Kim Carr (Victoria, Australian Labor Party, Shadow Minister Assisting the Leader for Science) Share this | Link to this | Hansard source

by leave—I move opposition amendments (1), (2), (3) and (4):

(1) Schedule 1, item 34, page 7 (after line 27), after subsection 257A(7), insert:

Personal identifiers for minors or incapable persons

  (7A) If a minor or an incapable person (the person) is required to provide one or more personal identifiers under subsection (1), the personal identifiers must be provided:

  (a) in circumstances affording reasonable privacy to the person; and

  (b) in such a manner that ensures particular care is taken to treat the person with humanity and respect for human dignity.

(2) Schedule 1, item 50, page 9 (lines 24 and 25), omit the item, substitute:

50 Subsections 261AL(5) and (6)

  Repeal the subsections, substitute:

Persons present while identification test is carried out

(5) If a person who is a minor provides a personal identifier, in accordance with a requirement under Division 13AA of this Part, by way of an identification test carried out by an authorised officer, the test must be carried out in the presence of:

  (a) a parent or guardian of the minor; or

  (b) either:

     (i) if the minor is female—2 female independent persons; or

     (ii) if the minor is male—2 male independent persons.

(6) However, if the Minister is the minor's guardian, the test must be carried out in the presence of:

  (a) if the minor is female—2 female independent persons (other than the Minister); or

  (b) if the minor is male—2 male independent persons (other than the Minister).

(3) Schedule 1, item 53, page 10 (lines 3 and 4), omit the item, substitute:

53 Subsection 261AM(4)

  Repeal the subsection, substitute:

Persons present while identification test is carried out

(4) If a person who is an incapable person provides a personal identifier, in accordance with a requirement under Division 13AA of this Part, by way of an identification test carried out by an authorised officer, the test must be carried out in the presence of:

  (a) a parent or guardian of the incapable person; or

  (b) either:

     (i) if the incapable person is female—2 female independent persons; or

     (ii) if the incapable person is male—2 male independent persons.

(4) Schedule 1, page 10 (after line 4), after item 53, insert:

53A After section 336L

  Insert:

336M Identifying information—serious data breach

Serious data breach

(1) If:

  (a) a person is the responsible person for identifying information; and

  (b) the person holds identifying information; and

(c) there is unauthorised access to, or unauthorised disclosure of, the identifying information; and

  (d) the access or disclosure is in circumstances which may result in a real risk of:

     (i) the unauthorised use of the identifying information; or

     (ii) a serious interference with the privacy of an individual;

then:

  (e) the loss is a serious data breach in relation to the identifying information; and

  (f) an individual is significantly affected by the serious data breach, if, and only if, the individual is the person to whom the identifying information relates.

Notification

(2) If a responsible person believes on reasonable grounds that there has been a serious data breach in relation to identifying information, the responsible person must, as soon as practicable after forming that belief, notify, in writing:

  (a) the individual who is significantly affected by the serious data breach; and

  (b) the Information Commissioner;

of the following:

  (c) a description of the serious data breach that the responsible person believes has occurred;

  (d) the kinds of information concerned;

(e) recommendations about the steps that the individuals should take in response to the serious data breach that the responsible person believes has occurred;

  (f) such other information (if any) specified in the regulations.

Responsible person

(3) For the purposes of this section, responsible person has the same meaning as in section 336K.

Senator Brown, on behalf of the Labor Party, made a speech on the second reading pointing out Labor's position on this legislation—namely, that the collection of personal identifiers at the border is an important part of Australia's national security procedures; it is important that we know precisely who is entering and leaving Australia at any given time; and it is important too that we confirm the identities of those who apply for and those who are given visas to live and work in Australia. Preventing identity fraud is essential. Collecting biometric data allows us to do all of these things. However, we must do so in a way that respects human dignity and the privacy of those who provide biometric identifiers.

As has been previously indicated, Labor also believes that some measures in this bill need to be amended. Our amendments which I have moved today—and I am more than happy to have them voted on as a block, because they do complement one other—are amendments responding to the concerns raised by the Parliamentary Joint Committee on Human Rights and the submissions to the Senate inquiry into the bill by the Law Council and other groups. I know the government has acknowledged the essential truth of those submissions and has moved an amendment of its own, which Labor will be supporting. However, our amendments go further.

The amendments are intended to protect the privacy and the human dignity of minors and incapable persons. They are designed to provide a clear and appropriate response to a serious breach of security in the storage of biometric data. The Migration Act does contain protections for minors and incapable persons, but the human rights committee noted that there are no specific protections in this bill. The act requires biometric data to be collected in circumstances providing reasonable privacy, excludes the presence of unnecessary persons and states that the collection must not involve more visual inspection, or the removal of more clothing, than is necessary. You would have thought they were quite reasonable propositions to put to this chamber. This bill, however, allows the minister and authorised officers to require that data be collected in a way different to that that is set out in the act. The avowed intent is to allow quick finger scans, but nonetheless the lack of specific privacy protection remains a problem, and therefore we will be seeking the support of the chamber for the amendments that we have moved.

The amendments insert specific references to 'circumstances affording reasonable privacy' and taking care 'to treat the person with humanity and respect for human dignity'. The same requirement is also extended to the collection of data from noncitizens. The amendments also specify that the collection of data from minors and incapable persons should be carried out in the presence of a parent or guardian—again, not an unreasonable request—or two independent persons of the same gender as the person providing the data. If the minister remains the minor's guardian, the requirement is for the presence of two independent persons.

Amendment (4) defines what a serious data breach is, who a person considered to be 'significantly affected' by such a breach is and what action might be taken by a responsible person in the event of such a serious breach. A serious data breach occurs when there has been unauthorised access to, or disclosure of, identifying information that may result in serious interference with the privacy of an individual. A significantly affected person is an individual to whom the identifying information relates—again, a very straightforward proposition which I believe can be reasonably expected to enjoy the support of the chamber. If a responsible person has reasonable grounds for believing that a serious breach has occurred, that person must notify in writing the affected person and the Information Commissioner as soon as is practicable. The notification must include a full description of the breach and recommendations about the steps that an individual should take in response.

Labor is confident that amending the bill as we propose would allow it to operate more effectively, with more potential to protect the rights of individuals. I commend these amendments to the chamber.

Michaelia Cash (WA, Liberal Party, Assistant Minister for Immigration and Border Protection) Share this | Link to this | Hansard source

I commence by tabling a supplementary explanatory memorandum relating to the government amendment to be moved to this bill. I will now just briefly address the amendments that have been moved by Senator Carr on behalf of the opposition. Amendment (1) on sheet 7725 will amend the new broad power to introduce a requirement that, when a minor or an incapable person is required to provide a personal identifier, it be done in circumstances affording reasonable privacy and taking particular care to treat the person with humanity and respect for human dignity. The government will not be supporting this amendment, and I will just outline to the chamber why. One of the primary aims of this bill is to facilitate the use of new and emerging biometric technologies to conduct quick and non-intrusive checks of identity in public—for example, using a hand-held device to conduct a verification check of a person at Australia's border. The requirement outlined in this particular amendment to afford reasonable privacy will actually have the effect of undermining the ability to efficiently conduct these checks at Australia's border and in other circumstances. The whole purpose of what we are doing with this bill is to ensure we conduct a very quick and a non-intrusive check of identities, most importantly, in public.

The other reason as to why the government will not be supporting this amendment is, as I have already stated in my summing-up speech, that the government itself is going to be moving an amendment in relation to this bill. The proposed government amendment will ensure that the face of the legislation makes it clear that all persons who are required to provide personal identifiers under the broad power are treated with humanity and respect for human dignity, whilst the amendment moved by Senator Carr on behalf of the opposition is limited to just minors and incapable persons. So our amendment is far broader than that put forward by the opposition.

The government will not be supporting amendment (2) on revised sheet 7725. The amendment amends the safeguards in relation to the collection of personal identifiers from minors or incapable persons under the separate power to require personal identifiers from immigration detainees. These safeguards, for those in immigration detention, are not proposed to be amended by this bill. The Migration Act will continue to provide that when collecting personal identifiers from immigration detainees who are minors or incapable persons under division 13AA a parent, guardian or independent person is required to be present. Division 13AA of the Migration Act will continue to provide that an immigration detainee can request an independent person to be present during an identification test and that the test be carried out by an authorised officer of the same sex. The government considers that these safeguards are adequate and that it is not necessary to provide for the presence of two independent persons of the same gender as the minor or incapable person.

Finally, the government will not be supporting amendment (4) on revised sheet 7725. The bill does not amend the existing legislative framework and processes regarding the use and disclosure of identifying information under the Migration Act. The government's view is that the framework is appropriate and robust, and the amendment is unnecessary. The department is committed to openness and transparency in regard to data breaches. In the event of the authorised disclosure of personal information, including personal identifiers, the department's usual practice is to consult with the Australian Privacy Commissioner in relation to the breach and comply with the recommendations of the Australian Privacy Commissioner about notifying affected individuals of the breach.

Where a breach of privacy that meets the threshold for harm has occurred, as per the Australian Privacy Commissioner's guidelines, the department reports all such breaches to the Australian Privacy Commissioner for advice and feedback and guidance where required. The threshold for harm is where that breach would pose risk of harm, personal, financial or emotional to the individual; or is of a significant nature given the volume of the data disclosed. Those are the reasons the government will not be supporting these amendments.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

As Senators Carr and Cash have done, I will speak to all the amendments and then we can vote in sequence, if that is the will of the chamber. Before we do that, I have a two-part question to Minister Cash. In the privacy impact assessment that the minister tabled the other day on the bill, there were two recommendations relating to Australian Privacy Principles 3 and 5. The first one recommends that, to ensure staff compliance with the legislative requirements under the bill, appropriate training must be provided in addition to the new policy and procedural guidelines on the collection of personal identifiers under the bill. The second relates to administrative consequences of doing that—forms being reviewed and updated, as required, to ensure that Australian Privacy Principles 5 requirements are met. Then it goes through a number of points that are relevant to that. I am seeking from the minister some detail, firstly, as to whether she, on behalf of the government, agrees that those recommendations are sound and what the government will be doing to uphold those.

Michaelia Cash (WA, Liberal Party, Assistant Minister for Immigration and Border Protection) Share this | Link to this | Hansard source

I thank Senator Ludlam for his question. I did have the opportunity to address that during the debate on Monday, but given that I was cut off I am more than happy to address it again. The assessment was completed in consultation with the Australian Information Commissioner and I, therefore, tabled a copy of the statement, which you now have. The privacy impact assessment, you are correct, makes two recommendations in relation to Australian Privacy Principles 3 and 5.

In relation to Australian Privacy Principle 3, it is recommended that the department ensure that its officers are fully trained in using the new provisions under the bill. For Australian Privacy Principle 5, it is recommended that that department updates its relevant public notices in relation to identifying information and privacy and that signs are installed at airports where verification checks are being conducted. These signs will say that the checks are being conducted and that personal identifiers being collected will not be retained by the department. I am also advised by the department that these recommendations will be implemented shortly after the bill becomes law.

In relation to the training, I can provide you with advice that the Australian Border Force Act sets out that the Australian Border Force Commissioner can prescribe rules governing the conduct of Australian Border Force officers, including a strict integrity regime. The Australian Border Force college, the facility training Australian border force officers, has a number of arrangements and partnerships in place with government agencies and commercial partners for the provision of specialist training and facilities.

With regard to biometrics training, if I could just refer you to the undertaking that I have given to Senator Xenophon—and I am happy to go through that again during my summing-up speech—a report will be provided 12 months after the commencement of this particular piece of legislation and within 18 months. As part of this review, the department will look into the training that is being provided to officers and whether or not enhancements are required.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I thank the minister for that additional information. I take it that that report, that 12-month review, would either be tabled in here or published.

Michaelia Cash (WA, Liberal Party, Assistant Minister for Immigration and Border Protection) Share this | Link to this | Hansard source

Yes, I have said it will be tabled in the parliament.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I thank the minister. I will just quickly provide some comments on the three opposition amendments that Senator Carr has moved together and the government amendment. The Australian Greens will be supporting all four.

I think the government amendment in part goes some way towards upholding the principle and the spirit of some of the comments that were made by senators during the committee review process into the bill and some of the witnesses who spoke out quite strongly against some of the clauses in the bill. Nonetheless, we do not think that it goes far enough,

In fact I think the opposition amendment is more specific, probably has more teeth and will be more effective in terms of who is present when identification tests are being conducted on minors or incapable persons. I want to acknowledge and thank Senator Carr on behalf of the opposition for bringing those amendments forward. I think they are very worthy. They obviously do not go very far in satisfying the Greens' concerns about the bill which were echoed by many submitters as we expressed during the second reading debate.

I want to draw attention to the fourth opposition amendment around mandatory data breach notification—if anything, this is probably the most significant of the amendments that the opposition has brought forward. The idea that if agencies with considerable power over very, very highly personalised and intimate information, including this biometric data, lose control of it, they are not under any obligation at all to inform the people whose privacy has been breached that that has happened. This is not an abstract or hypothetical concern, given that the department in its former incarnation let slip personal identifiers of nearly 10,000 asylum seekers—people fleeing violent regimes in the region and in our part of the world—for whom the consequences were not merely inconvenient but potentially life threatening. This is a department that does not have excellent form as I identified in my second reading contribution.

Mandatory data breach notification exists in many—not quite all—similar jurisdictions to ours with three basic principles: you collect the minimum data that you require; you protect it with systems of robustness and integrity; and, if those protection mechanisms fail, you have an obligation to the people whose privacy has been violated—or potentially their safety—to let them know so that they can take countermeasures or at least be aware of what is going on.

We are strongly in support of the fourth opposition amendment on the running sheet and, were Senator Singh here, through you, Mr Chair, I would encourage her to bring forward mandatory data breach notification—and I believe she still has a private senator's bill on the Notice Paperso that these mandatory data breach provisions do not simply apply narrowly to Border Force's operations but in fact to any entity of the Commonwealth that is holding people's private information in trust. I am very happy to commend all of these amendments to the chamber.

The CHAIRMAN: The question is that opposition amendments (1) to (4) on sheet 7725 revised be agreed to.

Michaelia Cash (WA, Liberal Party, Assistant Minister for Immigration and Border Protection) Share this | Link to this | Hansard source

I move government amendment (1) on sheet GN118:

(1) Schedule 1, item 45, page 9 (lines 13 to 15), omit the item, substitute:

45 Section 258F

  Repeal the section, substitute:

258F Person must not be required to provide personal identifiers in a cruel, inhuman or degrading way etc.

     For the purposes of this Act, a requirement to provide a personal identifier, or the provision of a personal identifier, in a particular way under section 257A is not of itself taken:

  (a) to be cruel, inhuman or degrading; or

  (b) to be a failure to treat a person with humanity and with respect for human dignity.

However, nothing in this Act authorises the Minister or an officer to require a person to provide a personal identifier under section 257A in a cruel, inhuman or degrading way, or in a way that fails to treat the person with humanity and with respect for human dignity.

The Senate Legal and Constitutional Affairs Legislation Committee reported on the bill on 5 June 2015, and I thank the committee for their consideration of the bill and their report. The committee recommended that consideration be given to ensuring that the protections in line with those found in sections 258E and 258F of the Migration Act apply to any means of collecting personal identifiers under the proposed broad power contained in the bill. In response to that recommendation I move an amendment to schedule 1 item 45 of the bill. That amendment will omit the current section 258F and substitute for it the proposed wording extending the protections found in that section to any means of collecting personal identifiers under the proposed broad power. The amendment will affirm an individual's right to physical integrity and freedom from cruel, inhuman or degrading treatment and ensure that personal identifiers are collected with respect for human dignity. Through the bill the government seeks to strengthen the Department of Immigration and Border Protection's powers to collect personal identifiers for the purposes of the Migration Act and migration regulations. These measures in the bill affirm the government's commitment to border protection, and I commend the amendment to the Senate.

Question agreed to.

Bill, as amended, agreed to.

Bill reported with an amendment; report adopted.