Senate debates

Monday, 13 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; In Committee

12:54 pm

Scott Ludlam (WA, Australian Greens)

by leave—I move together amendments (1) to (3) on sheet 8053 revised:

(1) Schedule 1, item 3, page 4 (line 1), omit "is likely to result in serious", substitute "results in".

[significant data breach]

(2) Schedule 1, item 3, page 6 (lines 25 to 28), omit subparagraph 26WE(2) (a) (ii), substitute:

  (ii) a reasonable person would conclude that the access or disclosure:

(A) would be likely to result in harm to any of the individuals to whom the information relates; or

(B) is a significant data breach; or

[significant data breach]

(3) Schedule 1, item 3, page 6 (lines 32 to 36), omit subparagraph 26WE(2) (b) (ii), substitute:

  (ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure:

(A) would be likely to result in harm to any of the individuals to whom the information relates; or

(B) is a significant data breach;

[significant data breach]

I will explain the nature of the revision because there will be earlier copies of this sheet floating around the chamber. These amendments go to the issues I foreshadowed in my speech during the second reading debate. How serious should the breach have to be before you have to disclose it to the people at risk? This relates to the amendment the chamber has just disposed of relating to how long people should be given to think about whether they are caught by this act or not.

The threshold has shifted around a little bit since the 2013 bill and the exposure draft that informed this bill. The issue to me is crucial. It defines whether the bill works as intended. If the threshold is set too high then almost nothing will get reported and we can pat our backs and say that we all worked here in a very cross-partisan way to improve the law, but in real life almost nothing will have changed because these breaches can still occur and people will not be notified. If the threshold is set too low then you risk what some submitters have identified as notification fatigue. If you get emailed by your bank every couple of days that something might have happened then eventually you will start ignoring those messages.

The Australian Privacy Foundation's very detailed submission goes into this issue at length. What they have said really is that the term 'serious' is a big part of the problem. They have said:

In practical terms what is the difference between harm and serious harm?

I think, Mr Temporary Chair Bernardi, when you made a contribution earlier you alluded to this issue as well. There is confusion about whether you have obligations under this act or not. The Privacy Foundation continued:

The intent of this distinction seems to raise the threshold for reporting. What it is more likely to do is to create confusion as to where the threshold lies. Vaguely drafted and ambiguous terms such as this invariably reduce the effectiveness of the operative provisions when enacted.

We do not want to pass this bill into law if the threshold is set so high that people will be given their 30 days and will decide that serious harm has not been done. These amendments effectively amend two different parts of the bill to say that if the disclosure 'would be likely to result in harm to any of the individuals to whom the information relates or is a significant data breach' then you are caught, then you report, then you disclose, then you notify. That should really cut down on some of the red tape that Senator Bernardi was referring to. It should cut down on the need for 30 days. The assumption is one of disclosure, and we think that is entirely appropriate.
