House debates

Tuesday, 8 November 2022

Bills

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; Second Reading

5:47 pm

Anne Stanley (Werriwa, Australian Labor Party)

Over the past few months, we've seen significant, high-profile data breaches, with the personal data of millions of Australians being compromised. Many have been forced to suspend their lives to avoid serious financial consequences. And, unfortunately, this is becoming more common and will continue in frequency if nothing is done about it.

According to the 2020 Australian Community Attitudes to Privacy Survey conducted by the Office of the Australian Information Commissioner, Australians were already concerned about their data. Seventy per cent saw the protection of their personal information as a concern in their life, and yet only 24 per cent felt that their privacy was well protected.

Australians deserve to feel that their data is safe, because often the information at risk is about their identity. It's passport numbers, bank account details, licence numbers and Medicare details, and, with the latest Medibank Private breach, even health records. A leak has the potential to cause immeasurable damage to a person's life, and that potential can cause extreme stress. We've seen that in the recent high-profile data breaches at Optus and Medibank.

I've had affected constituents tell me that they are in a constant loop of anxiety and fear. They're unsure about what has been compromised, when it was compromised and whether the fact that they have changed their licences or passports will make a difference if the compromise continues.

These data breaches cost Australians not just financially but socially, and the companies that require personal information from their customers must ensure that it is secure. The industries most at risk are those that hold incredibly sensitive information, with health making up 18 per cent of the breaches that occurred between July and December 2021 and financial institutions coming second. Australians must be assured that these vital industries are protecting their data, and the government is doing all it can to ensure this is the case. That's why this legislation is so important. We can't let the breaches that have already occurred go by without a reaction, and we cannot ignore this moment; we must learn from it.

The Albanese government has introduced this bill as a targeted response, incorporating the lessons from the past data breaches. Unfortunately, despite the increased sensitivity and awareness of the personal data companies hold, it is users that are still being left to organise what has happened to them, and so many companies are still very underprepared both proactively to protect this data and reactively to ensure that, in the event of a breach, they assist their customers. That is what this legislation seeks to enact. That is why the bill will increase the penalties for privacy breaches from $2.22 million to $50 million. Companies that hold the personal data of Australians must know there are significant consequences if they fail to protect it. There is no longer an excuse for this.

The increased penalties will send a serious message to companies and to Australians that personal data is just that: personal, and it should be kept safe. Increasing penalties are important. However, in the absence of other measures, it will not be enough. The bill contains several measures to modernise the Privacy Act to better protect Australia. Enhanced enforcement powers will be given to the Australian Information Commissioner. The commissioner will have greater power and will be able to require entities to undertake external reviews in the event of the data breach and conduct assessments on compliance and obligation, even if they do not collect Australians' information directly.

In an increasingly interconnected world, data collection can be complex and intricate, and data can be transferred between entities that may not operate servers in Australia. It's time Australia's privacy laws were modernised to account for this type of data management. Australians can be assured that our government is doing what it can to ensure that data breaches do not occur and that, in the event they do, the regulatory bodies will be able to act fast to reduce the damage. It's the least that Australians can expect.

To reiterate the point, this is not trivial. If leaked, it could be potentially destructive to a person's life and their financial security. In 2020, 59 per cent of Australians experienced issues with the handling of their personal data in the previous 12 months, including unsolicited marketing without consent and the collection of data that was unnecessary. That number is far too high, and this bill is the first step in reassuring Australians in the face of these latest data breaches, which unfortunately are not exceptional.

Between 1 April 2018 and 31 March 2019, the OAIC received approximately 1,000 data breach notifications. Between 1 July 2019 and 21 March 2020, it was almost 60,000. IBM has estimated in a report that they recently released that the average cost to businesses of a data breach is $4.1 billion. The report highlights the fact that many companies are deploying greater security frameworks, but there are still a substantial number of businesses who just aren't. The longer it takes a company to detect a breach, the worse off Australians are, and this metric isn't improving, with the report noting detection now takes weeks longer to be noticed. The increase to the penalty will incentivise companies to act proactively. And, if need be, our regulatory bodies will use the power given to them by the legislation to address the failings of entities that do not provide the information required by them under the Privacy Act.

Additionally, Australians expect all levels of government and regulatory bodies to work together when faced with a large-scale data breach. The commissioner will have increased powers to share and disclose information with enforcement bodies, complaint bodies and privacy regulators. Again, their situations are time sensitive, and information sharing between different levels of government and different regulators is essential for containing the potential damage.

Importantly, this legislation will only be the beginning. With a review of the Privacy Act due by the end of the year, the government will work to further strengthen and modernise our existing laws to suit the fast-growing digital environment. I, and I think many in my community, will be glad to see our government act to prevent future data breaches and to hold these companies to account. I commend the bill to the House.
