James Stevens (Sturt, Liberal Party) Share this | Hansard source

I start by sharing the extreme apprehension, concern and anger of members of my electorate who have been affected by data breaches in recent times. Obviously there have been two very high-profile examples—Optus and Medibank. In the case of Medibank we're still seeing the consequences of that unravel before our eyes. Many might be aware of the threats that have been reported in the media that the release of information could still possibly be imminent. People quite reasonably should expect their personal medical information to be protected. It is very much a concern that we could see—and I hope we don't—data that was stolen from Medibank released publicly and the privacy of potentially millions of people breached as a result of that. Like I said, medical information in particular is very sensitive and personal. We should have very great concern for people who may be potentially affected by that.

These two breaches have really shone a spotlight on the information that is collected by private companies, the apparent ease—evidently—of it being plundered by criminals and that fact that we probably haven't fully appreciated what information is recorded and retained by private companies. It has evidently been straightforward and easy for that information to be accessed. Why is there such a flimsy regime of protection in place for such sensitive data? I'm not defending either company involved, but we should also remember that clearly and obviously these are not two isolated examples. In fact, the examples we know about are a lot less concerning than the ones we don't know about.

The data breaches in recent times have shown that there is an enormous public relations impact on companies when it is revealed that they have lost important sensitive information on their customers. There is some indication now that Optus have lost about 10 per cent of their customer base since the revelation that they lost sensitive information on their customers. That 10 per cent may well increase in the future by way of reputational damage. I'm not aware of what the impact on Medibank has been, but I would think it's reasonable to assume that there will be an apprehensiveness amongst their existing customers and their future customers.

In the case of Optus we know that it was not only existing customers but also previous customers—in some cases going back years. They were no longer even customers of Optus, yet their information was stolen from a private telecommunications company, which you would think would have some of the highest data protection standards, given the line of business that they're in.

These are extremely concerning events that have happened in recent times. The point I make on reputational damage is that I'm also concerned, without any evidence, that there could be other companies that have suffered breaches that have considered—or will in the future consider—concealing those breaches on the basis that the damage to their business would be so significant, as they've seen the reputational impact on those businesses that have in different circumstances gone public on the data breach that they've had. That indicates even more that we need to respond by making sure that we've got the strongest possible regime in place.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is really an interim bill. The Attorney-General has indicated that the review into the Privacy Act that was initiated a few years ago is hopefully progressing as rapidly as possible and that more comprehensive legislative change will be able to be brought to this parliament as soon as possible, because what is proposed in this bill by no means addresses a whole range of other issues that I am certain will be identified through that review into the Privacy Act. The Privacy Act was really conceived in the 1980s and has no doubt been amended piecemeal on an ad hoc basis over the intervening decades, but the fundamental legislation was conceived in a time before all sorts of technologies and all sorts of abilities to retain data, particularly in the digital world, that now exist.

I certainly look forward to an opportunity to participate in legislating a dramatic overhaul of the Privacy Act insofar as what's required to better protect data, and also to put a much higher onus on all those that retain data, particularly major companies with major customer bases of Australians that keep information that can be used in a very harmful way against those people if misplaced or stolen. We know that data theft, particularly in the digital world, and the impersonation of people in the digital world is going to become an ever-growing area of crime to be greatly concerned about. We need to be acting to make sure that our legislative processes are as strong and robust as possible.

In the last parliament, we debated a number of bills related to critical infrastructure. I really think that data protection is in that same sort of place. I recall, in contributing on those debates, that we put significant requirements in place around critical infrastructure that was not in the government's hands as well as critical infrastructure that's in the government's hands. For privatised critical infrastructure we put a serious regime in place for reporting cyberattacks and other risks to those assets. The data of Australians is very much an asset and is very much critical. It's not just incumbent upon us; it's vital and it's a responsibility we have to the people of Australia to make sure that we've got the strongest protections in place. That includes making sure that penalties are in place. Where we're dealing with companies that keep a lot of data, there has to be a framework around what they can keep; what strength and hardening of the storage of that data is in place, perhaps putting stronger standards around what they can keep, what they can't keep and for what periods of time; and what the penalties are for them when, through clear negligence and not following those requirements, there is a breach.

I accept that in this bill there are some interim measures, but we are very much waiting for, as rapidly as possible, a broader set of legislative reform to come forward to the parliament. I definitely support the shadow Attorney-General's amendment on this bill. Nonetheless, we will support the bill beyond that through the parliament and look forward to further reform in this area and hopefully in the near future. I commend the bill to the chamber.

See this speech in context