Senate debates

Monday, 13 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; In Committee

12:45 pm

Scott Ludlam (WA, Australian Greens)

That being the case, I move, on behalf of the Australian Greens, amendment (1) on sheet 8055:

(1) Schedule 1, item 3, page 11 (line 19), omit "30 days", substitute "3 days".

This amendment relates to how long entities that are caught by this bill have to notify people that their interests might have been compromised. I quoted from item 80 in the explanatory memorandum a little earlier and pointed out data that was presented there—and I presume that 'the last 12 months' represents 2016 or 2015-16—that shows:

… the average number of days between a data breach and an individual being notified of the breach was 405 days …

So the primary intention of this bill is to bring that notification period way down.

It goes on:

… whereas the average time between a data breach and the misuse of compromised information was 72 hours—

three days. Why has the government set 30 days, which, as its own explanatory memorandum acknowledges, is 10 times longer than the average time between a breach and the misuse of compromised information?
