House debates

Thursday, 23 August 2012

Bills

Privacy Amendment (Enhancing Privacy Protection) Bill 2012; Second Reading

12:51 pm

Michelle Rowland (Greenway, Australian Labor Party)

As a former practitioner in this area I have believed for quite some time that the issue of privacy and privacy law is the big frontier for not only Australia but the world. When amendments made to the Privacy Act 1988 came in more than 10 years ago to extend privacy protections to the private sector, I believe there was a tendency to regard privacy as an issue you would tack on to the end of a commercial deal. You would consider it at the last minute. It was on a checklist of things you knew you were going to be able to tick so you did not pay very much attention to it. It is largely thanks to the amendments in 2000-01, when the Privacy Act was extended to cover organisations as eligible entities, that we have had a very strong commercial focus on privacy and its importance to people.

Even prior to that, I remember in the late 1990s, when the term 'e-commerce' was only starting to emerge, there were a number of government institutions and advisory committees set up to advise on how Australia would be able to harness this relatively new thing called the internet; and, consistently, people's ability to trust the way their personal information would be collected, used and disclosed was rated as most important. It was considered to be the single most important factor in enabling participation in the online economy to flourish, and I do not think that has changed. The comments from other speakers this morning are consistent with that as well.

In terms of the collection, use and disclosure of information, there is a broader challenge today, and that is where someone has, so to speak, acquiesced to disclosing information—that is, the participation of individuals in the social media space and our willingness to give over personal information. If we counted the number of times a day that we give our personal information to complete strangers, both individuals and organisations, I think we would be alarmed—or, maybe, in some cases, not even surprised by the number of times we do that. And I think we would be horrified if we found out the exact ways in which organisations were going to use our personal information, if we had actual knowledge of how that information would be treated. Most of us probably would not know what those uses would be.

When I was first engaging in privacy law—again, this was in the late 1990s—the first principle by which privacy would be explained was not only in terms of the UN convention upon which our Privacy Act is based but also in terms of the principle, harking back centuries, of privacy being the right to be left alone. I do not think there would be too many people in the information age who believe they have a right to be left alone or who would even concede that they wanted to be left alone—that is, locked out of the digital age. It is also important to remember that, back then, we would only deal with the issue of privacy as law if it came within the Privacy Act following 1988. In addition, privacy was largely dealt with in terms of civil claims. There is a celebrated case that all law students learn in torts where lights being shone on someone's backyard was a so-called interference with privacy. But a lot of these were simply cases of trespass.

I think a lot of people in Australia, when they think about the right to privacy, are largely informed by what they hear and see from overseas, such as the case in the UK of Naomi Campbell being photographed here or superstars having their weddings photographed by someone when they had signed up to an exclusive arrangement with another organisation for the photos. A lot of people in Australia think about privacy in those terms. However, I think you would find most people consider privacy in terms of what is going to happen to their personal information when they disclose it, and what means of redress they have if they believe those rights have been infringed.

And so we come to the legislation before us today, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. It is worth reminding ourselves that there are whole other regimes of privacy law that cover a number of different areas. For example, even before the amendments to the Privacy Act that included private sector organisations, the telecommunications industry had its own, telco-specific privacy regulations and has for as long as I can remember. They include things like part 13 of the Telecommunications Act, dealing with how data could be used; the integrated public number database, the IPND, which contains the numbers of everyone in Australia with a telco device; and the Telecommunications (Interception and Access) Act. There are specific schedules in the Criminal Code Act which deal with privacy in telecommunications. We have surveillance legislation covering things like listening devices, not only federally but across state and territory jurisdictions. Further, there are specific privacy laws relating to things like tax file numbers, and, under the Corporations Act, how you can use shareholder details. So privacy protections are not novel, which is something I am very proud of. We have very specific privacy rules around information that are always considered to be important.

I think that what a lot of people are particularly concerned about today, when I talk about privacy being the next big frontier, is the way in which sensitive information is dealt with. The National Privacy Principles, as they previously stood, did recognise that sensitive information, which includes health information, warranted its own set of standards. That is something I have always believed, because, when you think about it, sensitive information includes not only health information but also things like sexual orientation. Those are factors that can be distorted or used to exclude people from certain things, and that people have a right to consider even more important than their name and address.

I thought about this recently when my baby was born: within a week, her personal information had been disclosed to any number of entities. She had her blue book and a tag around her leg which gave her a specific number, and we also chose to have a sample of her cord blood stored.

This baby was barely a couple of weeks old and already she had so much personal information, and sensitive information at that, being stored.

It also goes to the very important issue of data profiling, something which has not been looked at closely in Australia compared to in the US. I would hope we could minimise and avoid in Australia the opportunity to undertake often insidious activities such as data profiling based on personal information.

Some of the issues I raised in the inquiry into this bill by the Standing Committee on Social Policy and Legal Affairs arise from my experiences as a practitioner in this area. One of the areas on which I often had cause to reflect was the practical implications of potential or actual breaches of data disclosure. Mr Pilgrim, the Australian Privacy Commissioner from the Office of the Australian Information Commissioner, confirmed a lot of what I believed operated in a very practical sense—that is, often, if there is a data breach by an organisation, the key steps of demonstrating that that breach was inadvertent lead to the Privacy Commissioner not pursuing the matter. Some people might think, 'That defeats the whole purpose of having a law; it should have very strong enforcement powers for any breaches, particularly breaches by large organisations.' We have seen a number of those large organisations in the media in the past, from the financial services sector even to telecommunications. But it is very important for the Privacy Act to continue to operate to provide a very strong incentive in the two respects I mentioned earlier. If a consumer has confidence that an organisation is going to treat their personal information with appropriate collection, use and disclosure practices, I believe that provides a very strong incentive for consumers to want to continue doing business with that organisation. Also, we need to bear in mind that there are often cases in which data breaches are inadvertent which need to have a proportionate response from the Privacy Commissioner in those respects. It is also very important to recognise that the Australian Privacy Commissioner continues to take a very active role in educating organisations as to their obligations.

I would like to end by talking about some of the credit reporting provisions mentioned previously. As someone who quite often had to advise on this area, as they currently stand today I believe the provisions in the Privacy Act regarding credit reporting are some of the most complicated and onerous provisions you could deal with. The Privacy Commissioner and others involved in legislative drafting would agree that it is not the clearest law possible. I welcome the amendments in relation to credit reporting, again recognising that someone's credit record can follow them around for the rest of their lives. We have all heard of cases where someone with a poor credit record from having forgotten to pay a mobile phone bill when they were 18 years old has followed them through life and maybe even prohibited them from getting a home loan. It is essential that these reforms go through.

I would also like to say something about the transborder flow of information. Again this is something people do not have visibility of in everyday transactions because companies engage with offshore providers in providing back-end office services and there is no privity of contract as between the consumer and the outsourced entity.

As a practitioner—and I was taught very well by Peter Jones, a partner at Gilbert + Tobin—whenever we were advising clients on determining whether or not a transaction involving the offshoring of personal information was to occur, we had to ask ourselves what this was going to do to our reputation. Peter's starting point in any advice to clients was always, 'We will do everything we can in other areas to improve services, but if you believe that we will not be able to obtain the best and most robust security and guarantee as to how this information would be used, you might want to rethink entering into this transaction.'

I was even involved in cases where the exchange of data would occur between companies. When acting for multinational corporations, this was par for the course. Often people on the other side and the lawyers acting in other countries could not understand how robust the Australian privacy regime was. That bodes well for our Privacy Act. This bill will only add to that, and I commend the bill to the House.
