Senate debates

Monday, 14 August 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2016; In Committee

12:07 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Thank you, Senator Xenophon. I am glad you asked, because I'm able to give you an answer in some detail. The government is committed to ensuring that all Australians can have confidence in the security of telecommunications data irrespective of where the data is located or stored, and that is one of the most important policy values underlying this legislation.

The key risk in relation to data holdings is the extent to which they are appropriately secured. Unsecured data holdings in Australia are as vulnerable to attack or unauthorised access as data holdings held overseas. Focusing on offshoring disproportionately emphasises the risk proposed by offshoring arrangements above other types of security risks such as outsourcing arrangements, network access arrangements by persons located outside of Australia or the location of equipment. So the offshoring of data is merely one of the variety of considerations to be borne in mind in ensuring the security of data. The assessment of security risks for individual providers should be based on the full suite of risks and information available on a case-by-case basis. Australia's existing legal framework provides strong protections for information, including requirements under the Privacy Act and requirements under the data retention legislation to protect and encrypt data. Any proposal to mandate reporting of all offshoring arrangements would place a significantly greater regulatory burden on the telecommunications industry. There are approximately 280 carriers and nominated carriage service providers.

In addition to the regulatory burden on industry, assessing large datasets of baseline information would divert departmental and agency resources and focus from the more significant national security risks targeted by the reforms, including espionage, sabotage and unauthorised access and interference. This would undermine the intent of the reforms to enable greater collaboration between industry and government to identify national security risks, having regard to the particular circumstances of a provider. Where there are concerns about the extent to which an individual provider was compliant with its protection obligations, the department can use its information-gathering powers to compel the provider to provide information about the location of its data holdings, including on a retrospective basis.

The government has in any event agreed to implement all of the recommendations of the Parliamentary Joint Committee on Intelligence and Security, which includes recommendation 10, which is a recommendation that the bill specify annual reporting requirements including the number of times directions powers have been exercised, the number of industry notifications and security capability plans that have been received, regulatory performance measures, details of the government's information-sharing arrangements with industry and a summary of feedback or complaints, and which also recommended that the annual report indicate any trends or issues. And it includes recommendation 11, which will expand the scope of the review of the data retention regime commencing in 2019 to include examination of security of data that is stored outside Australia.
