Senate debates

Monday, 13 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; Second Reading

11:07 am

Penny Wong (SA, Australian Labor Party, Leader of the Opposition in the Senate)

I rise to speak on the Privacy Amendment (Notifiable Data Breaches) Bill 2016 on behalf of the opposition. The opposition will be supporting this legislation. We welcome this bill which has been much delayed in its introduction by this government. We support the bill because it is actually a Labor bill. It is nearly identical to a bill that passed the House with bipartisan support some four years ago, but which lapsed at the election in 2013. It has taken this government that long to re-introduce this bill. Really, it ought to have been one of the first things on the Attorney-General's agenda, but, as we know, he has been distracted with a few other things.

Let me outline why this bill is important and why we thought fit to introduce it four years ago. As it stands, an individual's personal data can be breached by a government agency, a bank or an online store and there be no requirement that the individual be notified so that they can change their passwords or take other measures to protect themselves. A person might be told tomorrow that their data was hacked four years ago, and that organisation would face no consequences for its failure to notify them at the time. This is the situation that this government and this Attorney-General has let linger thanks to an inexplicable inertia on this important issue.

Let us have a look, briefly, at the history. In 2013, Mr Dreyfus, the then Attorney-General, introduced the Privacy Amendment (Privacy Alerts) Bill. That bill, like this one, made it mandatory for regulated entities under the Privacy Act to alert consumers when their personal data had been breached, whether through accident or malice.

The 2013 bill followed an extensive report by the Australian Law Reform Commission in 2008 which recommended that the Privacy Act be amended to provide as follows:

An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

And a failure to notify would result in a civil penalty. The Australian Law Reform Commission went on to clarify that 'specified personal information' should include personal information as well as sensitive personal information—for instance, a unique identifier that links someone's Medicare number to their name and address.

After extensive consultation, Labor responded to that recommendation with the privacy alerts bill, which was introduced on 29 May 2013. That bill had bipartisan support and passed the House of Representatives, but, sadly, lapsed at the election in 2013 before it could pass in this place. We have all been waiting for this government to do something about this. We waited patiently, but the government was far more interested in picking partisan fights than passing sensible law with bipartisan support. In particular, one would have to say, the Abbott government would have had to be one of the least constructive governments in Australia's recent history.

With the total absence of action from the Abbott government, the opposition introduced a private senator's bill in 2014 to the same effect as the 2013 bill. That lapsed at the hastily organised 2016 election. The best we got from the Abbott-Turnbull government in the 43rd Parliament was a fig leaf of an exposure draft which was released in 2015 but progressed nowhere. That came after a recommendation of the Parliamentary Joint Committee on Intelligence and Security on mandatory retention of metadata to the effect that a mandatory data breach notification scheme be introduced by the end of 2015. That was agreed by the government in its response to the committee's recommendation. Yet, here we are in 2017 and we have only just got this bill in the Senate. Given that history, we on this side of the chamber do find it somewhat baffling as to why the government has been so tardy in bringing this bill forward—four years to introduce a simple, straightforward bill that has bipartisan support.

Many Australians would be shocked to learn that it is not already mandatory for agencies or companies to notify them when their personal data has been breached. If consumers are not informed that their personal data has been breached for months or even years after the fact, it certainly removes any capacity to take remedial action. Significant loss of funds and identity theft cannot be easily avoided. Those affected cannot change their credit card details and they cannot keep a watch for suspicious activity. They are powerless, in effect, because they are not aware. That is not unacceptable.

While the government has waited and delayed, the situation has worsened. A prime example is the Catch of the Day case, where the personal data of some or all of its two million customers was hacked and stolen in 2011 but the customers were not told until 2014. This, quite rightly, caused outrage. Moreover, the company did not even report the hack to the Australian Federal Police when it happened but waited three years. This bill is designed to prevent exactly this kind of situation. Corporations, or public service departments, ought not be allowed to delay reporting of a serious breach of personal data simply because of the fear of the damage it might cause to their reputation. They should disclose to affected customers as soon as the breach is known, regardless of any embarrassment to them. Australians are entitled to know so that they can act to protect themselves.

Section 26WA of the bill sets out the threshold test for the eligible data breach. It provides that such a breach happens if it is 'likely to result in serious harm'. In contrast, the threshold test in the Privacy Amendment (Privacy Alerts) Bill 2013 was 'real risk of serious harm'. The test 'likely to result in serious harm' could be seen as a slightly higher threshold than the previous bill, particularly when combined with the list of relevant matters for consideration to help guide whether harm is likely or unlikely.

The Australian Law Reform Commission report For your information: Australian privacy law and practice noted that in international law the terms 'likelihood' and 'real risk' are similar and related. The term 'a real risk of serious harm' has been defined to mean a reasonable degree of likelihood, real and substantial danger, and a real and substantial risk. The law council, in their submission on the exposure draft of the bill, expressed concern that the 'real risk' test, as drafted, was unclear. They view the 2016 bill as an improvement on the exposure draft version of the bill. The new test responds to stakeholder concerns about the practicality of determining what degree of probability and what kind of harm would be captured in the phrase 'real risk of serious harm'. It will provide greater certainty for regulated entities to be able to comply with their obligations.

I want to turn now, briefly, to the handling of personal data. The protections for consumers contained in this bill become even more vital with the worrying trend of this government to outsource the handling of personal data from the public to the private sector. This includes the proposed sell-off of the corporate registry of ASIC, which holds critical information on more than two million companies in Australia. It holds the names of directors, companies, company names and corporate histories. It is a key resource for journalists and members of the public who wish to find out more about Australian companies. Business owners, for example, are required to lodge a lot of detail with ASIC, not all of which is made public, which undoubtedly they would not want to fall into the wrong hands.

In the midst of the election last year we heard that the Turnbull government intended to award the contract for managing sensitive medical records to Telstra, which will be in charge of the new national cancer screening registry from next year. The contract, estimated to be worth $180 million over three years, will be the first time such sensitive data is in corporate hands. Telstra does not have an entirely spotless history in terms of taking care of its customers' data and has had a number of breaches considered by the Office of the Australian Information Commissioner. In 2014, Telstra was fined for exposing the personal data of nearly 16,000 customers online. The Australian, in March 2014, stated:

The finding is the latest stain on Telstra's lax privacy record. In 2012 the telco received a similar warning from the Privacy Commissioner for publishing the personal information of more than 730,000 customers online. It also received warnings for breaches of customer data in 2010 when a mailing list error resulted in about 220,000 letters with incorrect addresses being mailed out.

In an era such as this, when personal health data is being handed over to a large corporate entity which has, demonstrably, a patchy privacy record, the passage of this bill is more important than ever.

Then we have the proposed privatisation of the Medicare data system, which the government pledges is no longer going ahead. But one wonders whether it will keep to that promise. If it did go ahead it would be possibly the largest transfer of personal health and financial data from public to private hands ever undertaken by an Australian government. It is vitally important that the protections contained in this bill are in place before that happens, if it does.

The passage of this bill also matters because of the singular botching of another bill to do with the protection of privacy and data that is yet to be debated in this place, the Privacy Amendment Data (Re-identification Offence) Bill 2016. Labor proposes to vote against that bill because it is a bad law which does not seek to protect Australians from having their personal privacy compromised; rather, it aims to cover up embarrassing mistakes by government agencies. It was hastily drafted, and regrettably—again—this government has refused to negotiate in order to find a compromise position. Luckily, given the excessively long lead time, that has not occurred with the bill we are currently debating.

The delay of this bill concerning data breach notifications is, one could surmise, symptomatic of a broader problem with this Attorney-General. There are a whole range of essential tasks—filling vacant judge positions, visiting community legal centres and complying with the FOI Act—which he seems not to be engaged in, but he is very intent on pursuing ideological frolics like the destruction of section 18C of the RDA. As I said, it really is inexplicable that this minister and this government have taken some four years to bring forward a bill that has bipartisan support and that Australians and privacy advocates have been seeking for some time.

Concerns about privacy in the digital era will surely grow in coming years, and it is important that Australians have faith that the government and the parliament are responding in an appropriate way. Considering the comprehensive mess this government made of the 2016 census and associated concerns with the safety of data provided to the government, there is a risk that Australians are losing faith in this government's ability to handle their sensitive data. If Australians are to hand over their most sensitive personal information, they must have faith that it will be properly and responsibly handled. If Australians lose that faith then our ability as a government—whoever is in government—to collect the important data which is needed to run good policy is at risk. So passing this law is an important step that will demonstrate to Australians that the parliament recognises their legitimate concerns about the safety of their data and will compel those organisations who handle it to be more mindful.

As I said, we regret that the government has taken so long to act in relation to this legislation but we are glad that it finally has. I commend the bill to the Senate.

11:19 am

Scott Ludlam (WA, Australian Greens)

It will not come as a surprise to any in here that the Australian Greens also support the Privacy Amendment (Notifiable Data Breaches) Bill 2016. I think Senator Wong has given a good wrap-up of why the bill has such widespread support in this parliament. The basic principle is so sound that it will probably come as a shock to people to realise that these protections are not already enshrined in law in Australia—the fact that if you hold private information on people and you lose it you should be obliged to let people know so that they can do something about it. That is the principle that is at stake here. At the moment—and I will go through a couple of examples in a second—if the control of information that we hand over to government agencies, private companies and other entities, which records our lives in extraordinary detail, is lost, these entities are under no obligation whatsoever to report it so that we can take remedial action. That information could be credit card records, it could be your medical history, it could be your political views and affiliations, it could be your credit worthiness—anything at all. There have been some extraordinary examples, which I will go through.

I also find it immensely curious that the Australian government has not seen fit in more than three years—in fact, I think it is four years now—to proceed with this measure when the committee that it dominates, the Parliamentary Joint Committee on Intelligence and Security, in the wake of the disastrous debate on mandatory data retention, said that this is something that should happen. Senator Brandis at the time agreed with that, and nothing has been done.

In terms of what is at stake here, this is not a trivial matter. There are trivial examples, if you want to find them. The Australian immigration department, a couple of years ago, accidentally published personal details of world leaders by mistake—so this stuff can affect anybody at all. Much more seriously, they accidentally disclosed thousands of records of people imprisoned in our immigration detention system. These are people who have fled violent and, in many cases, authoritarian regimes and who have then had their private personal details published by the department that is charged with protecting their interests. This can affect anybody at all.

To go through some of the history briefly, in 2008 the Australian Law Reform Commission published a report, which was the first time, as far as I am aware—certainly the first time in my experience in this place—that that organisation had proposed a mandatory data breach notification scheme. As Senator Wong identified, in 2013 there was a bill that was up for debate—it was on the Notice Paper in this place—that lapsed after the election. Senator Singh, I believe it was, introduced a private senator's bill to the same effect the following year, and of course during 2013 and 2014 we had the debate in here on mandatory data retention.

The general principle, I would have thought, of reducing the risk of these kinds of disclosures in the first place is, firstly, do not collect more information than you need. That is one of the Australian privacy principles enshrined in legislation: do not collect anything more than you need. Secondly, make sure it is securely protected and encrypted and, thirdly, if you do lose control of it, notify the people whose interests may have been harmed. Those are the three key principles: do not collect it, protect what you do collect and let people know if you have some kind of failure.

In the data retention debate, the government was obviously running directly in opposition to the first and, I would argue, most important principle, forcing telecommunications providers to collect vastly more information than they needed for their business records or the integrity of their networks. They were doing it for what we were originally told was only going to be the most serious national security and terrorism offences, but obviously the way the debate has swung now means we may see this material deployed in civil cases, family law disputes, copyright disputes—that kind of stuff. So this enormous pool of data that is basically worthless to everybody—certainly the telecommunications providers did not want to have to collect it—is being collected. So you have violated the first privacy principle. What happens when agencies or corporations lose control of this material that is being collected?

In 2008 the Law Reform Commission said people should be protected from this kind of disclosure. In 2013 the government introduced a bill. In 2014 a private senator's bill was introduced. In 2014 the Parliamentary Joint Committee on Intelligence and Security said it was about time this was done, particularly if we were going ahead with data retention, and nothing happened. Nothing was done.

Let's just trip down memory lane. iTnews put together the biggest Australian data breaches of 2015. On 1 October, Kmart revealed it had discovered customers' data had been stolen by external attackers. David Jones disclosed that attackers had exploited a vulnerability in their WebSphere-based website to pinch the sensitive personal details of their customers. Aussie Farmers Direct, a little bit later in October, found that it had fallen victim to an attack, according to iTnews, in which the personal details of more than 5,000 of its customers were posted online. In Aussietravelcover's breach, one of the first of 2015, 870,000 records were posted online by a teenage hacker. In one of the more notorious ones, 37 million customer profiles were ripped and posted from the infidelity website Ashley Madison. The US Office of Personnel Management fell for this. Hacking Team is one of the funnier examples, I guess. This is a company that provides offensive IT to governments undertaking dodgy activities. It found itself on the other side of the line when hackers pulled its pants down and disclosed all kinds of information about what Hacking Team was up to. VTech, TalkTalk, Experian—the list is enormous.

Those come just from 2015, and all of those examples happened since this parliament was made broadly aware, and the government has certainly known, that there is cross-party support—government, opposition and crossbench—for precisely the legislation that we are dealing with today. On 2 February last year I actually put a question to the minister, asking, 'Where is it?' A year later, we get around to it. It is really extraordinary.

The issues that I am going to invite the minister to respond to, if he cares to do so in his closing speech or if and when we go into committee, are issues that were raised during the inquiry into the exposure draft that the minister put forward in 2016. The main issues that we are concerned about relate to who the bill applies to. For example, the Privacy Act, which this bill amends, does not apply to small businesses operating on a turnover of less than $3 million. We think that is highly problematic. The threshold determining who this bill applies to should not have anything to do with turnover. It should have regard to how much material those entities are holding. Really, their turnover is irrelevant. There are companies and entities such as researchers operating under much smaller turnovers than that who are still amassing large amounts of private information. So that is one issue that I hope the minister will address.

So is the fact that enforcement agencies will be able to give themselves a free pass. Enforcement agencies such as the police or investigatory agencies can decide themselves, if they suffer a data breach, whether or not to disclose it. We think at the very minimum there should be some kind of reporting obligation so that we know if that is occurring. Some of the submitters to the inquiry suggested that the Ombudsman should play a role.

The third exemption from the Privacy Act, which should affect us all and give us cause to have a serious think, is political parties. They are collecting large amounts of private information on people in the electorate. Even after this bill is passed, they will still have no obligation to disclose any data breaches. We think that that is wrong.

The second issue is the test of seriousness. If you are a company or a government department who realises that a breach has occurred and you are trying to decide whether or not you fall within the ambit of this bill, you will need to pass the 'serious harm' test. This is an issue Senator Wong addressed briefly, but it was an issue that was hashed out by those who made submissions to the inquiry into the bill. We support the view of the Australian Privacy Foundation, who made a very detailed submission on the bill, that the threshold for requiring notification should be based on either of the following conditions being satisfied: a real risk of harm—without qualifying it according to the seriousness of the risk—or a significant breach, whether or not a real risk of harm has arisen.

That will lead us to the third issue that we believe has not been addressed yet: the fact that, if we simplify the test such that the entity does not have to assess whether or not there is a serious risk of harm but whether it is a significant breach or whether there is a real risk of harm, it should not take 30 days to undertake the test. I will read briefly from what is buried in the government's own explanatory memorandum, at clause 80. It says:

Under the voluntary system—

in other words, the system that we have at the moment—

the notification of individuals can be delayed for years, as discussed above. Such a failure to notify an affected individual of a data breach in a timely manner increases the potential cost of the data breach on the individual. For example, a delay in notification increases the risk of an affected individual becoming a victim of an identity crime such as identity theft, as they may be unaware of the need to take action to mitigate the detrimental consequences of the data breach. Summary statistics for the last 12 months presented in IDCARE's submission to the 2015-16 consultation indicated that the average number of days between a data breach and an individual being notified of the breach was 405 days, whereas the average time between a data breach and the misuse of compromised information was 72 hours.

So we have a voluntary system where there is no time threshold at all; people can choose to tell you or not, and it is really up to the company or the department. The average number of days between a breach and an individual being notified was 405 days. The bill, as we read it, would reduce that to a mandatory 30 days. The explanatory memorandum says the average time between a data breach and a misuse of compromised information is 72 hours. My question to the government is: what possible justification do you have for leaving people hanging out for that additional 27 days? Twenty-seven days—or 30 days, as the government has it in the bill at the moment—is an extraordinarily long period of time for material to be abused. If somebody loses control of my credit card information, I do not want legislation that does not force them to disclose that to me for a month, because a lot of harm can be done in a month.

These are the issues that we would like government to address before we put this bill to a vote. Other than that, I look forward to the bill passing into law—it is an essential piece of privacy legislation. As no doubt other speakers will point out, it is long overdue. In fact, we think it has been weakened in some important ways from the original conception proposed by the Australian Law Reform Commission all the way back in 2008. It is time that this bill was put to a vote, but we hope that the Senate will give regard to some of the issues that we have raised on the way through. I now move the second reading amendment standing in my name:

At the end of the motion, add:

", but calls on the Government to extend the Privacy Act 1988 to include political parties and businesses with an annual turnover under $3m, as such organisations have considerable holdings.".

11:32 am

Catryna Bilyk (Tasmania, Australian Labor Party)

The bill before the Senate today—the Privacy Amendment (Notifiable Data Breaches) Bill—amends the Privacy Act to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the act. The bill requires agencies and organisations regulated by the Privacy Act to provide notice to the Australian Information Commissioner and affected individuals of an 'eligible data breach'. An eligible data breach is one where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. Failure to comply with an obligation included in the bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the commissioner's existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. Entities that are already exempt from the requirements of the Privacy Act, such as intelligence agencies and small businesses, will not be subject to the requirements of this bill, and law enforcement agencies will not be required to notify affected individuals if it is likely to prejudice law enforcement activities.

This bill was introduced to the parliament in October last year—that is more than three years since Labor, in government, introduced a bill to provide for a mandatory data breach notification scheme. That is three years of those opposite dragging their feet while thousands of Australians have been victims of data breaches. In those three years, Labor has consistently called on those opposite to establish a mandatory data breach notification scheme. The introduction of Labor's bill—the Privacy Amendment (Privacy Alerts) Bill—followed lengthy consultation with industry. It was endorsed by a Senate committee and passed the House of Representatives with the support of those opposite, but lapsed with the dissolution of parliament for the 2013 election. In 2014, in opposition, we introduced a private senator's bill which was almost identical to our government bill. In 2015, we made the introduction of the notification scheme a condition of our support for the government's data retention laws. The government undertook to have the scheme introduced by the end of that year.

The bipartisan Parliamentary Joint Committee on Intelligence and Security had recommended in 2013 that, if the government was to pursue any data retention regime, the legislation should include a mandatory data breach notification scheme. In fact, Senator Brandis—the minister now responsible for carriage of this legislation—was a member of the committee at the time. In 2015, the same committee insisted that the government implement mandatory data breach notification legislation by the end of that year. Having missed that deadline, the measure was then thwarted by Mr Turnbull's political stunt of proroguing parliament and calling an early double-dissolution election. After years of dragging their feet, this government has finally caught up with Labor on this issue. All I can say about that is: it is about time.

This is not a particularly controversial measure, so why has it taken this government so long to follow Labor's lead? All they had to do was pick up the legislation that we put to parliament in 2013 or the private senator's bill that we put to Parliament in 2014. In fact, Labor's 2014 privacy alerts bill was still before the parliament when Mr Turnbull pulled his double-dissolution stunt two years later. In government, Labor had already done the hard yards by consulting with industry, drafting the bill and securing bipartisan support. All the Abbott-Turnbull government had to do was pick up the bill and run with it. Had they done so years earlier, the outcome could have been much better for the thousands of Australians who have been the victims of data breaches. Those opposite have dragged their feet on this issue. There have been a number of major data breaches over the past three years—some involving literally hundreds of thousands of sensitive customer records. Without a mandatory notification scheme, we do not know how many other breaches have gone unreported, how many thousands or even millions of customer records are involved, or what information has been compromised.

Had the government introduced the bill earlier, I am in no doubt that many more Australians would have been promptly notified of data breaches involving their personal information.

McAfee Labs' threat report for August 2015 states that there has been a 'monumental increase in the number of major data breaches and in the volume of records stolen' between 2010 and 2015. I will outline a few of the many examples of large-scale data breaches that have gone public, including some that occurred in the three years that this government has been procrastinating on this bill. But I stress that these are just the breaches that we know of.

In 2013, Telstra had to issue a formal apology to customers after phone numbers, names and home addresses were found online during a Google search. While Telstra said that the privacy breach was not acceptable, they had already been investigated by the Privacy Commissioner for two data breaches in the three years prior. One of those breaches, in 2011, resulted in the details of almost 800,000 customers being left online for eight months.

In October 2015, Kmart revealed that it was urgently working to address a privacy breach in which customer data had been stolen during a cyber attack. The customer details taken during the attack included names, email addresses, delivery and billing addresses, phone numbers and product purchase details. Fortunately, no credit card or other payment details had been compromised, as the company used an external gateway for payments and did not store the details internally. A similar breach was reported by retailer David Jones the following day, with the stolen data including names, email and mailing addresses, and order details but no financial information or passwords. Later that year, in November, hackers stole data lodged through online inquiry forms from the Queensland TAFE and Department of Education websites, although the Queensland government said that they were confident the data were not very sensitive and that no financial information had been obtained.

In October last year, the records of 550,000 Australians donating blood to the Red Cross Blood Service were published online. The file included personal details such as the donor's name, gender, residential and email address, phone number, date of birth, country of birth and blood type. It also included sensitive medical information, like whether someone had engaged in at-risk sexual behaviour in the last year.

Australians have also been caught up in larger data breaches involving multinational corporations. In 2011, personal information of 77 million subscribers to the Sony PlayStation network was stolen, including names, addresses, email addresses, birthdates, usernames, passwords, logins and security questions. Sony revealed that the hack may have even resulted in the theft of credit card information. Following the hack, Sony could not guarantee that credit card data was not involved in the breach, but their Australian division was warning Australian customers to check their credit card accounts for suspicious activity.

There are many more examples I could go through. In fact, in the 2015-16 financial year alone, the Breach Level Index report provides 22 reports of data breaches in Australia involving over four million records. It is no wonder the Abbott-Turnbull government has taken so long to introduce a mandatory data breach notification scheme, when they themselves cannot practise what they preach.

In September last year, a group of academics from the University of Melbourne notified the government that it was possible to figure out provider ID numbers from Medicare Benefits Schedule and Pharmaceutical Benefits Schedule datasets published on the Department of Health's website. While the government was notified of the issue on 12 September, it took them until the 29th—that is, 17 days later—to admit to the breach. While we welcome the privacy and information commissioner's decision to investigate the breach, it should be remembered that this is the very same commissioner whose position those opposite had been attempting to abolish for two years. Since the data—now removed from the department's website—was published, it has been downloaded 1,500 times.

Only a month after this breach, you may recall that we were debating legislation to outsource the management of sensitive health data on the National Cancer Screening Register to Telstra. As I explained during the debate on that bill, the data to be handed over to Telstra included sensitive data such as Medicare numbers, Medicare claims information and cancer-screening test results. I also mentioned during that debate that Telstra themselves have a poor track record when it comes to the security of customers' information. For example, you only have to look at the two massive data breaches Telstra have had in recent history, which I referred to earlier in this speech and in the speech on the cancer screening bill. Despite industry concerns about the arrangement, the bill passed the parliament, giving effect to the $220 million contract which was secretively awarded to Telstra before the last election.

Another serious data breach involved the personal details of world leaders at the 2014 Brisbane G20 Summit being emailed to an external recipient in early 2015. This breach involved the passport numbers of major world leaders such as US President at the time, Barack Obama, and Chinese President Xi Jinping, yet in an embarrassment for the Australian government these world leaders were not immediately notified of the breach.

This was a bad record for the department of immigration, which had inadvertently published the personal information of 10,000 asylum seekers in February 2014. This information was made available for 14 days and accessed 123 times. Many of the asylum seekers affected said that the breach had made returning to their home countries even more perilous. The then immigration minister, Mr Morrison, launched an investigation into how the data breach threatened the safety of the asylum seekers if they had returned home. Sadly, however, a court found that the investigation withheld information from asylum seekers critical to arguing their case, ensuring their claims failed. They were not told what the breach entailed or who might have accessed the information, and they were denied a copy of the KPMG report into the breach. So much for open government. The guidelines set down by the Office of the Australian Information Commissioner state:

In general, if a data breach creates a real risk of serious harm to the individual, the affected individuals … should be notified.

Yet the examples I have just given demonstrate a consistent failure by this government to follow this very reasonable guideline. So, not only does the government have a poor track record when it comes to the pace of this important reform; they also have a poor track record when it comes to following the very principles that they seek to impose on others through this bill. If those opposite truly believed in mandatory data breach notification for the private sector then not only should they have acted more quickly on this reform but also they should have set a better example themselves.

The standard they have set when it comes to data breach notification is very, very poor indeed. When I was chair of the parliament's Joint Select Committee on Cyber-Safety we conducted an inquiry into cybersafety for senior Australians. The report of that inquiry, released in March 2013, made some observations about the issue of mandatory reporting of data breaches. One submission to the inquiry cited 2008 research by the Australian Institute of Criminology that found that only eight per cent of small to medium enterprises reported data breaches, despite security incidents costing those businesses an estimated $600 million. Other research indicated that 73 per cent of small to medium enterprises had experienced at least one data breach in 2010.

We also noted in our report research from the Australian Information Security Association that found that security of information is a low budget priority in most industries. The AISA also said:

    It was noted in the report that the Labor government at that time was working on a scheme for mandatory notification of data breaches. This was the work that led to our 2013 bill.

    This bill is based on a very sound principle: that a person has a right to know if the security of their personal information has been compromised, whether it is held by a retailer, a financial institution, a telecommunications provider or any other business. Right now, if any Australian has their personal information compromised either accidentally or through hacking, the company that holds the data is under no obligation to inform the victim that that has occurred. There are, thankfully, many companies who make it their policy to do the right thing and notify customers immediately when their personal data has been breached, but it is not compulsory. When customers have their personal information, such as their name, address, date of birth, passwords and even their banking and credit card details, disclosed or accessed without their authorisation there is no legal obligation for them to know that it has happened.

    There are a number of advantages to mandatory notification of data breaches. Mandatory notification allows affected customers to take steps to protect their information. For example, if the breach includes financial information, customers can change bank accounts or cancel their credit cards. If it includes passwords, they can change their passwords. Unfortunately customers cannot readily change other pieces of information, such as their address or date of birth, but at least knowing the information is out there can prepare them and give them the opportunity to discuss their concerns with any institutions that might use that information for identity checking or security. Of course we know about the issues around identity theft, so we need to always bear that in mind.

    Mandatory notification also provides companies holding personal information with an incentive to strengthen their data protection measures and to make sure that the breach does not happen in the first place. If a company is compelled by law to notify its customers of a data breach then the risk of reputational damage to the company might make the investment in stronger data security more attractive.

    It stands to reason that Labor will support this bill because we have been calling on the government to introduce mandatory data breach notification for over three years. It has been three years in which we have had an Attorney-General who is not interested in protecting the privacy of Australians because he has been a bit distracted. He has been distracted by defending the so-called rights of bigots and those who seek to engage in hate speech, he has been distracted by his ideological attacks on Australia's arts industry and he has been distracted by his public spats with the Australian Human Rights Commissioner and the Solicitor-General. So it is no wonder, with the storm of controversy that this minister creates for himself, that he is too busy to get on with the job of protecting Australians' right to privacy. He is too busy to ensure the timely introduction of this important and well-overdue reform. But, after three years of inaction, we do finally have a bill before the Senate and, as overdue as this bill may be, I guess it is a case of better late than never.

    11:49 am

    Stirling Griff (SA, Nick Xenophon Team)

    I am very pleased to see the government has kept its promise to introduce the Privacy Amendment (Notifiable Data Breaches) Bill 2016 which will enforce mandatory data breach notifications for organisations that inadvertently lose or release sensitive consumer data. Senators will recall that during last year's debate on the national cancer-screening register bills we moved an amendment and sought a commitment from the government to strengthen privacy laws as recommended by the Australian Law Reform Commission some eight years ago. Since that time there have been three different data breach models proposed.

    This bill currently before us is an important piece of legislation because, in contrast to previous incarnations and the existing voluntary notification scheme, it finally obliges organisations to report potentially harmful data breaches, which is very much an area where Australian privacy laws have fallen well behind. It will ensure the public are notified should there be a breach of personal information, such as that contained in the cancer-screening records managed by Telstra or indeed any other entities subject to and regulated by the Privacy Act.

    As we have recently seen with the inadvertent release of passwords and other personal information at organisations as diverse as Yahoo!, the Red Cross Blood Service and Telstra itself in 2011 and again in 2012 and 2013, we cannot assume that electronic data will always be kept safe. As more and more of our personal data is stored online, we also become more susceptible to the risks of identity theft. Whether it is through phishing, hacking, remote access scams, malware and ransomware or document theft, identity theft has become an extremely sophisticated and lucrative business worth upwards of a staggering $1.6 billion per year in Australia alone.

    According to the Australian Federal Police, identity crime is also a key enabler of serious and organised crime, costing Australia around $15 billion annually. According to cyber experts, the 2016 Red Cross Blood Service data breach—which, by the way, was Australia's largest security breach—was a perfect example of how the personal data of some 550,000 Australians could potentially have been used for identity theft if it had fallen into the wrong hands and been sold on the underground black market. The data disclosed included personal details and identifying information, including names, gender, addresses and dates of birth—all material that could be easily used to falsify a person's identity to access bank accounts and to obtain loans, credit cards, phone contracts and even government benefits. Luckily, this data breach was well managed by the Red Cross and these potential risks were mitigated.

    The proliferation of online personal data storage by public and private entities alike has made it absolutely necessary to ensure that, whenever unauthorised events happen, affected members of the public are informed in a timely manner so that they are aware that their private data has been compromised and are in a position to act as soon as possible and hopefully before any damage is done. It will very much be a comfort for the public to know that the corporations and agencies that are entrusted with their personal data must from now on act with more accountability and transparency in the event of a privacy breach. With these few words, the Nick Xenophon Team supports this bill.

    11:53 am

    Lisa Singh (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Attorney General)

    I rise to speak on the Privacy Amendment (Notifiable Data Breaches) Bill 2016 with a sense of relief but also with a sense of deja vu. As the Senate would recall, I introduced a private senator's bill of the very same intent in 2014—the Privacy Amendment (Privacy Alerts) Bill 2014, a bill that was thwarted by this government. So, I would like to take a step back and actually highlight the history of this important issue—and it is an incredibly important issue.

    After extensive consultation, Labor introduced legislation in government in 2013 to implement mandatory data breach alerts. This bill was passed on 6 June 2013 by the House of Representatives with bipartisan support. It was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee for inquiry. The committee reported on 24 June 2013, its sole recommendation being that the Senate pass this bill. The bill then lapsed, on prorogation of the 43rd parliament, so I reintroduced an almost identical bill—the privacy alerts bill—as a private senator's bill in 2014, a bill to make it compulsory for corporations and governments to notify people if their privacy is breached and personal details are released without authorisation.

    At the time, the coalition senators in this place filibustered extensively to ensure that this piece of legislation did not pass. Despite their record of bipartisan support, time and time again they came into this chamber and filibustered on this important legislation—this legislation that today we similarly have in this place. So it is now clear that it was not the piece of legislation that was the issue; it was that Labor had introduced it—clear, plain politics, on such an important issue as people's privacy and the breach of their privacy.

    Labor has always been committed to mandatory data breach notification provisions and of course therefore supports that the government is finally enacting these protections. Unlike the coalition senators, we will not play politics with people's lives or with their privacy and the breach thereof. Labor believes that Australians should be told when there has been a breach of their privacy. And at this very moment in time, and since 2013, when Labor first introduced this legislation, there is nothing in place to notify someone if their data has been breached, if their privacy has been breached, in that sense. So it is very much time that companies, corporations and government agencies who are required to protect Australians' personal data should also have the complementary duty to tell a customer when their personal data has been the subject of unauthorised public release.

    Businesses that already implement good privacy practices and comply with the current voluntary guide from the Office of the Australian Information Commissioner will have little difficulty in transitioning to this new scheme, because they are already showing an obligation towards their customers. But the risk of data breaches and the seriousness of their consequences has grown as new technology has allowed government and the private sector to collect more and more personal information about Australians. A consumer should have the right to know if their personal information has been compromised or if their bank or their telecommunications provider has lax security standards. Consumers need to have the power to change their passwords, improve their security settings online, cancel their credit cards or completely change providers such as banks or telecommunications companies if they need to do so. But how can they do any of that when, at the moment, they do not even know that their data has been released?

    That is what this legislation is all about. That is what makes this legislation so important, and that is why Labor introduced it in 2013 and I similarly introduced it in 2014. Yet it did not pass this place, because of those coalition senators filibustering and not having it pass because they did not want Labor to have that win of being the side that introduced it, and that is shameful.

    So, let's look at some of the breaches in recent years—and there have been a number, because, as I said, we are living more and more in a digital world, and more and more data and personal information is being collected about Australian families. This bill puts in place some kind of compulsory notification regime in order to strengthen those protections around that information and build on the privacy regime that I talked about that Labor implemented when in government. Some of those highly publicised data breaches have included sensitive and very personal details of customers, such as the 15,775 Telstra customers who were affected by a breach that made their names, telephone numbers and home and business addresses accessible through a global Google search. That was only one example of several Telstra privacy breaches, in fact.

    There was, of course, that shocking case of one billion Yahoo customers who were affected by hacks—again, private information including names, email addresses, telephone numbers, dates of birth and some passwords were accessed—and it took two years for news of that breach to be made public. It took two years before those one billion customers had any understanding that their data had been breached. Aussie Travel Cover, one of Australia's largest insurance companies, had its computer system hacked, and around 750,000 records of personal details were stolen, which included names, phone numbers, email addresses, travel dates and the cost of their policies. Addresses and partial credit card details were stolen, and that company opted not to tell customers about the hacking—it left them completely in the dark. This is why this legislation is so important; and this is why Labor has been pushing it for so many years.

    The hacking of Catch of the Day, in which personal information and credit card numbers were stolen, took three years to be made public—three years in which customers were unaware that their personal details were not secure. Catch of the Day has not released the number of consumers that were affected by this breach, but Australian consumers reported fraudulent activity on their cards shortly after the breach. So go figure—the poor old consumer had to figure it out for themselves.

    These breaches have also affected the government sector. In 2014 the personal details of almost 10,000 asylum seekers were accidentally published on the Department of Immigration and Border Protection's website. The details included full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details and reasons for the individual being deemed unlawful. Absolutely appalling!

    The McAfee Labs Threats Report for August 2015, which reviewed changes in cyber threats and cybersecurity from 2010 to 2015, states that there has been a 'monumental increase in the number of major data breaches and in the volume of records stolen'. There could not be clearer evidence of why this legislation is so important to get through this place. Yet it is now 2017, some four years on since Labor first introduced our bill of similar intent, and finally the government is going to act on it. It should not have taken so long. In fact, if it had not taken so long, a number of data breaches could have been managed much better than they were—they simply left consumers in the dark.

    Data breaches are not a concern only for individuals, although first and foremost the individual is of utmost concern. The security of personal data is of commercial importance to Australian companies. Data breaches are simply bad for business and can be incredibly costly. Companies stand to lose not just time and money rectifying a data breach, but also their reputation. In the modern information economy the trust of consumers in a company's privacy compliance is an incredibly important part of a company's goodwill. What happened when Telstra had that massive data breach of thousands and thousands of people's information is clearly in people's minds; what happened to those one billion Yahoo customers is clearly in people's minds. Did they want to stay with Yahoo after that?

    When Kmart and David Jones experienced data breaches, both companies notified affected customers. That is good corporate policy; it shows a company's goodwill towards its consumers. That is the sort of positive step that some companies adopt; it stands in contrast to those corporations I highlighted earlier that hide the breaches. A mandatory data breach notification scheme is the most basic of privacy protections, allowing consumers to take action such as cancelling credit cards when their data has been hacked. It is that simple, and yet it has taken so long for this parliament to act on it, due to those coalition senators. While it is customary for many banks, government departments, retailers and telecommunications providers to notify customers of breaches, it is not compulsory. They do not have to do it. In practice this means that victims of serious breaches are not aware that their data has been corrupted.

    The bill before us today amends the Privacy Act 1988 to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act. The bill is so important because it requires those agencies and organisations regulated by the Privacy Act to provide notice first and foremost to the Australian Information Commissioner and then affected individuals of an eligible data breach. At the moment that requirement does not exist. I have highlighted some examples of companies which inform their customers and others which have hidden breaches.

    A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. The bill will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices. It is an important general step that they should be taking anyway. If an entity suspects that an eligible data breach has occurred, it must undertake an assessment into the relevant circumstances and, in the event of an actual data breach, an entity is required to notify the Information Commissioner and affected individuals as soon as practicable after the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. To give rise to an eligible data breach, the reasonable person would need to be satisfied that the risk of serious harm occurring is likely—that is, more probable than not. In deciding whether this is the case, entities are required to have regard to a list of relevant matters, which, I understand, are included in this bill. Failure to comply with an obligation included in the bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act and that will engage the commissioner's existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act.

    So despite the delay tactics of the coalition, this important issue has remained on the agenda. There have been a number of reports about it. I know that the Australian Financial Review has reported a number of times about this issue and also the Parliamentary Joint Committee on Intelligence and Security recommended in its report on the mandatory data legislation in 2015 that if the legislation went forward, it was vital that data breach notification legislation be introduced as well.

    The coalition government, I understand, was committed to introducing mandatory data breach notification provisions by the end of 2015. It is now 2017. It has taken the government more than three years to bring itself to introduce this legislation that it voted in favour of back when Labor was in government in 2013. If the government had introduced that legislation three years ago, thousands of customers would have been promptly notified that their data was breached. If they had put aside their partisan antics, we could have had privacy alerts legislation when I introduced the bill in this place in 2014. I am pleased to see the government has finally caught up with Labor's proposed legislation—the mandatory notification of consumers when their data has been breached. I am very relieved indeed that the government is finally getting on with honouring its commitment but the impact its delay tactics have had on the people of Australia should not be underestimated. That is why Labor supports this bill but notes very clearly that it is long overdue.

    12:10 pm

    Cory Bernardi (SA, Australian Conservatives)

    It is interesting to listen to Senator Singh. I understand her frustration in respect to one side of politics or the other not supporting an initiative by someone else and then supporting when it is from their own team. I had the same experience with the Labor Party in trying to stop child sex tourism when they were government and it took over 15 months for the then Labor government to see the wisdom of that initiative to adopt the legislation that I put forward as their own and finally bring it into this place. Senator Singh, your frustration—through you, Mr Acting Deputy President—is absolutely shared.

    I will not delay the Senate more than is necessary but there are a few concerns that I have on behalf of Australian Conservatives that perhaps in the summing up speech or if there is a committee stage the minister might consider addressing. The first of these is the fact that this bill contains provision that the notifications need to go to the Information Commissioner. It is not lost on me and I am sure it is not lost on many in this place where we note that this is the very office that the attorney sought to abolish and was prevented from doing so by the Senate crossbench in a previous iteration. There are concerns and reports that have been handed to me that the Information Commissioner is operating with scarce or scant or non-existent—depending on who you listen to—resources. Some have suggested he is actually working from home. So the question I ask is whether the Information Commissioner will be in a position to fully respond to the other onerous requirements which are attached to this bill. I look forward to a response in due time from the minister or from the Attorney-General.

    The second concern Australian Conservatives have is about the definition of 'serious harm'. Harm, however you are going to define it, is defined as including serious physical, psychological, emotional, economic, financial or reputational harm. This bill does not strictly define that at all. In fact, it is very subjective. I have been on the record about subjective tests in other legislation that have been enacted in other bills. In this time of extreme political correctness, we have safe spaces and trigger warnings for all sorts of concerns. Do we have the same sorts of implications in this bill? If you are not prepared to define 'serious harm' and if you are not prepared to define what is 'psychological harm', businesses can find themselves in all sorts of inadvertent direct accusations and inadvertent breaches of this bill or this act because what they thought was serious harm or was not serious harm was considered by an individual or another group as being serious harm. So where you are talking about psychological and emotional harm and other varieties of harm, I think the definition needs to be more succinct. Otherwise, we risk of course having the proverbial 'lawyers' picnic', where they will queue up to advise businesses large and small about what could be a serious breach. Of course those who err on the side of caution will say let's report every single breach to the Information Commissioner, who may or may not have the resources required to deal with what could be thousands, tens of thousands or maybe hundreds of thousands of complaints every year.

    The other aspect—and I will conclude shortly—is which businesses are exactly captured by this. I recognise that there are some broad parameters in here. My concern is principally for small businesses, who are often ill equipped to deal with onerous regulations and compliances mandated by governments. I believe that small businesses should be able to get on with building their businesses and trying to generate wealth for them and their families, generate jobs and improve the economic conditions for all involved. Sometimes governments can put forward well-meaning initiatives that create an enormous amount of red tape and bureaucracy for small businesses in particular, who then are forced to employ people to comply with various aspects of it or, as I mentioned earlier, maybe get legal advice, which is expensive—sometimes prohibitively so—and end up running their business for the government rather than for the benefit of the country.

    I would like to think that small businesses will not be captured here, but those that are captured are:

    … those that provide a health service, are a credit reporting body, or trade in personal information.

    Political parties trade in personal information. A not-for-profit with a turnover of over $3 million would include the Labor Party, the Liberal Party, the Greens and maybe some other political parties and organisations. Does that mean, if a fraction of their membership list gets leaked by one of their branch officers, they are going to have to notify the Office of the Australian Information Commissioner and have an investigation into how this took place and so forth? Is it going to apply to doctors' surgeries? Will it apply to direct-mailing houses? What is an information breach? Is it just someone's name or a list of names? Or does it have to include personal information such as dates of birth, perhaps, or email addresses? Does it include physical addresses or just a mailing address? These are the sorts of questions that I think people are entitled to ask and have concerns about. Anyone with a mailing list could potentially fall foul of this, depending on the definitions.

    As an Australian Conservative, I am concerned about the regulation and red tape. I am concerned about the lack of specificity in this bill, because it does leave it open to a number of subjective assessments and I do not think that it is a positive way to go. Nonetheless it is clear to me that this legislation is going to get through. I hope the Attorney-General and the minister will take on board some of these questions and maybe provide a response but also be aware in future legislation that maybe some amendments will need to be made. I thank the Senate.

    12:17 pm

    Arthur Sinodinos (NSW, Liberal Party, Minister for Industry, Innovation and Science)

    I think I am at the summing-up stage now. I want to thank honourable senators for their contribution to the debate on the Privacy Amendment (Notifiable Data Breaches) Bill 2016. There has clearly been a lot of interest around the chamber, and a number of issues have been raised during the debate, some of which I have here in front of me. Let me start with amendment C: significant data breach. Section 26WE is already intended to cover incidents that would be considered significant data breaches. The government expects that guidance material from the Office of the Australian Information Commissioner will help ensure that entities subject to the bill understand the full range of incidents covered here under section 26WE as currently drafted.

    One of the other issues that has arisen is the scope of the scheme. Why are small businesses and other entities covered or not covered? The bill's mandatory data breach notification scheme applies only to entities which are already subject to the Privacy Act—that is, Australian government agencies (other than those exempt from the act, such as intelligence agencies); private sector organisations with annual turnover greater than $3 million; and specific kinds of small businesses such as health service providers, credit reporting bodies and credit providers, and tax file number recipients. The Privacy Act seeks to achieve an appropriate balance between ensuring that entities that hold personal information apply appropriate privacy standards and not imposing unnecessary regulation on small business.

    The bill's mandatory data breach notification scheme is linked to the information security requirements which already apply to entities subject to the Privacy Act, in particular, existing Australian Privacy Principle 11, which requires entities to take reasonable steps to secure personal information they hold. Expanding the scheme to cover entities not currently covered by the Privacy Act would apply it to entities who do not have pre-existing information security obligations under the Privacy Act and could not be subject to other enforcement action by the commissioner under the act. It is also not considered desirable to alter existing Privacy Act exemptions which apply to entities such as intelligence agencies or media organisations acting in the course of journalism solely for the purpose of the mandatory data breach notification scheme.

    Another issue that has been raised is why the bill does not provide specific assessment notification time frames. The proposed section 26WH applies where an entity has 'reasonable grounds to suspect that there may have been an eligible data breach of the entity'. Section 26WH requires entities to conduct 'a reasonable and expeditious assessment' of whether there are reasonable grounds to believe that there has been an eligible data breach of the entity. A 'reasonable' assessment is expected to be one that focuses on matters that can be reasonably justified as relevant to determining whether a data breach has occurred. 'Expeditious' in this context is not defined. It will depend on all the relevant circumstances, with the intent being that entities should move as promptly as possible in the circumstances to determine whether notification is required.

    Section 26WH also includes the additional requirement that entities must 'take all reasonable steps to ensure that the assessment is completed within 30 days' of when the entity first suspected an eligible data breach may have occurred. This is not a hard 30-day deadline but instead reflects the policy intention that 30 days would generally be an appropriate amount of time in cases where there may be a likely risk of serious harm to individuals arising from an individual. Section 26WH recognises, however, that in some cases entities may need longer than 30 days to complete an assessment—for example, where the facts of a suspected eligible data breach are particularly complex, or where completing the assessment within 30 days would require an unreasonable application of resources. This responds to concerns that were raised frequently in the exposure draft consultation, from December 2015 to March 2016, about the potential complexity of assessing whether a breach has occurred. The 30-day requirement must also be read alongside the requirement in section 26WH to undertake an expeditious assessment. This means that in some cases an entity may be required to complete an assessment in less than 30 days—for example, where the circumstances are relatively straightforward.

    If, when an entity first becomes aware of a data breach, it is clear that there are reasonable grounds to believe that there has been an eligible data breach of the entity, then section 26WH will not apply and the entity will be required to move straight to the notification requirements in sections 26WK and 26WL. The proposed sections 26WK and 26WL provide that, where an entity has 'reasonable grounds to believe that there has been an eligible data breach of the entity', the entity must prepare a statement about the breach, provide a copy of the statement to the Australian Information Commissioner, and notify affected individuals of its contents, as soon as practicable. What constitutes a practicable time frame will vary, depending on the circumstances of the eligible data breach, and the entity that experienced the eligible data breach. This flexibility recognises that while in many cases prompt notification will be appropriate, in other cases entities may need additional time to comply with the notification requirement. Guidance materials from the Australian Information Commissioner are expected to provide practical assistance in determining appropriate time frames to notify an eligible data breach. The Information Commissioner could also investigate failure to notify an eligible data breach as soon as practicable or issue the entity with a direction to notify, under proposed section 26WR, if the commissioner became aware of an eligible data breach that the entity had not yet notified.

    A number of speakers, principally from the opposition, have raised an issue about the time taken to introduce the bill. The government has taken time to consider the design of the Mandatory Data Breach Notification Scheme contained in this bill and to undertake a proper and adequate consultation process with stakeholders. The time line is this: an exposure draft bill was released on 3 December, 2015, with submissions open until 4 March 2016. A total of 56 submissions were received, including 47 public submissions, which are available on the Attorney-General's Department's website. The bill was scheduled for introduction in the autumn 2016 sittings of parliament, but this did not occur before the election was called. The government introduced the bill in the spring 2016 sittings of parliament and has promptly brought the bill on for debate.

    I believe Senator Ludlam has raised an issue about the enforcement bodies exception—section 26WN. The proposed section 26WN provides an exception from the requirement to notify individuals if an enforcement body, such as the Australian Federal Police, experiences a breach, where notification would compromise an enforcement-related activity, such as an ongoing investigation. However, section 26WN does not excuse the enforcement body from notifying the Australian Information Commissioner. This should ensure appropriate oversight of data breaches of this kind.

    The purpose of the scheme is to ensure that individuals can take steps to protect themselves in the event that their personal information is compromised in a data breach. As such, it implements the government's response to the Parliamentary Joint Committee on Intelligence and Security's February 2005 advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015. The bill will create a Mandatory Data Breach Notification Scheme that will apply to Australian government agencies and private sector organisations subject to the act. They would be required to notify an individual whose personal information is subject to unauthorised access, unauthorised disclosure or loss, where a reasonable person would consider the individual is at likely risk of serious harm as a result. The extensive consultation undertaken on this bill has ensured that it strikes an appropriate balance between effectively protecting individuals while remaining workable for business covered by the bill. The bill complements existing information and security requirements in the Privacy Act and will provide individuals with confidence that they will be notified in the event of a data breach that places them at likely risk of serious harm. In an environment where entities collect and use growing volumes of personal information in their business activities, and individuals enter into increasing numbers of online transactions, the bill is an important consumer protection measure that builds on the strong privacy protections already provided in existing privacy legislation. On that basis I commend the bill to the chamber.

    Barry O'Sullivan (Queensland, National Party)

    The question is that the amendment moved by Senator Ludlam be agreed to.

    12:34 pm

    Barry O'Sullivan (Queensland, National Party)

    The question now is that this bill be read a second time.

    Question agreed to.

    Bill read a second time.