House debates

Wednesday, 29 May 2013

Bills

Privacy Amendment (Privacy Alerts) Bill 2013; Second Reading

Mark Dreyfus (Isaacs, Australian Labor Party, Attorney-General)

I move:

That this bill be now read a second time.

The introduction of the Privacy Amendment (Privacy Alerts) Bill 2013 is the next key step in the government's major reform of Australia's privacy laws.

It is a long overdue measure that was recommended by the Australian Law Reform Commission in 2008.

It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices.

In its 2008 privacy report, the Australian Law Reform Commission found that, as government agencies and large companies collected more and more personal information online, there was an increasing risk that this could become subject to data breaches. There were studies to show that the frequency of data breaches was increasing and their consequences were becoming more severe.

This trend has continued. For example, in recent years, there have been a number of high-profile data breaches in Australia and in other countries.

Customers of large, well-respected businesses have had their personal information compromised as a result of hacker attacks, poor security or just plain carelessness.

As recently as February this year, the Australian Broadcasting Corporation (ABC) revealed that the personal details of almost 50,000 internet users had been exposed online after the ABC's main website was hacked.

This followed large-scale breaches in recent years at Telstra, Medvet and Sony PlayStation.

A data breach can severely affect individuals whose personal information has been compromised.

Individuals can lose money when personal information relating to their finances finds its way into the wrong hands. They can be exposed to the risk of fraud and identity theft. And they can suffer embarrassment and distress when information contained in medical records is publicly revealed.

The government believes that individuals should know when their privacy has been interfered with. That is why the government is introducing this bill.

Currently, there is no requirement for agencies and organisations to notify affected individuals or the commissioner when they have suffered a data breach.

The commissioner has voluntary guidelines encouraging notification, but is concerned that many data breaches—perhaps a majority—are going unreported. The bill stops the gap in Australia's privacy laws.

Australia is not the only jurisdiction to introduce a notification requirement.

Almost every state in the United States has introduced data breach notification laws. Canada has legislation in parliament. The European Union is developing a new directive that requires notification of data breaches. New Zealand is considering a similar law reform commission recommendation to introduce a mandatory notification scheme.

Australia should be a global leader in privacy protection as we grow our digital economy and more and more personal information goes online.

The bill provides that when an agency or organisation has suffered a serious data breach, it must notify the affected individuals and the Australian Privacy Commissioner.

Prompt notifications will allow individuals to take action to protect their personal information. Individuals will be able to reset passwords, cancel credit cards, improve their online security settings, and take other measures as they see fit.

The notification requirement will provide an incentive to businesses to store information securely. No business wants a reputation for not keeping its customers' personal information safe.

Agencies and organisations will only have to provide notification of serious data breaches. A requirement to provide notification of all data breaches would impose an undue regulatory burden on businesses, and it would unnecessarily alarm many customers.

The notification must include information such as a description of the breach, the kinds of information concerned, recommendations about steps that individuals should take, and contact details of the entity.

The bill provides that the commissioner may direct an agency or organisation to provide affected individuals with notification of a data breach. This is a necessary measure in cases where an agency or organisation is recalcitrant or has simply made the wrong decision.

The bill also contains public interest and law enforcement exceptions. These are necessary where there are countervailing interests that outweigh the need to inform individuals about the data breach.

Where there is a failure to comply with a notification requirement, all the commissioner's enforcement powers to investigate and make determinations will be available. This could result in personal and private apologies, compensation payments and enforceable undertakings.

In the case of serious or repeated noncompliance with notification requirements, this could lead to a civil penalty being imposed by a court.

The bill is part of the government's ongoing commitment to the right to privacy.

Last year, the government introduced the most significant reforms to privacy law in Australia since the Privacy Act commenced in 1989. This bill will complement those new reforms, and that is why we intend to commence the bill at the same time in March 2014.

One of last year's major reforms was the creation of the Australian privacy principles, which will apply to both government agencies and many private sector organisations.

Australian privacy principle 11 provides that entities regulated by the Privacy Act must have adequate security measures in place to protect personal information that they hold. The data breach notification requirement will complement Australian privacy principle 11 by requiring notification if there has been unauthorised access or disclosure, or loss, of that personal information.

Privacy is an important human right, and its continued protection in the digital era is becoming a major challenge for governments everywhere.

The right of an individual to control what happens with his or her personal information is an important aspect of the right to privacy.

The data breach notification requirement helps return control over their personal information to individuals.

The ALRC believed Australia's privacy laws needed this change in 2008. The evidence since that time has been building and it is now clear that this reform is well overdue.

I commend the bill to the House.

Debate adjourned.