Senate debates

Thursday, 16 August 2007

Privacy (Data Security Breach Notification) Amendment Bill 2007

Second Reading

10:38 am

Natasha Stott Despoja (SA, Australian Democrats)

I move:

That this bill be now read a second time.

I seek leave to table an explanatory memorandum and to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

The Privacy (Data Security Breach Notification) Amendment Bill 2007 marks an important reform to the Commonwealth Privacy Act 1988 by introducing a requirement that organisations and agencies notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes.

As it stands, the Privacy Act 1988 does not currently have a specific requirement that compels agencies and organisations to notify affected individuals where there has been a data security breach.

In an article this year titled ‘A sensitive issue’, the Sydney Morning Herald reported the results of research conducted by the IT Policy Compliance Group which show that more than two-thirds of Australian organisations experience six losses of sensitive data each year. Further, the report states one in five organisations loses sensitive data 22 or more times a year. These breaches reportedly include customer, financial, corporate employee and IT security data which is stolen, leaked or inappropriately destroyed.

In May 2006, an Australian Computer Crime and Security Survey reported that in Australia the average annual losses from electronic attacks, computer crime, and computer access misuse or abuse rose 63% over 12 months, reaching AUD$241,150 per organisation in 2006.

Requiring agencies and organisations to implement an effective data security breach notification scheme is essential for private sector agencies and Commonwealth Government organisations to fulfil their fair information handling responsibilities towards the persons who entrust such bodies with their personal and often delicate information.

It is now imperative that agencies and organisations tell Australians where things have, or are suspected of having, gone wrong in regards to individuals’ personal information, to reduce the risk to individuals of possible identity theft and enable individuals to mitigate any other adverse impacts.

In Australia we have clear evidence of just how much of an impact lax or inadequate data security measures around personal information can have on individuals. To illustrate, I will refer to two recent examples of what is estimated to be thousands of cases.

The first incident concerns the loss of a CD containing the report into the death of Private Jake Kovko at Melbourne airport, where it was found and handed to broadcaster Derryn Hinch. This incident had consequences for Private Kovko’s family, the image and reputation of the defence force, and the individual staff member involved.

The second incident occurred in April where, because of a technical stuff-up on reality show Big Brother’s website, the personal details of fans who signed up for its special features were exposed. Behind Big Brother revealed the official site was not using encryption technology on its credit card sign-up page, exposing users to having their sensitive financial details intercepted.

It is also worth remembering that such breaches are occurring at a time where the Government is considering several proposals to rationalise, centralise and streamline many government services and databases, including the billion dollar Access Card project. This activity is creating several databases that contain delicate personal information which is a target for criminals in particular identity theft-related crimes. Such large databases also have the potential to magnify the data breaches and harm which can be suffered by individuals where there are security breaches.

This Bill will require agencies and organisations to give individuals early warning when their personal information is compromised.

The proposed Bill is partly based on several data security breach notification schemes already operating successfully in the United States. Beginning with California in 2002, at least 36 states have enacted laws which require certain agencies that experience a data breach to notify individuals whose personal information was lost or stolen.

The proposed Bill is also partly a response to activity by various Privacy Commissioners in Australia and Canada. The Victorian, Ontario, and British Columbia Privacy Commissioners have all issued guidelines for security breach notification schemes. The Australian Federal Privacy Commissioner in her latest submission to the Australian Law Reform Commission in April this year has also stated that she supports the notion of public reporting or notification of security breaches, in certain circumstances, whether it is in relation to personal credit information or personal information in general.

The Bill defines a breach of data security as an interference with privacy in accordance with section 13 of the Privacy Act. Specifically, a data security breach will be incorporated into this section. Any unauthorised acquisition, transmission, use or disclosure of personal information involving an unauthorised party will constitute a data security breach and potentially be an interference with an individual’s privacy.

The question of who is an unauthorised party has been answered in this Bill. There are two types of unauthorised parties: the first type involves a person, agency or organisation that is not employed by an agency or organisation subject to the Privacy Act.

The second type of unauthorised party has two limbs. The first limb applies to an employee of the agency or organisation who exceeds his or her authority to access personal information. In such instances that employee will be considered an unauthorised party.

The second limb will apply to employees who use information for purposes unrelated to their professional duties, or outside the scope of authorised use under the privacy principles.

The Democrats have designed the definition of unauthorised party so as not to take into account the legitimate and lawful actions of employees, agencies and organisations involving individuals’ personal information.

The mechanism for the notification to a person of a breach of their data security is contained in clause 13AB of the Bill.

It is a requirement that an agency or organisation that holds personal information notify any person, in accordance with subsections (2) and (3), when there has been a confirmed or reasonably suspected breach of data security involving that person’s personal information following the discovery of the breach.

The Bill recognises that “time is of the essence” and requires organisations to notify persons affected by a confirmed or suspected data security breach promptly and without unnecessary delay. It is important that there be a written record of the notification and that the individual bears no cost related to the notification.

The Bill also emphasises that agencies and organisations must cooperate with persons affected by a data security breach. The Democrats recognise that agencies and organisations are in a unique position to assist individuals in the aftermath of a data security breach and to alleviate any potential harm which may be experienced by an individual.

To avoid any doubt that agencies and organisations must assist individuals in the event of an actual or suspected data breach, the Bill contains several provisions which guide agencies and organisations as to what information they should provide to affected individuals.

Agencies and organisations will have to provide copies of the information disclosed or suspected of having been disclosed, and advise persons of known or likely recipients of the information, any action taken by the agency or organisation to recover or attempt to recover the information disclosed, and any measures taken to prevent a re-occurrence of the breach.

This Bill seeks to balance the economic interests of agencies and organisations in needing personal information with the responsibilities that come with the fair handling of individuals’ personal information, not least of which is keeping the information secure.

In 2004, the then Minister for Justice and Customs Senator Chris Ellison released an Identity Kit aimed at assisting Australians with identity theft. In the introduction to that kit Senator Ellison stated:

“An individual’s identity is a personal part of who they are. Having their identity stolen can have a devastating effect, both emotionally and financially. Victims can often spend years and thousands of dollars trying to restore their good names.”

Information security has always been an essential element of Australia’s Federal and State information privacy laws. It is one of the core privacy principles of fair information handling practices: organisations that collect, hold and share personal information must take reasonable steps to protect personal information against unauthorised access, use, disclosure, modification or destruction.

The Bill will remedy existing privacy legislation which does not give individuals enough control over their personal information in instances of data security breaches. In order to protect brand, reputation, and trust, there are too many instances of agencies and organisations erring on the side of secrecy and cover-ups rather than openness and transparency.

My Bill changes this. It will also bring the Privacy Act into line with current community beliefs. A 2004 survey commissioned by the Office of the Federal Privacy Commissioner found that 94% of people would consider a business that they did not know having access to their personal information an invasion of privacy, and 93% believed that it would be an invasion of privacy for information that they supplied to a business for a specific purpose to be used for another purpose.

The Data Security Breach Notification Bill represents a significant step towards strengthening privacy laws, helping to minimise the risk of identity theft and to improve agencies’ and organisations’ overall compliance with Federal privacy principles.

I thank Brent Carey for his assistance in the preparation of this legislation. I commend this bill to the Senate.

I seek leave to continue my remarks later.

Leave granted; debate adjourned.