—and hallelujah to that.
The bill before us today does raise a concern that not all regulation is bad. There are points where a government needs to ensure that appropriate regulation exists, and getting the balance right in this particular space is important to protect the privacy of the individual. Similarly, I was lucky to be on the cybersafety working group, and one of those areas that we looked at was how to get the balance right between ensuring the safety of young people and of young Australian children in the cyber environment. It is something that is responding directly to the concerns of Australian parents and, indeed, young people themselves. That does require very light regulation around how to get the balance right to ensure that we can take down quite quickly offensive material that damages and harms our young people. I have got several local examples in Victoria where the appropriate existing mechanisms were followed. I am thinking about a young girl of 12 where there was material up for a year on the website even though repeated requests had been made for it to be taken down. So there is a real need for appropriate regulation, and this may be an area where that exists. However, the way the Labor Party have proceeded to consult, to get their head around the issue and then formulate a cohesive policy response, again, beggars belief, but I should not be surprised—I feel like a broken record at times. When we talk about the process of consultation that the Labor Party underwent with the bill before us today, as I mentioned earlier, submissions opened on the 18th and closed on the 20th. When you are looking at privacy legislation, that is pretty private. In fact I do not think it gets much more private than that. That is what you do for preselection when you do not want anyone to nominate. That might be a tactic that is used more on the opposition side than on this side.
In relation to data breaches the legislation before us seeks to amend the Privacy Act 1988 to establish a framework for the mandatory notification by government agencies and certain private organisations to notify the Australian Information Commissioner and affected individuals of serious data breaches involving their personal information. Mandatory data breach notification commonly refers to a legal requirement to provide notice to affected persons and to the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information, for instance through a hacker attack; an accidental loss, most commonly of IT equipment or hard copy documents; a negligent or improper disclosure of information; or otherwise. A data breach arises when there has been unauthorised access to this sort of information.
As I said earlier, a bill very similar to this was considered by the Senate Legal and Constitutional Affairs Legislation Committee and was reported on 24 June 2013.
Senator Cameron interjecting—
Senator Bilyk interjecting—
Mr Acting Deputy President Bernardi, I do thank you for your protection. The government will not be pressured into agreeing to a proposal without giving it full and proper consideration. There will be no back-of-the-envelope policy decisions on this side, Senator Cameron. The move by Labor Senator the hon. Lisa Singh to introduce such a bill without appropriate consultation is premature. The opposition could have done this in a proper way, including informing the government earlier of their proposal. If the opposition really wanted to address this issue they should have taken the opportunity to consult widely, because that is what you do: you bring people along with you for your good ideas. You could not bring the Australian people along with you for the mining tax; you could not bring the Australian people along with you for the carbon tax. That was last September—you have got to get over it; it is not working for you. So, start consulting, bring us along with you, and we can start dealing with these sorts of issues in a constructive way to make sure that we get the right policy outcomes, particularly for these types of privacy issues.
The government are not opposed to considering proposals that improve data security practices. Measures that enhance the protection and security of personal information of Australians are critical, particularly in the digital environment, as I have previously outlined. There is more work to be done, including—I know you do not want to hear it; it is against your DNA—consulting broadly on implications of a mandatory notification scheme and consulting broadly with the community and industry. The government are not prepared to agree to a proposal without giving it full and proper consideration. That is nothing less than what the Australian people ask us to do, to ensure that the policy responses we develop in this place actually address the issue and include them in part of the solution. We have always supported broad principles of privacy protection for individuals.
The lack of consultation with the previous bill was raised by various submitters to the inquiry. I would like to quote one from my home state from Liberty Victoria:
… we note with extreme disappointment that public comment opened on 18 June 2013 and closed two days later on 20 June 2013. This is not conducive to open and transparent Government and it is extremely unlikely that many members of the public or any other interested party will have had time to review the Bill let alone prepare submissions to this Committee. Privacy is an important issue and with increasing amounts of personal data being collected by both the private and public sectors, the issue as to how that information is used and protected is of high public interest.
It is Thursday Trash Day for the opposition: 'We'll dig around and pull out the privacy bill. We won't actually go out and consult any further and have a look to see if we need any amendment. We won't actually talk to the government. We'll just pull out what we've got because we've got no other policy to bring forward.' The Australian Privacy Foundation similarly said during the prior inquiry:
The APF draws attention to the seriously negative impact on the democratic process that is inherent in the provision by the Parliament of only 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.
Hello, what a failure! In its submission the Cyberspace Law and Policy Centre of the University of New South Wales Faculty of Law highlighted that it had:
… around 10 working hours in which to collaborate on, draft and finalise a submission …
This is an international issue; it is of high public interest. You think you could have given people a little longer than two days to get their high-quality submissions together so that the Senate, through its Legal and Constitutional Committee, last year, could have drafted an appropriate piece of legislation, let alone put any of the thoughts that had come through that inquiry process into the current bill before us—but not from Labor.
Coalition senators believe the concerns raised by those stakeholders should be scrutinised, understood and acted upon by the relevant government agencies as this new privacy regime is rolled out. These concerns still hold for the bill before us today. Privacy is too important not to be considered fully and properly. The coalition remain committed to a considered and consultative approach to policy development and to an open and transparent approach to government. It is what we said we would do, it is what we promised we would do and it is exactly what we are doing.
I rise to add my voice to the voices of coalition senators in this debate. I commend the words of Senator McKenzie, who outlined the case against this bill very well. She did that, despite being heckled completely unreasonably by those opposite, particularly Senator Cameron. I think that was quite unfair and unreasonable. I think Senator McKenzie was being heckled by the honourable Senator Doug Cameron.
Senator Cameron interjecting—
It does not matter if I do not hear them. It is hard to respond to them—it is hard to know whether you want to respond—if you cannot hear. Please heckle louder next time so that we can be clear on what it is you are heckling me on!
I would like to lend my support to what has been said. Senator McKenzie put it really well, and I want to pick up where she left off and where much of her contribution was aimed—that is, in relation to the fact that this government does not want to make the same mistakes that the previous government made. Those mistakes were often about very poor policy—about dumb ideas and not getting a mandate—but they were also very often about very, very poor process. That very poor process, when coupled with some very dumb ideas, led to some very poor outcomes. I want to touch on some of those poor processes because we do not want to make the same mistakes.
There are many things on which we want to differentiate ourselves from the opposition. One of those is that we do not want to follow the poor processes of the previous Labor-Greens government. Senator McKenzie touched on some of those poor processes, and I will expand on some of them. We are hearing right now about one of the poorest processes ever put in place—the pink batts scheme. There were two days for public servants to go away and design a scheme to spend billions of dollars of taxpayers' money.
We know about the disastrous results of that very poorly conceived and executed policy. Whether it was a good idea in the first place is one thing; we can all agree that the implementation was a disaster. That is what happens when you do not get it right and when you rush things.
The National Broadband Network was designed on the back of a beer coaster on a VIP flight. That has led to taxpayers forking out billions of dollars for very little delivery. That scheme would have led, had the Labor Party been returned to office, to at least $30 billion extra being spent on the National Broadband Network because of the poor design and because of the poor rollout.
We know that, in the time the Labor Party had in office, they had time to do damage because of that process. The NBN is another example of where we do not want to be. We do not want to end up doing things like the former Labor-Greens government did.
The mining tax mark 1 was brought in without proper consultation with industry. It was dumped on industry as a fait accompli. It was not properly consulted on. That led to the chaos that we saw with the removal of a first-term Prime Minister. Then we saw a hastily cobbled together replacement mining tax which ended up getting very little revenue while still doing damage to investment because of the concerns about that type of process and the concerns about that kind of attack on an industry that was so important to Australia.
That is another example of how we do not want to do things. That is the Labor way. The Labor way was to rush things. They would often tell us about how much legislation they had passed—the great success of the previous parliament was just how many pages of legislation they had passed. I put it to senators that the mark of a good government is not how many pages of legislation they pass; it is whether they manage the country effectively. The test is: when they pass legislation does it make things better? Does it make things better for families? Does it make things better for business? Does it make it easier to do business? Does it make us freer as a people? It is not about how many pieces of legislation and regulation you put in place.
So, not content, it seems, with passing ill-conceived and ill-thought-through legislation and policy from government, we now have the Labor Party seeking to impose that model on us from opposition. That is at the heart of our concerns.
I will go to some of the substance of the bill. As has already been stated by government senators, the government has always supported the principles of privacy protection for individuals. In this digital age, protection of personal information is important. We have seen in recent years many serious data breaches which have led to the compromising of personal information. The government understands how serious the issues of financial and identity theft are, but the government will not be pressured into agreeing to a proposal without giving it full and proper consideration. That is where we believe that the introduction of a bill by Senator Singh without appropriate consultation is premature.
If we look back at the criticisms made by coalition senators when a similar bill was introduced last year—criticisms about the lack of due process, time and scrutiny—we believe they still stand. There was a short timeframe for submissions in the original inquiry. The Cyberspace Law and Policy Centre at the University of New South Wales expressed concern about the lack of time to submit. They said that they had had only around 10 working hours to draft and finalise a submission. The Australian Privacy Foundation also expressed concern about having only 1½ days to draft and finalise their submission.
There is also a lack of clarity around the terms 'serious breach' or 'serious harm'. The Australian Privacy Foundation did not support the real risk of serious harm threshold. They argue that the threshold should not be set at too high a risk of harm and risk of harm should not be the only trigger for notification. The APF said:
Aggregation of terms limiting the nature of the harm that triggers notification increases the risk that organizations will argue that one or other aggregated term does not apply to them. For example, a phrase such as "real risk of serious harm" is a very high threshold, because of the combination of 'real' (i.e. 'not remote') risk, 'serious' harm (with no clear notion of seriousness) and 'harm' which may be given a limited definition …
In addition, a second trigger is necessary. Any significant breach should be subject to notification in any case. If that were not the case, then a significant insecurity would not become apparent, and would not be addressed, and it would be very likely that it would later give rise to a serious breach that was eminently avoidable. A single threshold test would result in a scheme which was a failure.
There is also industry concern about the mandatory notification provisions. The proposed bill requires three specific actions. As soon as practicable, after forming a reasonable belief that a serious data breach has occurred, they must prepare a detailed statement concerning the breach, provide a copy of the statement to the commissioner and take reasonable steps to notify the contents of the statement to each significantly affected individual, and publish a copy of the statement on the entity's website and in at least one newspaper circulating generally in each state and territory if the prescribed general publication conditions are satisfied.
The Communications Alliance argued that these specific actions were contrary to good business practice. They said:
… good business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying—and potentially confusing or alarming customers—than containing the breach, rectifying the issue and preventing its reoccurrence.
At the heart of the Communications Alliance's argument is that the bill will not do what is claimed it will do. What it could do in practice is cause more harm than good—not focusing on the outcome, which is about containing the breach; rather, potentially confusing customers. Sometimes these bills and Labor Party policies are about being seen to do something rather than actually dealing with the problem at hand. The Communications Alliance makes a good point.
The Australian Bankers Association raised concerns about the final condition of notification and the uncertain scope of the general publication conditions and notification model. Their submission said:
There is a critical element of the notification model in the Bill that is missing because it is unclear what “general publication conditions” will mean if these conditions are satisfied. Without this definition, the real impact of the Bill cannot be assessed because the meaning of this expression will be covered by a regulation-making power in the Bill. Regulations dealing with this aspect have not been provided with the Bill.
It is also important to note the additional regulatory burden this will place on the industry. Without proper consultation it is difficult to assess just how significant this burden is.
The concerns of key stakeholders should not be set aside, and further time to scrutinise the bill and consult with stakeholders is crucial before the bill is passed. The government is not opposed to considering proposals that improve data security practices. Measures that enhance the protection and security of the personal information of Australians are critical, particularly in this digital environment.
In conclusion, the coalition certainly agrees that we need to find ways to ensure data security, but we do not believe that the Labor-Greens way of doing things—which is to rush legislation through, which is to not properly consult with affected stakeholders and which is to not properly take account of serious industry concerns—is the right way to go. That path leads to poor policy, poor legislation and, ultimately, very poor outcomes for consumers in Australia. Those are the concerns that the coalition and I share.
I am delighted to rise to speak to the Privacy Amendment (Privacy Alerts) Bill 2014 as proposed by Senator Singh and to endorse the comments of my colleague Senator Seselja. It is a shame that Senator Singh is not here in the chamber to see the carriage of the discussion. Whether or not that is an indication of her interest in it I do not know, but, nevertheless, it can be taken along those lines. What was interesting to me—
I certainly would withdraw any suggestion that I was reflecting on another senator in my comment. Senator Moore, I withdraw, through you, Mr Deputy President. It was not my intention; it was simply to point out the importance of this particular bill and to make some comments on the coalition's points. Part of my reason for making that point was to allow Senator Singh an opportunity in having me respond to a comment that she made in introducing the bill. It was the comment she made to my colleagues about the adequacy of time that has been allowed for public consultation. Quite clearly, we see this as further evidence of the failure of the now Labor opposition in this very area. We are again going to see discussion in this place this afternoon about activity that has resulted from inadequate public consultation and opportunity for the wider community to have its say in these areas.
Senator Singh made the point that there had been adequate time for public consultation. I go to last year's submission of the Cyberspace Law and Policy Centre of the Faculty of Law at the University of New South Wales. This very august body highlighted that, despite the apparent adequacy of the time that had been given for consideration by members of the public, it had had just 10 working hours—not 10 days, not 10 weeks, but 10 hours—in which to collaborate, to draft and to finalise its submission. I would see that as a deep insult to any body whose views were genuinely being sought and who might be able to make a useful contribution.
The Australian Privacy Foundation is another body that one might think would make a useful contribution and that the wider community would have a view on and be particularly keen on hearing from. I know that there would be many people wanting to know what the Australian Privacy Foundation's interests are. They said a 'seriously negative impact on the democratic process' was inherent in the provision by the parliament of just 1½ working days—very close to that 10 hours of the Cyberspace Law and Policy Centre—for civil society organisations to discuss, draft and finalise a submission to the committee. I would say to anyone who thinks that 10 hours, or 1½ days, is adequate time for a reputable body to consider, discuss, draft and finalise a submission to the committee, that it is a deep insult. Indeed, regrettably, we on this side continue to regard it as a deep insult.
As we know, the proposed model would create a requirement to notify the Office of the Australian Information Commissioner and affected individuals where there has been a data breach that gives rise to a real risk of serious harm. I would go to your background, Mr Deputy President, in the law enforcement area in Australia. How would you regard the words 'real risk of serious harm'? What is real to you might not be real to me. What is serious to Senator Scullion might not be serious to me. If a crocodile were chasing me, I would be very worried. Senator Scullion, on the other hand, would possibly see it as an opportunity that he would relish. I do not use this term flippantly. I would make the point that it would mean entities would not be required to report less serious privacy breaches to affected individuals or to the commissioner.
Senator Seselja spoke eloquently when he referred to the Australian Federal Police in this same area. He made the point that an unintended consequence might be that it makes the issue more serious, rather than less serious, simply because of the point of definition: what constitutes a serious breach of privacy? The requirement to notify would apply to data breaches involving personal information, credit-reporting information, credit eligibility information and tax file information. All of us in the community would share that concern. We do not want to see our private information—tax file, credit eligibility, banking details and personal information—being made public. All of us in this chamber would support that. The wider community would definitely support that proposition.
The important point to make is that the coalition will not allow the Senate to descend into the failure of the Labor opposition, and that is to rush through the decision-making and consultation process. We will not be pressured into agreeing to a proposal without giving it full and proper consideration. I have considered the points that Senator Seselja has made and the comments by Senator Boyce and my colleague Senator McKenzie in the same context. Senator Singh has introduced this bill without proper consultation, and I say that that is premature. The opposition could have done this in a more timely fashion. They could have informed the government of their proposal earlier. There is no good reason why they did not. I heard Senator Singh adversely commenting on the Attorney-General and his apparent lack of speed in introducing legislation in this area. She could have approached him some time earlier. If the opposition had wanted to address this issue seriously and in a timely fashion, they could have taken the opportunity to consult more widely and more quickly.
We are not opposed to considering the proposals to improve data security practices. They are of universal concern. We see around the world now the ease and speed with which cyberhackers and others can interfere with private data and information. And there are no geographic or national borders when it comes to this situation. But we know that there is more work to be done. We know that we must collaborate with officials in other countries—in Europe, the United States, Canada, New Zealand, the Eastern bloc and Asian countries. But the government is not prepared to agree to a proposal without giving it full and proper consideration. I thank you for the opportunity to comment.