Thursday, 6 June 2013
Privacy Amendment (Privacy Alerts) Bill 2013; Second Reading
The Privacy Amendment (Privacy Alerts) Bill 2013 provides for mandatory notification of data breaches by entities regulated by the Privacy Act 1998 as amended last year. The measure outlined in this bill was recommended by the Australian Law Reform Commission in 2008. The bill will introduce new protections to help keep personal information more secure in this digital age and ensure that companies notify their customers if they suffer a data breach. Whilst the coalition supports the passage of this bill through the House, we reserve the right to move amendments following any recommendations made by the Senate Legal and Constitutional Affairs Committee, which will inquire into the bill in a thorough manner.
This bill seeks to improve consumer privacy protection and will keep personal information more secure in this digital age, as well as encourage agencies and private sector organisations to improve their data security. As more and more personal information is collected online by both government agencies and private companies, there is inevitably an increased risk of data breaches.
There have been a number of high-profile data breaches in recent years, including in April 2011 when 77 million PlayStation Network accounts were hacked. This apparently cost Sony millions of dollars in profit while their site was down for an entire month. This is viewed as the worst gaming community data breach of all time. The hacker has still not been found, yet the person gained access to over 12 million unencrypted credit card numbers as well as full names, postal addresses, passwords and email addresses.
In February of this year, the Australian Broadcasting Corporation's main website was hacked, resulting in almost 50,000 people's personal details being exposed online. As these types of data breaches become more prevalent, it is important that consumers know when their privacy has been breached and their personal details compromised because of a data security breach. The bill will seek to make it a requirement for organisations to notify any affected individuals if they have a data breach.
The Privacy Act was extensively amended last year to harmonise the privacy principles regime for the public and private sector, provide for positive credit reporting, establish a regime for voluntary and mandatory privacy codes and increase the range of remedies for privacy breaches. The measures contained in this bill are intended to commence on 12 March 2014, immediately after the measures in the 2012 amendments.
The bill proposes that a mandatory data breach notification be sent to the affected person and the Privacy Commissioner if certain personal information is accessed, copied, obtained or modified by unauthorised persons. The personal information to which the regime is intended to apply is information of a type the unauthorised use or disclosure of which could give rise to a real risk of serious harm. This can include physical, psychological, financial or reputational harm. The regime does not apply to small businesses and intelligence agencies. A law enforcement agency that reasonably believes compliance would be likely to prejudice its law enforcement activities is able to seek exemption on a case by case basis.
There have been some possible issues identified with this bill and I wish to emphasise that the government would be wise to wait for the Senate Legal and Constitutional Affairs Committee to complete their inquiry and hand down their report on 24 June. There is widespread concern that the code process mandated under the 2012 amendments is facing a logjam in the Office of the Privacy Commissioner and with other regulators. The coalition has been informed that there is little confidence the transitional arrangements and consumer education campaign will be in place by September as required. This will have an adverse effect on the legislated commencement date for the scheme proper. As I foreshadowed, the coalition reserves the right to propose amendments following any issues that are identified by the Senate committee inquiry.
As more and more Australians provide their personal information to online organisations it is essential that these organisations have a certain level of responsibility when it comes to storing this information securely and reporting any data breaches to those customers that are affected. This bill will provide an incentive for businesses to keep their customers' personal information safe and secure. Whilst the coalition supports the broad principles in this bill there are still some concerns that require thorough investigation. That is why the coalition will wait for the Senate committee's report into this bill, and we reserve the right to propose appropriate amendments. I recommend that the government do wait for that Senate committee report to be handed down, and that should still give the government time to have the legislation passed before this parliament concludes.
I am pleased to speak in support of the Privacy Amendment (Privacy Alerts) Bill. I do so as a former practitioner in this area, acting not only for corporations, dealing with their privacy practices and compliance measures, but also for individuals, advising often on a pro bono basis on potential privacy breaches. I can fully appreciate from the corporate perspective what sort of an impact privacy breaches have on organisations that are subject to the Privacy Act but I also understand how important it is for individuals who are affected by such practices.
It is useful to go back to first principles when we are discussing privacy. Once upon a time—the member for Banks will know this as well—when we talked about privacy it used to be about the right to be left alone. Many cases in Australia involving privacy had to do with trespass, and in some cases contract. We need to recognise today, in the digital age, that it is virtually an untenable concept with how far we have progressed in terms of information sharing and the ability of individuals and organisations to collect, use, store and disclose personal information.
It is important to recognise when we talk about privacy that Australia has had some of the world's pre-eminent privacy thinkers—people like Justice Kirby and many others have contributed to the formation of what have become standardised privacy benchmarks in the EU and elsewhere. I do believe privacy is the here and now frontier when we are talking about the digital age. The amount of personal information being stored and traded and the acquiescence of many people, freely giving away personal information but at the same time expecting a certain level of protection, pose great challenges for the law. This bill is an important development arising from the landmark ALRC review, and it is important that it be implemented.
It is useful to remember that 'risk management' and 'sound privacy practices' are no longer terms that are tacked on the end of a due diligence—they have become a fundamental part of corporate life and a fundamental part of due diligence. Even before the Privacy Act 1988 was extended to cover private sector entities rather than just government entities, we still had a system of disparate privacy laws in Australia that exists today. There is telco-specific privacy legislation contained both in the Telecommunications Act and in the various interception and access regimes. We have specific rules relating to tax file numbers, and of course we have specific rules relating to government and to the private sector in general. It is important to recognise that Australia has some of the most rigorous privacy regimes when it comes to personal information.
Turning now to the bill, this is an introduction of a mandatory data-breach notification scheme so that government agencies and private sector entities that are covered by the Privacy Act will be required to notify the Office of the Australian Information Commissioner and affected individuals of serious data breaches. These will be breaches that give rise to—and it is an important term—a real risk of serious harm to an affected individual, with 'a real risk' being defined as a risk that is not remote. It will also give the opportunity to affected individuals to take action—to put in some remedial steps to prevent things like identity theft and fraud. In a practical sense, this could include changing passwords, cancelling credit cards or the like.
As I mentioned, the development of this bill has been the subject of wide-ranging consultation. Consultation arose from the ALRC's landmark 2008 report. Also, the bill's development was subject to consultation in a discussion paper in October 2012 with a number of key stakeholders.
This bill is important because, in practice, it will provide a lot of incentive to encourage government agencies and private sector organisations to lift their standards and improve transparency about how they handle people's personal information. This will be a very important step in giving people not only more confidence in how their information is handled but also opportunities to remedy any breaches as they occur.
Those breaches can occur in a number of ways. There can be hacking or poor security and carelessness. I note the Attorney-General's media release of 28 May where he stated—and I think this is a very important point:
To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches.
And the commissioner does have the option of seeking civil penalties if there is serious or repeated non-compliance with the notification requirements.
Unfortunately, it is rare for a week to go past where there is not an exposé on the television or in the newspapers about a large organisation that has had an inadvertent breach. One was reported recently on 16 May where someone doing a Google search actually found a lot of private Telstra customer data, and this was a person who was looking for what you can find quite freely: telco carrier access codes. So, for a very legitimate purpose, this person was doing a search and all of a sudden discovered a wide range of data, including customer names, telephone numbers and, in some cases, home and business addresses. And that was a case of Telstra, but it could just as easily, as I think everyone here knows, be any big organisation, such as a bank or an insurer—any large entity that holds a lot of information.
I note that the Australian Privacy Commissioner, Timothy Pilgrim, has welcomed the release of these mandatory breach notification laws. He has been a strong supporter of them, ever since they were first proposed as a recommendation in the ALRC report. In a media release dated 28 May, Mr Pilgrim noted:
The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has continued to grow over the past three years …
Interestingly, though, as the media release says:
Despite this upward trend, the Office of the Australian Information Commissioner … only received 46 data breach notifications in the 2011–12 financial year …
That was actually a decrease of 18 per cent from the previous year. So I can understand his comments that:
I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring. Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised …
I would also note that since 2008 we have had an OAIC guide on voluntary data breach notification processes, on how to assess privacy breaches and respond. I am referring to the current version, of April 2012, Data breach notification—A guide to handling personal information security breaches. Again, I think there are a couple of first principles in it that are useful to go to, including the definition of a data breach, because 'data' is not actually referred to in the Privacy Act; it is really more a common term. 'Data breach', it says in this guide, means:
… for the purpose of this guide, when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.
As mentioned, there is a note to this definition:
The Privacy Act regulates the handling of personal information, and does not generally refer to 'data'. As such, in the interest of consistency with the Act, the previous edition of this guide used the term 'personal information security breach'.
However, the term 'data breach' has since entered into common usage in Australia and in various other jurisdictions. Accordingly, in the interests of clarity and simplicity, this guide uses the term 'data breach' rather than 'personal information security breach'.
Coming off that, it is also useful to remember what personal information is. This is set out in section 6 of the Privacy Act. It probably has three key components. It needs to be:
… information or an opinion—
so it can be something that can be tested in fact or a comment about that—
whether true or not and whether recorded in material form or not, about an individual—
this is an important point—
whose identity is apparent, or can reasonably be ascertained, from that information or opinion.
I think the term 'personal information' has come to be misunderstood in common usage, but certainly the term 'data breach' has entered popular language.
It is useful also to look at the four key steps that are set out in the guide that are probably also quite accurate in the commercial world for what is done when an organisation suspects or is intending to respond to a breach. Step one is to contain the breach and do preliminary assessments. If you are doing something wrong you stop or if there is something that needs to be done you do it straight away. The second step is to evaluate the risks associated with the breach. Risk assessment, again, is a very commercial action that needs to be taken but also a very reputational intensive issue. The third step is notification—whether you notify the individual or notify the Privacy Commissioner. In the various seminars that I have been to and on occasions where I have had the opportunity to interact with the Privacy Commissioner one point became very clear—and I am sure the Attorney-General would not disagree with me—and that is if you realise there is a problem the best thing to do is to own up to it. I think any organisation that does that probably has a greater ability to re-establish trust with its customers and clients compared to somebody who chooses to cover it up. The fourth step, which is very important, is to prevent future breaches. So you put in place any necessary steps to ensure that the breach does not happen again. Again, in my experience, if this can be demonstrated to the Privacy Commissioner if an investigation is going on by being able to say, 'We are actually doing something about it,' that is far better than covering it up or trying to claim that nothing is wrong.
In the remaining time I have I would like to refer to someone who I have had the pleasure of working with and who is very eminent in the private sector area of privacy law—Peter Leonard of Gilbert + Tobin. He, along with Michael Burnett, a lawyer in his group, has written an excellent brief which I would be very happy to provide to the Attorney-General about the new mandatory data breach notification scheme for Australia. That points out some practical compliance issues. I think that these are very valid compliance issues that any firm would want to have a look at.
Regulated entities are likely to face a number of challenging practical issues in their efforts to comply with the new scheme; not least of which will be determining whether there are reasonable grounds to believe that there has been a serious data breach in respect of personal information it holds.
I also note that when we are looking at the definition of 'serious harm' a lot of this does require guidance because a lot of this needs to be very practical in nature. The brief says:
Helpfully, the OAIC Guide provides some insight into the Commissioner's views as to what might fall within the scope of serious harm. The Guide suggests that serious harm may include identity theft, financial fraud, the disclosure of credit card details, and the stigma and discrimination that may result from the misuse of health information.
I believe it is very important—I raised this myself in writings when the ALRC report came out and a lot of its recommendations referred to the need for the Privacy Commissioner to issue guidelines—for the Office of the Privacy Commission to have all the resources it needs to implement these laws if this is going to be practical, incentive regulation and if it is going to encourage good best practice in the commercial world. I know there has been a very strong focus on that by this government.
I am very pleased that this government has been able to do that, and has demonstrated an ongoing commitment to do that. I think that the ability of the OAIC to issue and keep updating its data-breach notification guidelines, and still have very useful guidance—as has been noted by the authors I have referred to—is a very good thing. I am sure that will continue under the Attorney-General.
I rise in support of the Privacy Amendment (Privacy Alerts) Bill 2013. It gives me great pleasure to be able to speak on a bill that secures the protection of consumers and strengthens consumer laws and the Privacy Act itself. These are very important for the individuals that do business with big firms, companies, banks, telcos, et cetera.
We should remind ourselves at this point that it was Labor, back in 1988, that passed one of the first privacy laws that this country had seen. Again, we see Labor acting to strengthen these laws. No doubt, back in 1988, one of my predecessors, the member for Hawker, Ralph Jacobi—Hawker was a neighbouring seat to Hindmarsh and has now merged with Hindmarsh—had a lot to do with this bill, as he had a very keen interest in consumer affairs, insurance laws and protecting the rights of consumers.
As I said, in today's world, where we do business with multinational firms and internet companies, we all have usernames, databases, pass codes. I might have half a dozen passwords which, if I did not write them down and keep them somewhere safe, I would forget. But all these passwords give us access to our banking accounts, to our telephone accounts, to our taxation accounts and to a whole range of things that keep this world going. That is why I am very pleased to see that this bill will strengthen these laws and introduce a mandatory data-breach notification provision for agencies and organisations that are regulated by the act. That means that if these particular organisations, agencies or businesses have their databases breached then the consumer or the individual will have to be notified immediately of that breach.
These reforms will strengthen the Privacy Act. We have also seen bills that will give more power to the Commonwealth Privacy Commissioner, so that individuals can get enforceable remedies—for example, in the courts—rather than just make a complaint. That is real action that helps people all over Australia.
As I said, the bill before us will implement key recommendations of the Australian Law Reform Commission's report into privacy and it will implement a mandatory reporting scheme that will enable the individuals affected by a data breach to take action to prevent identity theft and fraud, by taking action such as cancelling their credit cards or changing their passwords et cetera.
It will also encourage private sector organisations, individuals and government agencies to lift their on-line security standards. No big bank or organisation wants to risk its reputation by having its data breached at any time. This bill is all about more transparency. It will ensure that organisations are more transparent about how they handle people's very private and personal information.
We have seen events such as the hacking of the ABC online site, which someone got into and was able to access thousands of passwords. You know at that point there is a legal requirement to notify the consumers that that privacy has been breached. That is one example of a breach of privacy. Another example that comes to mind is the security breach that was sustained by Sony on the PlayStation network that led to the possible disclosure of hundreds of thousands of consumers' personal data. If there is not a system in place that ensures consumers are notified when their personal data is vulnerable then consumers are not able to remedy the situation. That is what this bill does: it allows the consumer to remedy the situation by changing a password, cancelling a credit card or doing whatever needs to be done. In an example where you have your credit card stolen, if you work it out immediately then you are able to cancel that credit card, but, if it takes you about two weeks to work out, a lot of damage can be done in those two weeks.
This proposal has strong support from the information and privacy commissioners, consumer advocates and IT security companies. It is the right time to implement these reforms. I am very proud to be part of a government that is committed to the privacy of Australians. This bill is a big win for consumers. It enhances their privacy protection in an ever-advancing digital landscape. I commend the bill to the House.
I thank honourable members for their contributions to the second reading debate on the Privacy Amendment (Privacy Alerts) Bill 2013. I thank the member for Stirling, the member for Greenway and the member for Hindmarsh for their support. I also note the support that has been expressed for this bill by Microsoft, OzHub, the Office of the Australian Information Commissioner, Electronic Frontiers Australia and Choice.
This bill is an important step in consumer protection in Australia. It will create a safe and transparent online environment that will help grow Australia's digital economy. In an increasingly digital world, more and more personal information and data is being collected from Australians. The government believes it is time that companies and agencies which hold that personal data were under an obligation to tell consumers when the security of that personal information has been breached. While it is impossible to tell exactly how many breaches are occurring, international studies suggest that there has been an upward trend in the occurrence of data breaches worldwide. Meanwhile, as the member for Greenway observed correctly in her speech, the Office of the Australian Information Commissioner received fewer notifications in the 2011-12 year than the year before. In the face of this and other information suggesting underreporting, Australia's current system of voluntary reporting of data breaches by companies and agencies is not working for Australians. It is also clearly unacceptable that a number of recent high-profile data breaches involving Australians' personal information have come to light through the media. This is why this bill is so important.
As a result of these amendments, Australians will be better able to mitigate the risks resulting from data breaches and reduce the risk of identity fraud and cybercrime. In the face of a data breach, Australians must have the knowledge and power to change their passwords, improve their security settings online, cancel credit cards or completely change businesses. Many other places around the world are introducing or considering mandatory data breach laws: New Zealand, the United States, Canada and the European Union. As a world leader in many important areas of reform, Australia cannot afford to be left behind on consumer privacy protections. This bill represents the latest in a number of landmark privacy reforms that this government has delivered on. These achievements will ensure that Australians will continue to have a modern, adaptable and robust privacy framework, one that continues to provide the high standards of privacy protection that we envisaged Australians should have when the Privacy Act was enacted in 1988. I commend the bill to the House.
Question agreed to.
Bill read a second time.
Ordered that this bill be reported to the House without amendment.