Senate debates

Thursday, 27 March 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

11:29 am

Zed Seselja (ACT, Liberal Party)

It does not matter if I do not hear them. It is hard to respond to them—it is hard to know whether you want to respond—if you cannot hear. Please heckle louder next time so that we can be clear on what it is you are heckling me on!

I would like to lend my support to what has been said. Senator McKenzie put it really well, and I want to pick up where she left off and where much of her contribution was aimed—that is, in relation to the fact that this government does not want to make the same mistakes that the previous government made. Those mistakes were often about very poor policy—about dumb ideas and not getting a mandate—but they were also very often about very, very poor process. That very poor process, when coupled with some very dumb ideas, led to some very poor outcomes. I want to touch on some of those poor processes because we do not want to make the same mistakes.

There are many things on which we want to differentiate ourselves from the opposition. One of those is that we do not want to follow the poor processes of the previous Labor-Greens government. Senator McKenzie touched on some of those poor processes, and I will expand on some of them. We are hearing right now about one of the poorest processes ever put in place—the pink batts scheme. There were two days for public servants to go away and design a scheme to spend billions of dollars of taxpayers' money.

We know about the disastrous results of that very poorly conceived and executed policy. Whether it was a good idea in the first place is one thing; we can all agree that the implementation was a disaster. That is what happens when you do not get it right and when you rush things.

The National Broadband Network was designed on the back of a beer coaster on a VIP flight. That has led to taxpayers forking out billions of dollars for very little delivery. That scheme would have led, had the Labor Party been returned to office, to at least $30 billion extra being spent on the National Broadband Network because of the poor design and because of the poor rollout.

We know that, in the time the Labor Party had in office, they had time to do damage because of that process. The NBN is another example of where we do not want to be. We do not want to end up doing things like the former Labor-Greens government did.

The mining tax mark 1 was brought in without proper consultation with industry. It was dumped on industry as a fait accompli. It was not properly consulted on. That led to the chaos that we saw with the removal of a first-term Prime Minister. Then we saw a hastily cobbled together replacement mining tax which ended up getting very little revenue while still doing damage to investment because of the concerns about that type of process and the concerns about that kind of attack on an industry that was so important to Australia.

That is another example of how we do not want to do things. That is the Labor way. The Labor way was to rush things. They would often tell us about how much legislation they had passed—the great success of the previous parliament was just how many pages of legislation they had passed. I put it to senators that the mark of a good government is not how many pages of legislation they pass; it is whether they manage the country effectively. The test is: when they pass legislation does it make things better? Does it make things better for families? Does it make things better for business? Does it make it easier to do business? Does it make us freer as a people? It is not about how many pieces of legislation and regulation you put in place.

So, not content, it seems, with passing ill-conceived and ill-thought-through legislation and policy from government, we now have the Labor Party seeking to impose that model on us from opposition. That is at the heart of our concerns.

I will go to some of the substance of the bill. As has already been stated by government senators, the government has always supported the principles of privacy protection for individuals. In this digital age, protection of personal information is important. We have seen in recent years many serious data breaches which have led to the compromising of personal information. The government understands how serious the issues of financial and identity theft are, but the government will not be pressured into agreeing to a proposal without giving it full and proper consideration. That is where we believe that the introduction of a bill by Senator Singh without appropriate consultation is premature.

If we look back at the criticisms made by coalition senators when a similar bill was introduced last year—criticisms about the lack of due process, time and scrutiny—we believe they still stand. There was a short timeframe for submissions in the original inquiry. The Cyberspace Law and Policy Centre at the University of New South Wales expressed concern about the lack of time to submit. They said that they had had only around 10 working hours to draft and finalise a submission. The Australian Privacy Foundation also expressed concern about having only 1½ days to draft and finalise their submission.

There is also a lack of clarity around the terms 'serious breach' or 'serious harm'. The Australian Privacy Foundation did not support the real risk of serious harm threshold. They argue that the threshold should not be set at too high a risk of harm and risk of harm should not be the only trigger for notification. The AFP said:

Aggregation of terms limiting the nature of the harm that triggers notification increases the risk that organizations will argue that one or other aggregated term do not apply to them. For example, a phrase such as "real risk of serious harm" is a very high threshold, because of the combination of 'real' (i.e. 'not remote') risk, 'serious' harm (with no clear notion of seriousness) and ‘harm’ which may be given a limited definition …

In addition, a second trigger is necessary. Any significant breach should be subject to notification in any case. If that were not the case, then a significant insecurity would not become apparent, and would not be addressed, and it would be very likely that it would later give rise to a serious breach that was eminently avoidable. A single threshold test would result in a scheme which was a failure.

There is also industry concern about the mandatory notification provisions. The proposed bill requires three specific actions. As soon as practicable, after forming a reasonable belief that a serious data breach has occurred, they must prepare a detailed statement concerning the breach, provide a copy of the statement to the commissioner and take reasonable steps to notify the contents of the statement to each significantly affected individual, and publish a copy of the statement on the entity's website and in at least one newspaper circulating generally in each state and territory if the prescribed general publication conditions are satisfied.

The Communications Alliance argued that these specific actions were contrary to good business practice. They said:

… good business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying—and potentially confusing or alarming customers—than containing the breach, rectifying the issue and preventing its reoccurrence.

At the heart of the Communications Alliance's argument is that the bill will not do what is claimed it will do. What it could do in practice is cause more harm than good—not focusing on the outcome, which is about containing the breach; rather, potentially confusing customers. Sometimes these bills and Labor Party policies are about being seen to do something rather than actually dealing with the problem at hand. The Communications Alliance makes a good point.

The Australian Bankers Association raised concerns about the final condition of notification and the uncertain scope of the general publication conditions and notification model. Their submission said:

There is a critical element of the notification model in the Bill that is missing because it is unclear what “general publication conditions” will mean if these conditions are satisfied. Without this definition, the real impact of the Bill cannot be assessed because the meaning of this expression will be covered by a regulation-making power in the Bill. Regulations dealing with this aspect have not been provided with the Bill.

It is also important to note the additional regulatory burden this will place on the industry. Without proper consultation it is difficult to assess just how significant this burden is.

The concerns of key stakeholders should not be set aside, and further time to scrutinise the bill and consult with stakeholders is crucial before the bill is passed. The government is not opposed to considering proposals that improve data security practices. Measures that enhance the protection and security of the personal information of Australians are critical, particularly in this digital environment.

In conclusion, the coalition certainly agrees that we need to find ways to ensure data security, but we do not believe that the Labor-Greens way of doing things—which is to rush legislation through, which is to not properly consult with affected stakeholders and which is to not properly take account of serious industry concerns—is the right way to go. That path leads to poor policy, poor legislation and, ultimately, very poor outcomes for consumers in Australia. Those are the concerns that the coalition and I share.
