Monday, 18 June 2007
Privacy Protection for Off-Shoring Bill 2007
Bill and explanatory memorandum presented by Ms Burke.
I present the Privacy Protection for Off-shoring Bill 2007, which seeks to amend the Financial Management and Accountability Act 1997 and the Trade Practices Act 1974 to regulate the transmission of personal identification data for processing outside Australia. It is to be seconded by the member for Lowe.
While most of us have declined the offer to surrender our bank details to email scams from members of the ‘Nigerian royal family’, the current trends in cutting the cost of managing personal data could render choices such as these obsolete. Numerous major Australian firms in the areas of banking, finance, IT, communications, airlines and other sectors have already been sending the jobs of workers who manage sensitive personal data to other countries—all in the name of cost cutting. You only need to look at the FSU’s bank cheque website to see that ANZ has sent off payment transaction processing, trade finance processing, international customs payments and other inquiries. The roles sent include customer inquiry and payment investigation processing. This means that associated customer details have already been sent offshore. And, on the whole, the consumer has not been informed about their private details leaving the country to be stored and managed by someone outside Australia and often outside the jurisdiction of Australian laws. The bill I present today seeks to ensure that consumers have the right to know if their personal information is being sent offshore before it is sent, are given the right to object to their information being sent offshore and will suffer no discrimination because of that refusal.
Offshoring refers to jobs and/or processes being moved overseas. Indeed, offshoring is a big business. It is estimated that the global market for outsourced IT and business process services was over $US322 billion in 2003 and is growing. The OECD recently predicted that close to 20 per cent of all work performed in Australia could potentially be offshored. This would equate to almost two million jobs leaving the country. Research by McNair Ingenuity in 2006 found that: 85 per cent of Australians are concerned about the security of their personal information being accessed in foreign countries, 85 per cent agree that the government should require all financial institutions to disclose whether they store customer information overseas, 90 per cent would choose a bank that kept their information in Australia rather than overseas and 91 per cent believe that their personal information should not be stored offshore without their written permission. The ‘right to know’ principle has been adopted in France, and legislation has been introduced into several state legislatures in the United States of America.
The level of data security may be inferior in the countries where jobs and/or processes are located. Currently in India, where most of this work is going, there is the Penal Code and the Information Technology Act 2000, which provide criminal penalties for unauthorised access to computer data. But there is no privacy legislation. Press reports in India have indicated that there will be greater privacy protection, because it is an area of concern in that country, particularly for overseas data. In the US there is no national comprehensive law on data protection, although several states have introduced some form of privacy protection. This lack of protection may expose consumers to an increased, and unknown, risk when dealing with companies that have call centres or other processes located in those countries.
Even in countries with strong data protection legislation there have been massive security breaches. During the first half of 2005, cybercriminals hacked into a credit card processing company in Arizona, USA; as a result, the private financial details of approximately 40 million people, including an estimated 130,000 Australians, were compromised. Interestingly, the fraud was actually detected by the National Australia Bank’s credit card fraud unit located in Melbourne, Australia.
A recent edition of the ABC program Four Corners highlighted the risks of cyberfraud and gave examples of personal details being offered for sale by people described as ‘data-harvesting brokers’ who have started to emerge in places such as India, where many call centres and back office processes are being located. The transcript of that program makes fascinating and very disturbing reading. Data containing the private details of many Australians was able to be bought for as little as $US5,000.
Consumers have undoubtedly benefited from advances in technology; however, these benefits also carry risks. Vast amounts of personal and financial details are processed and stored every day. Given the increase in identity theft and computer hacking, the importance of data security and the right to know where your details are held cannot be overstated.
My proposed amendment to the Trade Practices Act also seeks to prohibit agencies awarded Australian Commonwealth contracts from offshoring personal information. This will ensure that all work involving personal identification information undertaken by an agency on behalf of the federal government will be done in Australia by Australians. The Treasurer has recognised that this is an issue of concern. Last year he warned the banks that they needed to be wary and that they were not entitled to disclose any personal information without the permission of the customer. The Treasurer is in support of my bill here today. We have seen these jobs go overseas and we have seen people’s details go overseas. I believe we have the right to know where they are. (Time expired)
Bill read a first time.