House debates

Tuesday, 7 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; Second Reading

12:57 pm

Rebekha Sharkie (Mayo, Nick Xenophon Team)

This bill is important because it contributes to increased accountability and transparency—a key issue for the Nick Xenophon Team. In particular, its aim is to protect the rights of individuals in an increasingly complex digital world. When passed, it will ensure that an entity that holds data must take action to inform an individual if there is a likely risk of serious harm as a result of unauthorised access or unauthorised disclosure of their information. The Nick Xenophon Team default position is to support legislation that seeks to rebalance the power between corporations and individuals by giving greater protection to ordinary people.

This bill has a long history. Its genesis can be traced back to Nick Xenophon and his concerns about safeguards, or lack thereof, in the legislation about data retention and access to metadata—and we remember the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. At the time my colleague Senator Nick Xenophon expressed concern because the capacity of the state to have everyone's information, in terms of who they have contacted, should carry with it a need for much greater scrutiny and protections. Unfortunately, adequate protections were not built into the legislation at that time. While not completely addressing our concerns about the retention of metadata, this bill attempts to reduce the risk to individuals of their data being accessed or disclosed in an unauthorised way, meaning that they have an opportunity to take their own action to minimise the damage.

Of broad concern to the community would be the security of health data. This comes into sharp focus in the context of legislation to establish a cancer screening register that was recently passed by this parliament. Understandably, there have been concerns expressed about the privacy and security of the data held, because the register will be established and operated by a private sector company—Telstra, which won the tender to operate the register.

Telstra does not have a good track record in relation to protection of customer data. In 2013 Telstra accidentally released the personal information of almost 16,000 customers, including names, addresses and phone numbers. This information was accessible via Google search for almost a month. At the time the breach was discovered, Telstra was already subject to a direction from the communications watchdog to improve its customer data protection following a 2011 breach which involved 234,000 customers.

The National Cancer Screening Register will have two main purposes. The first will be to manage a contact database linked to reminders to undertake cancer screening. The second is of greater concern, because it will hold a further personal cancer health record containing test results, treatments and other sensitive information. The latter is why it is important to have the provisions in this bill before us so that if a breach were to occur, Telstra would be obligated to notify affected individuals.

The Red Cross blood donor service recently experienced one of the most significant data breaches ever seen in the health sector. It affected more than 500,000 blood donors. Personal information, including being identified, whether correctly or incorrectly, as having at-risk sexual behaviour, was accidentally placed on an insecure computer environment due to human error. The Red Cross acted appropriately under the current voluntary code; it informed individuals and set up an information site. This legislation will ensure that in any similar situation the organisation will be obligated to take such action.

Closer to home for me, the South Australian Health Service is experiencing serious internal breaches, resulting in five staff being sacked for inappropriately accessing patient records. Up to 20 additional staff have also been disciplined. It is unclear whether the patients in each of those circumstances were notified of the breach of their privacy.

One of the core principles of the Nick Xenophon Team is transparency and, of course, accountability. This must apply to governments, and also corporations must accept the social contract they have with the community. When individuals provide data to companies they expect those companies to protect the privacy of that data. That is at the heart of the social contract.

This bill brings corporations to account and forces them to take responsibility for their social contract, especially when things go wrong—as they sometimes do. This is a win for the Nick Xenophon Team; but, more importantly, it is a win for the average citizen who puts their trust in companies to protect the integrity of their personal data. The Nick Xenophon Team will continue to push for increased government and corporate accountability. We have recently negotiated with the government during the passage of the registered organisations legislation to deliver increased whistleblower protections. That will protect informants who shed light on unconscionable dealings.

We will continue to push for measures such as a national anticorruption commission. We want to see political donations declared in a more timely manner and we want to review duplicated services at a federal, state and local government level, and to determine the most appropriate entity to deliver those services. We will continue to fight for ordinary Australians who have lost trust in their government.

To conclude: members of the public must be advised when there is a privacy breach involving their personal data so that they can assess what action they may take to minimise harm to themselves. In an increasingly digital environment, corporations must take responsibility for protecting the data of their clients and their customers, and to do it effectively. And if they fail, they must be held to account. Thank you.
