Senate debates

Thursday, 27 March 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

9:31 am

Lisa Singh (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Attorney General)

I rise to speak to the Privacy Amendment (Privacy Alerts) Bill 2014. Labor believes Australians should be told when there has been a breach of their privacy. It is time that companies who are required to protect Australians' personal data should also have the complementary duty to tell a consumer when their personal data has been the subject of unauthorised public release. Businesses that already implement good privacy practices and comply with current voluntary guides from the Office of the Australian Information Commissioner, the OAIC, will have little difficulty in transitioning to the new scheme.

A consumer should have the right to know if their personal information has become compromised or if their bank or telecommunications provider has lax security standards. Consumers need to have the power to change their passwords, improve their security settings online, cancel credit cards or completely change providers such as banks and telecommunications companies.

In an increasingly digital world, more and more data and personal information is being collected from Australian families. This bill puts in place a compulsory notification regime in order to strengthen the protections around this information and build on the privacy regime Labor implemented when it was in government. The bill will require all entities currently regulated by the act to notify affected individuals and the OAIC when there has been a data breach that gives rise to a real risk of serious harm to an affected individual. A real risk is defined as a risk that is not a remote risk. Therefore, only the more serious data breaches will need to be notified—a responsible approach to implementing this important privacy regulation.

The OAIC will have the power to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified. The OAIC will also be given the power to exempt an entity from the notification requirement where it is in the public interest to do so. The bill ensures that the victims of a data breach will receive comprehensive and useful information about the circumstances of the relevant breach. Firstly, it must contain a description of the breach. Secondly, it must contain a list of the types of personal information that were accessed or disclosed. Thirdly, the notification must contain recommendations about the steps that individuals should take in response to the breach. Finally, contact information for affected individuals to obtain more information and assistance must also be included.

Noncompliance with the scheme would attract the normal Privacy Act remedies. These include public or personal apologies, compensation payments or enforceable undertakings. Under the new privacy regime enacted by the Gillard Labor government, a civil penalty can be sought where there has been serious or repeated noncompliance with mandatory notification requirements.

This bill is in substantially similar terms to the Privacy Amendment (Privacy Alerts) Bill 2013 previously introduced into the parliament in 2013 by the Gillard Labor government. It was to be the next step in the important reforms of Australia's privacy legislation being delivered by the Labor government, but the bill lapsed when parliament was prorogued ahead of the 2013 federal election.

The privacy reforms passed in the last parliament were significant Labor reforms to an area of law about which Australians are deeply concerned, and rightly so. That legislation, which has recently begun operation, delivered a number of important changes. The Privacy Act now contains a set of 13 Australian Privacy Principles which apply to Australian and Norfolk Island governments and some private sector organisations. The APPs harmonised and replaced the two sets of principles which previously applied to government and the private sector. The Office of the Australian Information Commissioner has been given new powers to assess and enforce privacy compliance and to seek civil penalties where serious breaches occur.

There are new provisions in the Privacy Act governing credit reporting. The law now provides for both more comprehensive credit reporting and an improved process for correcting reporting errors and dealing with complaints. Civil penalties now apply for certain breaches of the credit reporting provisions. The Privacy Act now provides for the recognition of external dispute resolution schemes for handling privacy complaints and for the registration of binding privacy codes.

These are all important reforms. They are important Labor reforms. It took a Labor government to enact the Privacy Act 1988 and it took a Labor government to deliver the most significant reforms to that act in the decade and a half since. Labor understands that privacy is a human right. Labor understands that technological change has made privacy a pressing everyday concern for many, many Australians. These reforms are well within the long and proud Labor tradition of consumer protection. They are an example of Labor's commitment to responsible regulation which protects rights which make a real and positive difference in the way Australians work and live.

The bill I speak to today is the next step in that package of reforms. The bill will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices. The risk of data breaches and the seriousness of their consequences have grown as new technology has allowed government and the private sector to collect more and more personal information about Australians. A data breach can severely affect an individual whose personal information has been compromised. People can lose money. Their identity can be stolen. They can be embarrassed and distressed by the release of sensitive personal information.

Labor believes that individuals should know when their privacy has been interfered with. Currently, the law imposes no obligation on organisations who suffer a data breach to notify those whose privacy has been compromised. Labor thinks that is manifestly inadequate. It is out of step with what our community expects. It is out of step with the way that technology has changed the way we live our lives. Labor is committed to act to remedy this gap in our privacy laws. We were committed to doing this in government and we remain committed to doing it in opposition.

Data breaches are of significant concern to modern Australia. There have been a number of high-profile breaches in Australia in recent times. One that comes to mind recently was the Department of Immigration in February this year, which published personal details of around 10,000 asylum seekers held in Australia. Similarly, between February 2012 and May 2013, the information of 15,775 of a telco's customers from 2009 and earlier were accessible on the internet. This included the information of 1,257 active silent customers. Previously, the personal information of approximately 734,000 customers had been made publicly available online in December 2011. Other large companies have had data breach issues as well, and the OAIC is aware of 56 data breaches in 2011-12.

But data breaches are a concern not only for individuals. The security of personal data is of commercial importance to Australian companies. Data breaches are bad for business and can be incredibly costly due to the errors that come about from them. Companies stand to lose not just time and money rectifying a data breach but also their reputation, and in a modern information economy the important trust of consumers in a company's privacy compliance is an incredibly important part of a company's goodwill. In 2012, the ABC reported that the average data breach incident in Australia cost the organisation in question some $2 million. What is more, that average cost has been steadily rising year on year.

Labor understands the importance of this issue not only to individuals but also to business and to the competitiveness of Australian companies and we have introduced this bill from opposition to ensure that appropriate action is now taken. This bill, rightly, has strong support from Australia's various information and privacy commissioners, from relevant industries, from IT security experts and from privacy and consumer advocates. But most importantly, the Australian public demand the protection this bill will provide. In a survey conducted last year, the OAIC reported that some 96 per cent of Australians believed that they should be notified of data breaches if they are affected by them.

In government, Labor consulted extensively with relevant stakeholders. We focused on making these reforms as flexible as possible. We focused on minimising the compliance burden on companies and agencies while making sure that the privacy rights of individuals are steadfastly protected. We took both industry and consumer concerns on board, and the widespread support for the bill very much reflects this. So given that the hard work of this bill has been done by Labor and given that consumers and industry support its passage, we might wonder why the new Attorney-General has sat on his hands. This month the suite of privacy reforms that were passed by the Gillard Labor government entered into force and this bill comprises an important addition to that package of reforms.

So why hasn't the government acted? Industry and the community are ready for this reform and, indeed, it will be easier for compliance if this bill could enter into operation more or less alongside the other major changes to the Privacy Act which have just now come into force. Delaying the passage of this bill would leave Australia behind developments in comparable jurisdictions, notably jurisdictions like the US and the EU. Australian consumers deserve protection every bit as good as that which the citizens of other nations enjoy, and Australian businesses must stay ahead of the curve to be competitive.

The Liberals did support this bill, though, when last in parliament and, when the bills lapsed at the conclusion of the 43rd Parliament, there were reports in the press that an incoming Liberal government would continue this important work and work towards the enactment of a privacy alert law when in government. Well, they have now had six months in power, and yet we have heard nothing from this government. Nor is it the case that the Abbott government or the Attorney-General, Senator Brandis, have more important things to do. Senator Brandis's only legislative work in the time he has been in office has been the bills he contributed to the Abbott government's repeal day media event. In many cases the main function of these bills was the correction of typographical errors and grammatical mistakes: a worthy enterprise, but not one that carries much legislative weight. As my colleagues in another place pointed out yesterday, the Attorney-General is yet to introduce any legislation of substance.

I hope that the Attorney-General's unedifying recent appearance on Alan Jones's show on 2GB radio does not indicate that he is now preparing to walk away from privacy law reform. On 14 March, in a display of disingenuousness, Senator Brandis appeared to disown the privacy laws that he and his party had voted for in the last parliament. Mr Jones put a number of confused complaints to the Attorney-General about the operation of the new credit reporting provisions of the privacy legislation, and this is what our bold Attorney-General said in the course of his response:

… these were measures that were introduced by the Gillard Government.

He said that the new privacy laws were:

… something we inherited from Gillard.

What a shameless act of buck-passing, when they supported the privacy reforms in the last parliament. The Liberal Party supported these privacy reforms in the last parliament. So though it was Labor that spearheaded these reforms, and Labor that did the hard yards, the Liberal Party did do the right thing in supporting our privacy reforms in the last parliament. They were right to do that at that time and so that is why it is now disappointing that they should not have the integrity to continue to hold to that responsible policy position—some six months have passed and they have had so many opportunities in the time we have been sitting in parliament for them to have done so.

When Australians want to know their Attorney-General's position on issues that matter to them, should they trust the way he votes in this parliament, or should they trust his throwaway lines on talkback radio? The only thing the public can count on is the opportunism of the Attorney-General. Why doesn't he have the courage of his convictions to stick by the Labor reforms that he so rightly supported? And why doesn't he explain the operation of legislation that he did vote for, rather than slinking away from it at the slightest hint of public debate—like the example I just gave of him on talkback radio? Does the Attorney-General support privacy law reform again, now that he is back in the cloisters of the parliament? What is his position on this issue which is of such importance to Australians in their everyday lives, and will continue to be important to them as we continue into this age of the digital economy?

Given the paucity of his own legislative record as Attorney-General, I would have thought Senator Brandis would be desperate to claim some credit for any good policy that had passed through this place. Now the Attorney-General has another chance to support good privacy policy with the introduction of this privacy alerts bill. This privacy alerts bill is a constructive policy proposal. It is ready to go. The people want it. Industry wants it. But where is our Attorney-General and where is the Abbott government on privacy law reforms? Why has it fallen to the opposition to provide this parliament with some real policy substance? The Liberal Party has been in government for some time now. There have been a number of opportunities for the new Abbott government to introduce privacy law reforms, to continue on with the good work started by the Labor government in this area of privacy reform. It is something that Australian consumers want. It is something that industry wants. In fact, it is something that ensures that industry has better data hygiene, if you like, around the way that its data complies with privacy laws.

This government and this Attorney-General might be a policy-free zone, but the Labor opposition is here to help. I sincerely hope that, as they rightly did when they were in opposition, the Liberals will support this prudent bill—this bill that is needed; this bill that will put us in step with other jurisdictions such as the EU and the US; this bill that will ensure we have certainty for consumers and for industry as we move further into this digital age. I hope the government will help us continue the good work in this area of the previous Labor government and I hope they will support this bill. I commend the bill to the Senate.
