Stirling Griff (SA, Nick Xenophon Team) Share this | Hansard source

I am very pleased to see the government has kept its promise to introduce the Privacy Amendment (Notifiable Data Breaches) Bill 2016 which will enforce mandatory data breach notifications for organisations that inadvertently lose or release sensitive consumer data. Senators will recall that during last year's debate on the national cancer-screening register bills we moved an amendment and sought a commitment from the government to strengthen privacy laws as recommended by the Australian Law Reform Commission some eight years ago. Since that time there have been three different data breach models proposed.

This bill currently before us is an important piece of legislation because, in contrast to previous incarnations and the existing voluntary notification scheme, it finally obliges organisations to report potentially harmful data breaches, which is very much an area where Australian privacy laws have fallen well behind. It will ensure the public are notified should there be a breach of personal information, such as that contained in the cancer-screening records managed by Telstra or indeed any other entities subject to and regulated by the Privacy Act.

As we have recently seen with the inadvertent release of passwords and other personal information at organisations as diverse as Yahoo!, the Red Cross Blood Service and Telstra itself in 2011 and again in 2012 and 2013, we cannot assume that electronic data will always be kept safe. As more and more of our personal data is stored online, we also become more susceptible to the risks of identity theft. Whether it is through phishing, hacking, remote access scams, malware and ransomware or document theft, identity theft has become an extremely sophisticated and lucrative business worth upwards of a staggering $1.6 billion per year in Australia alone.

According to the Australian Federal Police, identity crime is also a key enabler of serious and organised crime, costing Australia around $15 billion annually. According to cyber experts, the 2016 Red Cross Blood Service data breach—which, by the way, was Australia's largest security breach—was a perfect example of how the personal data of some 550,000 Australians could potentially have been used for identity theft if it had fallen into the wrong hands and been sold on the underground black market. The data disclosed included personal details and identifying information, including names, gender, addresses and dates of birth—all material that could be easily used to falsify a person's identity to access bank accounts and to obtain loans, credit cards, phone contracts and even government benefits. Luckily, this data breach was well managed by the Red Cross and these potential risks were mitigated.

The proliferation of online personal data storage by public and private entities alike has made it absolutely necessary to ensure that, whenever unauthorised events happen, affected members of the public are informed in a timely manner so that they are aware that their private data has been compromised and are in a position to act as soon as possible and hopefully before any damage is done. It will very much be a comfort for the public to know that the corporations and agencies that are entrusted with their personal data must from now on act with more accountability and transparency in the event of a privacy breach. With these few words, the Nick Xenophon Team supports this bill.