Tuesday, 11 October 2016
National Cancer Screening Register Bill 2016, National Cancer Screening Register (Consequential and Transitional Provisions) Bill 2016; Consideration in Detail
by leave—I move opposition amendments (1) to (9) together:
(1) Clause 4, page 6 (line 12), after "personal information", insert ", key information".
(2) Clause 11, page 9 (lines 24 and 25), omit paragraph (e), substitute:
(e) claims information, to the extent that the information relates to whether or not the individual has undergone or should undergo screening;
(3) Clause 12, page 11 (lines 5 and 6), omit paragraph (1) (n).
(4) Clause 12, page 11 (line 7), omit paragraph (1) (o), substitute:
(o) any other purpose that is directly related to a purpose mentioned in one of the above paragraphs.
(5) Clause 17, page 18 (after line 21), after paragraph (3) (g), insert:
(ga) the person does so:
(i) for the purposes of conducting medical research, and in accordance with the Australian Privacy Principles or any guidelines issued by the CEO of the National Health and Medical Research Council under subsection 95(1) of the Privacy Act 1988; or
(ii) in a permitted health situation, as defined in subsection 16B(2), (3) or (4) of the Privacy Act 1988; or
(6) Clause 18, page 19 (line 8), omit "120 penalty units", substitute "600 penalty units".
(7) Page 20 (after line 16), at the end of Part 3, add:
22A Data breaches
(1) This section applies to an entity if:
(a) the entity is:
(i) the Commonwealth, the Minister or the Commonwealth Chief Medical Officer, performing functions under this Act; or
(ii) engaged by the Minister, on behalf of the Commonwealth, to perform services for or on behalf of the Commonwealth in connection with functions of the Commonwealth, the Minister or the Commonwealth Chief Medical Officer under this Act; or
(iii) any other person performing work relating to the purposes of the register; and
(b) the entity becomes aware that:
(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, recording, disclosure or other use of information about an individual; or
(ii) an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the register; or
(iii) circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the register; and
(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.
Note: This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.
Notifying the Information Commissioner
(2) The entity must, as soon as practicable after becoming aware of the contravention, event or circumstances, notify the Information Commissioner of the contravention, event or circumstances.
Civil penalty: 600 penalty units.
(3) If an entity has given notice under subsection (2) on becoming aware that a contravention, event or circumstances may have occurred or arisen then, despite subsection (2), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.
Steps to be taken if contravention, event or circumstances may have occurred or arisen
(4) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:
(a) so far as is reasonably practicable contain the potential contravention, event or circumstances;
(b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;
(c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one individual—notify all individuals who would be affected.
Civil penalty: 600 penalty units.
Steps to be taken if contravention or event has occurred or the circumstances have arisen
(5) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:
(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;
(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;
(c) notify all affected individuals;
(d) if a significant number of individuals are affected—notify the general public;
(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraphs (1) (b).
Civil penalty: 600 penalty units.
(6) If an entity has given notice under paragraph (4) (c), then despite paragraph (5) (c), the entity need not give notice under paragraph (5) (c).
(8) Page 20, after Part 3, insert:
Part 3A—Interaction with the Privacy Act 1988
22B Contravention of this Act is an interference with privacy
(1) An act or practice that contravenes this Act in connection with personal information or key information about an individual included on the register is taken to be:
(a) for the purposes of the Privacy Act 1988, an interference with the privacy of the individual; and
(b) covered by section 13 of that Act.
(2) The respondent to a complaint under the Privacy Act 1988 about an act or practice, other than an act or practice of an agency or organisation, is the individual who engaged in the act or practice.
(3) In addition to the Information Commissioner's functions under the Privacy Act 1988, the Information Commissioner has the following functions in relation to the register:
(a) to investigate an act or practice that may be an interference with the privacy of an individual under subsection (1) and, if the Information Commissioner considers it appropriate to do so, to attempt by conciliation to effect a settlement of the matters that gave rise to the investigation;
(b) to do anything incidental or conducive to the performance of those functions.
(4) The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (3).
Note: An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.
22C Information Commissioner may disclose details of investigations to the Minister
The Information Commissioner is authorised to disclose to the Minister any information or documents that relate to an investigation the Information Commissioner conducts because of the operation of section 22B, if the Information Commissioner is satisfied that to do so will enable the Minister to monitor or improve the operation or security of the register.
(9) Clause 26, page 22, after subclause (1), insert:
(2) Ownership of information included in the register or otherwise obtained under, or in accordance with, this Act is retained by the Commonwealth despite any agreement under subsection (1).
I understand that the government has its own amendments which largely support Labor's amendments. I look forward to the government actually supporting these amendments, but I suspect not. Again, these are all improvements to the bill that have occurred through Labor's intervention to make sure the Senate had proper scrutiny of these bills.
When we raised concerns about data breaches, they said I was engaging in some hysterical tirade. Apart from the nature of the gendered language that imbues, I have to say that the government now has, embarrassingly, a bit of egg on its face. It now has to come into this place—or it will do shortly—and move substantial amendments to this bill, which go to the heart of data protection. In the amendments we are moving today we believe very firmly that, when there are breaches of data, the individuals who are affected by those breaches of data need to be informed about them. You could get no more sensitive data than is in this bill: your Pap smear results; your bowel screening cancer results; your Medicare item number usage when it comes to cancer testing, cancer screening and cancer treatment. Or perhaps you are a transgender individual; or you may have had some other issues in relation to sexually transmitted diseases. You could not get more sensitive data. We accept that the government wants the Privacy Commissioner to decide whether to disclose that data that has been breached to the individual. We believe that you should, but it should occur automatically.
We do not believe that the penalties in this bill or in the government's amendments go far enough. We have recently seen a massive breach of healthcare data where the Department of Health put Medicare item number data up on myGov. The way this government handled it was frankly appalling. Some 16 days after they were notified of the breach, on the floor of the Royal College of General Practitioners conference, the minister goes to all of the GP providers—some of whom potentially had had their provider numbers breached by the downloading of this data—and says: 'I'm really sorry about it and 16 days later we're going to inform you. We haven't informed the individual providers, the individual GPs who may have had that data breached. We'll do an investigation. We're going to try and close a loophole in the law.' It was not good enough. The doctors themselves have to inform their patients if there has been a breach of their privacy, but the government itself took 16 or 17 days to basically inform GPs that their data may have been breached. We think there needs to be mandatory data breach reporting. We have actually tried to get the government to do that in the previous parliament. We really think they need to move on it.
When it comes to the penalties, particularly given that the government signed a contract with a for-profit provider four days before the election, they are miniscule in this bill—$21,000 for a breach of data for a for-profit organisation like Telstra is simply not good enough. So the amendments that we are moving say very clearly that there needs to be higher penalty units within the bill itself and they should not be deferred by seeking reparation through the Privacy Act.
We actually think they need to be within this bill itself.
We understand that the government has come some way to accepting some of Labor's amendments. But it has had, literally, the government's own body—its own body—having to inform it that it has some problems with this bill. We have through the Senate process managed to get the government to come part way, but again we are moving these amendments here this afternoon because we do not think the government amendments go far enough.
As I said, penalty units of $21,600 when you come to a for-profit provider are simply not enough to discourage the potential misuse of this data—this highly sensitive data. I think, again, that when it comes to breaches of data the government has not protected individuals enough—not within its own legislation. It is all very well and good to inform the Privacy Commissioner that you have breached. We have seen that the government has form on this, with the recent health data breach, and we simply think that individuals have a right to know if this data has got into the public domain. If it has got into the public domain it should not be that the first time individuals know about it is when they read about it on the front page of a newspaper. I commend the amendments to the House.