Thursday, 13 October 2016
National Cancer Screening Register Bill 2016, National Cancer Screening Register (Consequential and Transitional Provisions) Bill 2016; In Committee
by leave—I move amendments (1) through to (8) on sheet 7946 together:
(1) Clause 4, page 3 (lines 21 and 22), omit the definition of contracted service provider.
(2) Clause 4, page 6 (line 10), definition of protected information, after "personal information", insert ", key information".
(3) Clause 18, page 19 (line 13), omit "120 penalty units", substitute "600 penalty units".
(4) Clause 22A, page 20 (line 24) to page 23 (line 31), omit the clause, substitute:
22A Data breaches
(1) This section applies to an entity if:
(a) the entity is:
(i) the Commonwealth, the Minister or the Commonwealth Chief Medical Officer, performing functions under this Act; or
(ii) engaged by the Minister, on behalf of the Commonwealth, to perform services for or on behalf of the Commonwealth in connection with functions of the Commonwealth, the Minister or the Commonwealth Chief Medical Officer under this Act; or
(iii) any other person performing work relating to the purposes of the register; and
(b) the entity becomes aware that:
(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, recording, disclosure or other use of information about an individual; or
(ii) an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the register; or
(iii) circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the register; and
(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.
Note: This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.
Notifying the Information Commissioner
(2) The entity must, as soon as practicable after becoming aware of the contravention, event or circumstances, notify the Information Commissioner of the contravention, event or circumstances.
Civil penalty: 600 penalty units.
(3) If an entity has given notice under subsection (2) on becoming aware that a contravention, event or circumstances may have occurred or arisen then, despite subsection (2), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.
Steps to be taken if contravention, event or circumstances may have occurred or arisen
(4) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:
(a) so far as is reasonably practicable contain the potential contravention, event or circumstances;
(b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;
(c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one individual—notify all individuals who would be affected.
Civil penalty: 600 penalty units.
Steps to be taken if contravention or event has occurred or the circumstances have arisen
(5) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:
(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;
(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;
(c) notify all affected individuals;
(d) if a significant number of individuals are affected—notify the general public;
(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraphs (1) (b).
Civil penalty: 600 penalty units.
(6) If an entity has given notice under paragraph (4) (c), then despite paragraph (5) (c), the entity need not give notice under paragraph (5) (c).
(5) Clause 22B, page 24 (lines 2 and 3), omit "section 18 or subsection 22A(1), (2), (4), (5) or (6)", substitute "this Act in connection with personal information or key information about an individual included on the register".
(6) Clause 26, page 26 (line 16), omit "The Minister ", substitute "(1) The Minister ".
(7) Clause 26, page 26, after subclause (1), insert:
(2) Ownership of information included in the register or otherwise obtained under, or in accordance with, this Act is retained by the Commonwealth despite any agreement under subsection (1).
(8) Clause 27, page 27 (lines 1 to 6), omit subclause (2), substitute:
(2) The Secretary may, in writing, delegate his or her functions or powers under paragraph 17(3)(g) (about disclosing information) to an SES employee, or an acting SES employee, in the Department.
(d) a person who holds or performs the duties of an office or position established by or under a law of the Commonwealth, a State or a Territory; or
(e) an entity (whether incorporated or unincorporated) established for a charitable purpose.
(4) This section has no effect to the extent (if any) to which its operation would result in the acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph).
These are essential amendments which go to the heart of protecting Australia's most sensitive health information. Let's remember the government did not want this legislation scrutinised. When Labor and the crossbenchers referred the legislation to a committee, they said it was unnecessary, and the health minister went so far as to label it 'hysterical'.
This is an inquiry which has forced the government to make amendments to their own legislation after the Information Commissioner identified critical issues and potential loopholes. No wonder the government did not want parliament to examine the legislation closely; they had completely botched it. This is their reputation. After all, they had signed a contract with Telstra before passing or even introducing the legislation.
While Labor is pleased the government has finally come, kicking and screaming, to make some of these adjustments to their legislation, there is more that needs to be done. Firstly, individuals should be notified when their most sensitive health data is breached. Under the government's draft legislation, if and when there are data breaches, Telstra only has to tell the Department of Health. This is the same department that had a breach of health information recently, which took weeks to be made public, with the health minister only standing up and mentioning it in a speech at a GP conference. While we understand the government will not accept Labor's amendments to ensure that the Privacy Commissioner is notified of breaches, it is not enough. Individuals deserve to be told if their most private health information is accessed inappropriately, so Labor's amendments will mandate disclosure of data breaches to affected individuals.
The government will argue that the Privacy Commissioner can notify individuals if he chooses but, again, not good enough. Individuals must be told. It simply beggars belief that the government does not consider this important enough to make the change. This is consistent with Labor's position across all portfolios. The government says it agrees, but is dragging its feet on mandatory disclosure legislation. Despite many promises, the government is yet to implement data breach notification laws that would make it mandatory to let Australians know when their personal information has been compromised.
Secondly, Labor has already proposed an amendment to increase the penalty for unauthorised use or disclosure of information. Under these bills the penalty for recording, using or disclosing information without authority is only $21,600. That is a drop in the ocean for an organisation like Telstra, which reported profits of almost $2.1 billion in the six months to 31 December 2015. Labor's amendments would increase the penalty for unauthorised use or disclosure of information from 120 penalty units, which is $21,600, to 600 penalty units, which is $108,000. Under the Crimes Act 1914 a court can impose a penalty up to five times this amount on a corporation. So if Telstra is the register operator it could be fined up to $540,000 for breaching the legislation. Again, the government will argue that the Privacy Commissioner can seek tougher penalties, but this should not be discretionary. If individuals or organisations inappropriately use Australians' most sensitive health data, they should be punished severely and automatically.
Thirdly, Labor has proposed an amendment to make explicit that the Commonwealth will be custodians of data in the register. The explanatory memorandum states:
Although the bill does not address issues of ownership or custodianship of information, the Commonwealth will be custodian of data in the register.
There should be no question of explicitly outlining this in the bill as well, yet the government is refusing to include it. This raises several questions about why the government does not want to clearly state that the Commonwealth is the custodian of the data. This is an important consideration in relation to access and use of this data and, given the sensitive information at hand here, Labor's amendment is essential. These amendments are crucial. I ask that the Senate properly consider the repercussions if they are not agreed to.