Sussan Ley (Farrer, Liberal Party, Minister for Sport) Share this | Hansard source

I present a supplementary explanatory memorandum to the bill and I ask leave of the House to move government amendments (1) to (12) on sheet HE125, as circulated, together.

Leave granted.

by leave—I move government amendments (1) to (12):

(1) Clause 4, page 3 (after line 20), after the definition of commercial-in-confidence, insert:

contracted service provider has the meaning given by subsection 22A(10).

[data breaches]

(2) Clause 4, page 6 (lines 1 and 2), omit the definition of prescribed body.

[prescribed body]

(3) Clause 11, page 9 (line 25), at the end of paragraph (e), add "associated with a designated cancer".

[claims information]

(4) Clause 12, page 11 (line 6), omit "cancer;", substitute "cancer.".

[purposes of the register]

(5) Clause 12, page 11 (line 7), omit paragraph (1) (o).

[purposes of the register]

(6) Clause 17, page 17 (line 15), omit subparagraph (3) (a) (iv).

[prescribed body]

(7) Clause 17, page 18 (after line 36), at the end of the clause, add:

(5) Collection, recording, disclosure or use of personal information for the purposes of research of a kind to which guidelines approved under section 95 or 95A of the Privacy Act 1988 relate is authorised under paragraph (3) (a) or (f) only if the collection, recording, use or disclosure is in accordance with the guidelines.

[research guidelines]

(8) Page 20 (after line 16), at the end of Part 3, add:

22A Data breaches

Notification of contraventions and possible contraventions

(1) If the Secretary becomes aware (otherwise than because of a notice under subsection (2)) that a person has, or may have, contravened section 18 in a manner involving an unauthorised recording, use or disclosure of personal information included in the register, the Secretary must, as soon as practicable, notify the Information Commissioner.

Note: This subsection applies when the Secretary becomes aware of the contravention or possible contravention, regardless of when it occurred or whether it is ongoing.

(2) If a contracted service provider or a former contracted service provider becomes aware that a person has, or may have, contravened section 18 in a manner involving an unauthorised recording, use or disclosure of personal information included in the register, the contracted service provider or former contracted service provider must, as soon as practicable, notify:

(a) the Secretary; and

(b) the Information Commissioner.

Note: This subsection applies when the contracted service provider or former contracted service provider becomes aware of the contravention or possible contravention, regardless of when it occurred or whether it is ongoing.

Civil penalty: 100 penalty units.

(3) A notice given under subsection (1) or (2) must set out the following:

(a) a description of the contravention that has occurred or may have occurred;

(b) the kind or kinds of information concerned;

(c) if the notice is given under subsection (2)—the identity and contact details of the contracted service provider or former contracted service provider.

Handling possible contraventions

(4) If the Secretary, or a contracted service provider or former contracted service provider, becomes aware that a person may have contravened section 18 in a manner involving an unauthorised recording, use or disclosure of personal information included in the register, the Secretary, or the contracted service provider or former contracted service provider, must do the following:

(a) so far as is reasonably practicable, contain the possible contravention;

(b) evaluate any risks that, if the contravention has occurred, may be related to or arise out of the contravention;

(c) if there is a reasonable likelihood that the contravention has occurred and the effects of the contravention might be serious for at least one individual whose details are included in the register:

  (i) in the case of the Secretary—consult the Information Commissioner about notifying individuals who may be affected; or

  (ii) in the case of a contracted service provider or former contracted service provider—ask the Secretary to consult the Information Commissioner about notifying individuals who may be affected.

Note: This subsection applies when the Secretary, contracted service provider or former contracted service provider becomes aware of the possible contravention, regardless of when it occurred or whether it is ongoing.

Handling contraventions

(5) If the Secretary, or a contracted service provider or former contracted service provider, becomes aware that a person has contravened section 18 in a manner involving an unauthorised recording, use or disclosure of personal information included in the register, the Secretary, or the contracted service provider or former contracted service provider, must do the following:

(a) so far as is reasonably practicable, contain the contravention and undertake a preliminary assessment of the causes;

(b) evaluate any risks that may be related to or arise out of the contravention;

(c) in the case of the Secretary—consult the Information Commissioner about notifying individuals who may be affected;

(d) in the case of a contracted service provider or former contracted service provider—ask the Secretary to consult the Information Commissioner about notifying individuals who may be affected;

(e) take steps to prevent or mitigate the effects of further contraventions.

Note: This subsection applies when the Secretary, contracted service provider or former contracted service provider becomes aware of the contravention, regardless of when it occurred or whether it is ongoing.

Secretary ' s duty

(6) The Secretary must comply with a request under subparagraph (4) (c) (ii) or paragraph (5) (d).

No need to report or consult if already done

(7) A person is not required to comply with subsection (1) or (2) in relation to a contravention that has occurred if the person has already given notice under that subsection that the contravention may have occurred.

(8) A person is not required to comply with paragraph (5) (c) or (d) in relation to a contravention if the person has already consulted, or asked the Secretary to consult, the Information Commissioner under paragraph (4) (c) in relation to the contravention.

(9) A contracted service provider or former contracted service provider is not required to comply with subsection (2), subparagraph (4) (c) (ii) or paragraph (5) (d) in relation to a contravention that has, or may have, occurred if another person has already:

(a) given notice in relation to the contravention under subsection (1) or (2); or

(b) consulted, or asked the Secretary to consult, the Information Commissioner in relation to the contravention under paragraph (4) (c) or (5) (c) or (d).

Contracted service providers

(10) In this Act:

contracted service provider means a person who:

(a) is engaged under an agreement referred to in section 26; and

(b) obtains protected information in the course of performing services under the agreement.

[data breaches]

(9) Page 20, at the end of Part 3 (after proposed clause 22A), add:

22B Contravention is an interference with privacy

(1) An act or practice that contravenes section 18 or subsection 22A(1), (2), (4), (5) or (6) is taken to be:

(a) for the purposes of the Privacy Act 1988, an interference with the privacy of an individual; and

(b) covered by section 13 of that Act.

(2) The respondent to a complaint under the Privacy Act 1988 about an act or practice, other than an act or practice of an agency or organisation, is the person who engaged in the act or practice.

(3) In addition to the Information Commissioner's functions under the Privacy Act 1988, the Information Commissioner has the following functions in relation to the register:

(a) to investigate an act or practice that may be an interference with the privacy of an individual under subsection (1) and, if the Information Commissioner considers it appropriate to do so, to attempt by conciliation to effect a settlement of the matters that gave rise to the investigation;

(b) to do anything incidental or conducive to the performance of those functions.

(4) The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (3).

Note: An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

[interference with privacy]

(10) Page 20, at the end of Part 3 (after proposed clause 22B), add:

22C Information Commissioner may disclose details of investigations to the Secretary

The Information Commissioner is authorised to disclose to the Secretary any information or documents that relate to an investigation the Information Commissioner conducts because of the operation of section 22B, if the Information Commissioner is satisfied that to do so will enable the Commonwealth to monitor or improve the operation or security of the register.

[interference with privacy]

(11) Clause 27, page 23 (lines 1 to 3), omit subclause (2), substitute:

(2) The Secretary may, in writing, delegate his or her functions or powers under:

(a) paragraph 17(3) (g) (about disclosing information); or

(b) section 22A (about data breaches);

to an SES employee, or an acting SES employee, in the Department.

[data breaches]

(12) Clause 28, page 23 (after line 13), after subclause (1), insert:

(1A) Before making rules for the purposes of:

(a) paragraph (l) of the definition of key information in section 4; or

(b) paragraph 11(g);

the Minister must consult the Information Commissioner in relation to matters that relate to the privacy functions (within the meaning of the Australian Information Commissioner Act 2010) and have regard to any submissions made by the Information Commissioner because of that consultation.

[consultation with Information Commissioner]

As members know, the need for these bills arose from the 2015-16 federal budget announcement to establish a National Cancer Screening Register aimed at saving more lives through increased detection, treatment and prevention of some of the country's biggest killers. The National Cancer Screening Register Bill provides for the establishment of the register and authorises the collection, use and disclosure of information for the purposes of the register and certain other purposes. It will allow Medicare enrolment and claims data and healthcare identifiers for individuals and healthcare providers to be collected by the register for the initial system build as well as on an ongoing basis.

The Turnbull government is serious about increasing cancer screening rates in the fight against cancers, as well as to improve survival rates. This legislation is critical for this government priority. These bills will serve to benefit the health of Australians through more efficient cervical and bowel screening pathways made possible by the establishment of a national register. The bills will facilitate monitoring of the effectiveness, quality and safety of screening and diagnoses associated with bowel cancer and cervical cancer. They will assist general practitioners and healthcare providers in their clinical decision making and contribute to cancer detection, treatment and prevention. They are very important.

I have proposed some changes to the National Cancer Screening Register Bill to provide clarity in some of its provisions, as discussed with the Office of The Australian Information Commissioner. These include a new provision requiring the contracted service provider to notify data breaches to the secretary of my department and to the Information Commissioner, and for the secretary of my department to notify data breaches to the Information Commissioner and for certain actions to be taken in relation to data breaches. These amendments will achieve an appropriate balance between protecting privacy and retaining the flexibility required to deliver these world-class screening programs.

The protection of personal information held in the register is of paramount importance. I have proposed to make unauthorised recording, use or disclosure of personal information in the register, or a contravention of the requirement to notify data breaches, an interference with privacy for the purpose of the Privacy Act 1988. Although the department or affected individuals would have recourse to engage the Information Commissioner in any matter related to a privacy breach, this amendment would make it explicitly clear that the Information Commissioner could undertake an investigation as required.

The opposition has proposed amendments to the legislation to limit operation of the register to a not-for-profit organisation or government agency. Successive governments have successfully partnered with the private sector to deliver many programs. This amendment would be an extraordinary limitation on government's ability to continue with these partnerships, and it would send a concerning message to the private sector.

Changes to the National Cervical Cancer Screening Program from 1 May 2017 will introduce a more effective cervical cancer test, the human papillomavirus test, to replace the two-yearly Pap test. Cervical cancer claims the lives of 250 women a year, despite being one of the most preventable cancers.

Bowel cancer is the second most common cause of cancer deaths in Australia, with about 4,000 Australians dying each year. The expanded National Bowel Cancer Screening Program will roll out a free, at-home bowel cancer screening kit to Australians aged 50 to 74 years every two years by 2020.

I know that the heart of this legislation, the principles and the creation of the register, is not disagreed by the opposition, and I appreciate that. Quite frankly, it is a no-brainer that this legislation get passed and that this register come into operation. Everyone who appeared before the Senate committee inquiry initiated by the opposition said those things. They expressed their views and concerns, as they should, about privacy, and sought those reassurances which I believe my department has provided but which I am happy to strengthen with these amendments that I am moving. While all of those messages took place at the Senate inquiry, the very strong view of all those who appeared before it was that we need this legislation passed. We need the register in place because the current system is not geared to take on the five-yearly HPV test for cervical cancer.

It is quite clear that this legislation, this register, will save women's lives, and I look forward to its smooth passage through the other place. I commend my amendments to the House.

See this speech in context