Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General) Share this | Hansard source

Labor supports the Privacy Amendment (Notifiable Data Breaches) Bill 2016. We support this bill because, in fact, it is our own bill. In 2013, Labor in government introduced the Privacy Amendment (Privacy Alerts) Bill 2013. That bill, like this one, made it mandatory for regulated entities under the Privacy Act to alert consumers when their personal data had been breached—whether through accident or malice. That 2013 bill followed an extensive report by the Australian Law Reform Commission in 2008, which recommended the Privacy Act be amended to provide as follows:

An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

A failure to notify it would result in a civil penalty. The ALRC went on to clarify that 'specified personal information' should include personal information as well as sensitive personal information—for instance, a unique identifier that links someone's Medicare number to their name and address.

After extensive consultation, Labor responded to that recommendation with our privacy alerts bill, which I introduced as Attorney-General on 29 May 2013. That bill had bipartisan support and passed in this House but, sadly, lapsed at the 2013 election before it could pass in the Senate. With the total absence of action from the Abbott government, Labor introduced a private senators' bill in 2014 to the same effect as the 2013 bill. That, again, lapsed at the 2016 election. The best we got from the Abbott-Turnbull government in the 43rd Parliament was an exposure draft released in 2015, which went nowhere. That followed the February 2015 recommendation of the Parliamentary Joint Committee on Intelligence and Security—as part of that committee's report on mandatory data retention—to the effect that a mandatory data breach notification scheme be introduced by the end of 2015. The coalition government agreed, in its response to the intelligence committee's recommendation, that it would do so, but it failed.

The government's inertia has been baffling. It has taken the government more than three years to introduce a simple, straightforward bill that has bipartisan support. The reasons for this delay are totally beyond me. Many Australians would be shocked to learn that it is not already mandatory for agencies or companies to notify them when their personal data has been breached. For example, the Department of Health, Department of Social Services, a bank or an online store could accidentally leak your data today, and you may not hear about for another few years—or at all. That is the current situation.

If consumers are not informed that their personal data has been breached until months or even years after the fact, it removes their ability to take remedial action. They cannot change their credit card details and they cannot keep a watch for suspicious activity; they are totally powerless because they are unaware. This is clearly unacceptable.

And while the government has waited and delayed, the situation has worsened. We have had example after example of data breaches—sometimes serious and sometimes not notified until a very lengthy period has elapsed. A prime example is the Catch of the Day case, where the personal data of some or all of its two million customers was hacked and stolen in 2011, but the customers were not told until 2014. This, rightly, caused outrage when it came to light. Moreover, the company did not report the hack to the Australian Federal Police when it happened in 2011.

This bill is designed to prevent exactly this kind of situation. Corporations—or, indeed, Public Service departments—must not be allowed to delay reporting of a serious breach of personal data because of fear of the damage it might cause to the reputation of the company or organisation. They must disclose to affected customers as soon as the breach is known. Australians deserve to know so they can act to protect themselves.

The threshold test for an eligible data breach is outlined in proposed section 26WA of the bill. It provides that an eligible data breach happens if it is 'likely to result in serious harm'. In contrast, the threshold test in the Privacy Amendment (Privacy Alerts) Bill 2013 was 'real risk of serious harm'. The test 'likely to result in serious harm' could be seen as a slightly higher threshold, particularly when combined with the list of relevant matters for consideration to help guide whether harm is likely or unlikely. However, the ALRC report For your information: Australian privacy law and practice noted that in international law the terms 'likelihood' and 'real risk' are similar and related. The term 'a real risk of serious harm' has been defined to mean 'a reasonable degree of likelihood', 'real and substantial danger' and 'a real and substantial risk'.

The Law Council in their submission on the exposure draft of the bill expressed concern that the 'real risk' test was unclear. They view the 2016 bill as an improvement on the exposure draft version of the bill. The new test responds to stakeholder concerns about the practicability of determining what degree of probability and what kind of harm would be captured in the phrase 'real risk of serious harm'. It will provide greater certainty for regulated entities to be able to comply with their obligations.

The protections for consumers contained in this bill become even more vital with the worrying trend of this government to outsource the handling of personal data from the public sector to the private sector. This includes the sell-off of ASIC's corporate registry, which holds critical information on more than two million companies in Australia. It holds the names of directors of companies, company names and corporate histories. It is a key resource for journalists and the public who wish to find out more about Australian companies. Business owners are required to lodge a lot of detail with ASIC, not all of which is made public, which undoubtedly they would not want to fall into the wrong hands.

In the midst of the election last year, we heard that the Turnbull government would award the contract for managing sensitive medical records to Telstra, which will be in charge of the new national cancer screening registry from next year. The contract, estimated to be worth $180 million over three years, is the first time such sensitive data will have been in corporate hands. Telstra does not have a spotless history in terms of taking care of its customers' data, and has had a number of breaches looked at by the Office of the Australian Information Commissioner. In 2014, Telstra was fined $10,200 for exposing the personal data of nearly 16,000 customers online. I quote from The Australian in an article dated 11 March 2014:

The finding is the latest stain on Telstra's lax privacy record. In 2012 the telco received a similar warning from the Privacy Commissioner for publishing the personal information of more than 730,000 customers online. It also received warnings for breaches of customer data in 2010 when a mailing list error resulted in about 220,000 letters with incorrect addresses being mailed out.

In an era such as this, when personal health data is being handed over to a big corporate with a patchy privacy record, the passage of this bill is more important than ever.

Then we have the proposed privatisation of the Medicare data system, which the government pledges is no longer going ahead—but who knows whether they will keep to that promise. If it did go ahead, this would possibly be the largest transfer of personal health and financial data from public to private hands ever undertaken by a government. It is vitally important that the protections contained in this bill are in place before that happens—if, indeed, it does happen.

To conclude, it is extraordinary that it has taken the coalition government more than 3½ years to introduce a bill almost identical to one passed by this House with bipartisan support in June 2013. I regret that it has taken the government so long to act, but I am glad that it has finally done so. I commend this bill to the House.

See this speech in context