Thursday, 6 June 2013
Privacy Amendment (Privacy Alerts) Bill 2013; Second Reading
The Privacy Amendment (Privacy Alerts) Bill 2013 provides for mandatory notification of data breaches by entities regulated by the Privacy Act 1998 as amended last year. The measure outlined in this bill was recommended by the Australian Law Reform Commission in 2008. The bill will introduce new protections to help keep personal information more secure in this digital age and ensure that companies notify their customers if they suffer a data breach. Whilst the coalition supports the passage of this bill through the House, we reserve the right to move amendments following any recommendations made by the Senate Legal and Constitutional Affairs Committee, which will inquire into the bill in a thorough manner.
This bill seeks to improve consumer privacy protection and will keep personal information more secure in this digital age, as well as encourage agencies and private sector organisations to improve their data security. As more and more personal information is collected online by both government agencies and private companies, there is inevitably an increased risk of data breaches.
There have been a number of high-profile data breaches in recent years, including in April 2011 when 77 million PlayStation Network accounts were hacked. This apparently cost Sony millions of dollars in profit while their site was down for an entire month. This is viewed as the worst gaming community data breach of all time. The hacker has still not been found, yet the person gained access to over 12 million unencrypted credit card numbers as well as full names, postal addresses, passwords and email addresses.
In February of this year, the Australian Broadcasting Corporation's main website was hacked, resulting in almost 50,000 people's personal details being exposed online. As these types of data breaches become more prevalent, it is important that consumers know when their privacy has been breached and their personal details compromised because of a data security breach. The bill will seek to make it a requirement for organisations to notify any affected individuals if they have a data breach.
The Privacy Act was extensively amended last year to harmonise the privacy principles regime for the public and private sector, provide for positive credit reporting, establish a regime for voluntary and mandatory privacy codes and increase the range of remedies for privacy breaches. The measures contained in this bill are intended to commence on 12 March 2014, immediately after the measures in the 2012 amendments.
The bill proposes that a mandatory data breach notification be sent to the affected person and the Privacy Commissioner if certain personal information is accessed, copied, obtained or modified by unauthorised persons. The personal information to which the regime is intended to apply is information of a type the unauthorised use or disclosure of which could give rise to a real risk of serious harm. This can include physical, psychological, financial or reputational harm. The regime does not apply to small businesses and intelligence agencies. A law enforcement agency that reasonably believes compliance would be likely to prejudice its law enforcement activities is able to seek exemption on a case-by-case basis.
There have been some possible issues identified with this bill and I wish to emphasise that the government would be wise to wait for the Senate Legal and Constitutional Affairs Committee to complete their inquiry and hand down their report on 24 June. There is widespread concern that the code process mandated under the 2012 amendments is facing a logjam in the Office of the Privacy Commissioner and with other regulators. The coalition has been informed that there is little confidence the transitional arrangements and consumer education campaign will be in place by September as required. This will have an adverse effect on the legislated commencement date for the scheme proper. As I foreshadowed, the coalition reserves the right to propose amendments following any issues that are identified by the Senate committee inquiry.
As more and more Australians provide their personal information to online organisations, it is essential that these organisations have a certain level of responsibility when it comes to storing this information securely and reporting any data breaches to those customers that are affected. This bill will provide an incentive for businesses to keep their customers' personal information safe and secure. Whilst the coalition supports the broad principles in this bill, there are still some concerns that require thorough investigation. That is why the coalition will wait for the Senate committee's report into this bill, and we reserve the right to propose appropriate amendments. I recommend that the government do wait for that Senate committee report to be handed down, and that should still give the government time to have the legislation passed before this parliament concludes.