Michelle Rowland (Greenway, Australian Labor Party) Share this | Hansard source

I am pleased to speak in support of the Privacy Amendment (Privacy Alerts) Bill. I do so as a former practitioner in this area, acting not only for corporations, dealing with their privacy practices and compliance measures, but also for individuals, advising often on a pro bono basis on potential privacy breaches. I can fully appreciate from the corporate perspective what sort of an impact privacy breaches have on organisations that are subject to the Privacy Act but I also understand how important it is for individuals who are affected by such practices.

It is useful to go back to first principles when we are discussing privacy. Once upon a time—the member for Banks will know this as well—when we talked about privacy it used to be about the right to be left alone. Many cases in Australia involving privacy had to do with trespass, and in some cases contract. We need to recognise today, in the digital age, that it is virtually an untenable concept with how far we have progressed in terms of information sharing and the ability of individuals and organisations to collect, use, store and disclose personal information.

It is important to recognise when we talk about privacy that Australia has had some of the world's pre-eminent privacy thinkers—people like Justice Kirby and many others have contributed to the formation of what have become standardised privacy benchmarks in the EU and elsewhere. I do believe privacy is the here and now frontier when we are talking about the digital age. The amount of personal information being stored and traded and the acquiescence of many people, freely giving away personal information but at the same time expecting a certain level of protection, pose great challenges for the law. This bill is an important development arising from the landmark ALRC review, and it is important that it be implemented.

It is useful to remember that 'risk management' and 'sound privacy practices' are no longer terms that are tacked on the end of a due diligence—they have become a fundamental part of corporate life and a fundamental part of due diligence. Even before the Privacy Act 1988 was extended to cover private sector entities rather than just government entities, we still had a system of disparate privacy laws in Australia that exists today. There is telco-specific privacy legislation contained both in the Telecommunications Act and in the various interception and access regimes. We have specific rules relating to tax file numbers, and of course we have specific rules relating to government and to the private sector in general. It is important to recognise that Australia has some of the most rigorous privacy regimes when it comes to personal information.

Turning now to the bill, this is an introduction of a mandatory data-breach notification scheme so that government agencies and private sector entities that are covered by the Privacy Act will be required to notify the Office of the Australian Information Commissioner and affected individuals of serious data breaches. These will be breaches that give rise to—and it is an important term—a real risk of serious harm to an affected individual, with 'a real risk' being defined as a risk that is not remote. It will also give the opportunity to affected individuals to take action—to put in some remedial steps to prevent things like identity theft and fraud. In a practical sense, this could include changing passwords, cancelling credit cards or the like.

As I mentioned, the development of this bill has been the subject of wide-ranging consultation. Consultation arose from the ALRC's landmark 2008 report. Also, the bill's development was subject to consultation in a discussion paper in October 2012 with a number of key stakeholders.

This bill is important because, in practice, it will provide a lot of incentive to encourage government agencies and private sector organisations to lift their standards and improve transparency about how they handle people's personal information. This will be a very important step in giving people not only more confidence in how their information is handled but also opportunities to remedy any breaches as they occur.

Those breaches can occur in a number of ways. There can be hacking or poor security and carelessness. I note the Attorney-General's media release of 28 May where he stated—and I think this is a very important point:

To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches.

And the commissioner does have the option of seeking civil penalties if there is serious or repeated non-compliance with the notification requirements.

Unfortunately, it is rare for a week to go past where there is not an expose on the television or in the newspapers about a large organisation that has had an inadvertent breach. One was reported recently on 16 May where someone doing a Google search actually found a lot of private Telstra customer data, and this was a person who was looking for what you can find quite freely: telco carrier access codes. So, for a very legitimate purpose, this person was doing a search and all of a sudden discovered a wide range of data, including customer names, telephone numbers and, in some cases, home and business addresses. And that was a case of Telstra, but it could just as easily, as I think everyone here knows, be any big organisation, such as a bank or an insurer—any large entity that holds a lot of information.

I note that the Australian Privacy Commissioner, Timothy Pilgrim, has welcomed the release of these mandatory breach notification laws. He has been a strong supporter of them, ever since they were first proposed as a recommendation in the ALRC report. In a media release dated 28 May, Mr Pilgrim noted:

The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has continued to grow over the past three years …

Interestingly, though, as the media release says:

Despite this upward trend, the Office of the Australian Information Commissioner … only received 46 data breach notifications in the 2011–12 financial year …

That was actually a decrease of 18 per cent from the previous year. So I can understand his comments that:

I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring. Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised …

I would also note that since 2008 we have had an OAIC guide on voluntary data breach notification processes, on how to assess privacy breaches and respond. I am referring to the current version, of April 2012, Data breach notification—A guide to handling personal information security breaches. Again, I think there are a couple of first principles in it that are useful to go to, including the definition of a data breach, because 'data' is not actually referred to in the Privacy Act; it is really more a common term. 'Data breach', it says in this guide, means:

… for the purpose of this guide, when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.

As mentioned, there is a note to this definition:

The Privacy Act regulates the handling of personal information, and does not generally refer to ‘data'. As such, in the interest of consistency with the Act, the previous edition of this guide used the term ‘personal information security breach',

However, the term ‘data breach' has since entered into common usage in Australia and in various other jurisdictions. Accordingly, in the interests of clarity and simplicity, this guide uses the term ‘data breach' rather than ‘personal information security breach'.

Coming off that, it is also useful to remember what personal information is. This is set out in section 6 of the Privacy Act. It probably has three key components. It needs to be:

… information or an opinion—

so it can be something that can be tested in fact or a comment about that—

whether true or not and whether recorded in material form or not, about an individual—

this is an important point—

whose identity is apparent, or can reasonably be ascertained, from that information or opinion.

I think the term 'personal information' has come to be misunderstood in common usage, but certainly the term 'data breach' has entered popular language.

It is useful also to look at the four key steps that are set out in the guide that are probably also quite accurate in the commercial world for what is done when an organisation suspects or is intending to respond to a breach. Step one is to contain the breach and do preliminary assessments. If you are doing something wrong you stop or if there is something that needs to be done you do it straight away. The second step is to evaluate the risks associated with the breach. Risk assessment, again, is a very commercial action that needs to be taken but also a very reputational intensive issue. The third step is notification—whether you notify the individual or notify the Privacy Commissioner. In the various seminars that I have been to and on occasions where I have had the opportunity to interact with the Privacy Commissioner one point became very clear—and I am sure the Attorney-General would not disagree with me—and that is if you realise there is a problem the best thing to do is to own up to it. I think any organisation that does that probably has a greater ability to re-establish trust with its customers and clients compared to somebody who chooses to cover it up. The fourth step, which is very important, is to prevent future breaches. So you put in place any necessary steps to ensure that the breach does not happen again. Again, in my experience, if this can be demonstrated to the Privacy Commissioner if an investigation is going on by being able to say, 'We are actually doing something about it,' that is far better than covering it up or trying to claim that nothing is wrong.

In the remaining time I have I would like to refer to someone who I have had the pleasure of working with and who is very eminent in the private sector area of privacy law—Peter Leonard of Gilbert + Tobin. He, along with Michael Burnett, a lawyer in his group, has written an excellent brief which I would be very happy to provide to the Attorney-General about the new mandatory data breach notification scheme for Australia. That points out some practical compliance issues. I think that these are very valid compliance issues that any firm would want to have a look at.

It says:

Regulated entities are likely to face a number of challenging practical issues in their efforts to comply with the new scheme; not least of which will be determining whether there are reasonable grounds to believe that there has been a serious data breach in respect of personal information it holds.

I also note that when we are looking at the definition of 'serious harm' a lot of this does require guidance because a lot of this needs to be very practical in nature. The brief says:

Helpfully, the OAIC Guide provides some insight into the Commissioner's views as to what might fall within the scope of serious harm. The Guide suggest that serious harm may include identity theft, financial fraud, the disclosure of credit card details, and the stigma and discrimination that may result from the misuse of health information.

I believe it is very important—I raised this myself in writings when the ALRC report came out and a lot of its recommendations referred to the need for the Privacy Commissioner to issue guidelines—for the Office of the Privacy Commission to have all the resources it needs to implement these laws if this is going to be practical, incentive regulation and if it is going to encourage good best practice in the commercial world. I know there has been a very strong focus on that by this government.

I am very pleased that this government has been able to do that, and has demonstrated an ongoing commitment to do that. I think that the ability of the OAIC to issue and keep updating its data-breach notification guidelines, and still have very useful guidance—as has been noted by the authors I have referred to—is a very good thing. I am sure that will continue under the Attorney-General.

See this speech in context