Senate debates

Monday, 13 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; Second Reading

12:10 pm

Photo of Cory BernardiCory Bernardi (SA, Australian Conservatives) Share this | Hansard source

It is interesting to listen to Senator Singh. I understand her frustration in respect to one side of politics or the other not supporting an initiative by someone else and then supporting when it is from their own team. I had the same experience with the Labor Party in trying to stop child sex tourism when they were government and it took over 15 months for the then Labor government to see the wisdom of that initiative to adopt the legislation that I put forward as their own and finally bring it into this place. Senator Singh, your frustration—through you, Mr Acting Deputy President—is absolutely shared.

I will not delay the Senate more than is necessary but there are a few concerns that I have on behalf of Australian Conservatives that perhaps in the summing up speech or if there is a committee stage the minister might consider addressing. The first of these is the fact that this bill contains provision that the notifications need to go to the Information Commissioner. It is not lost on me and I am sure it is not lost on many in this place where we note that this is the very office that the attorney sought to abolish and was prevented doing so by the Senate crossbench in a previous iteration. There are concerns and reports that have been handed to me that the Information Commissioner is operating with scarce or scant or non-existent—depending on who you listen to—resources. Some have suggested he is actually working from home. So the question I ask is whether the Information Commissioner will be in a position to fully respond to the other onerous requirements which are attached to this bill. I look forward to a response in due time from the minister or from the Attorney-General.

The second concern Australian Conservatives have is about the definition of 'serious harm'. Harm, however you are going to define it, is defined as including serious physical, psychological, emotional, economic, financial or reputational harm. This bill does not strictly define that at all. In fact, it is very subjective. I have been on the record about subjective tests in other legislation that have been enacted in other bills. In this time of extreme political correctness, we have safe spaces and trigger warnings for all sorts of concerns. Do we have the same sorts of implications in this bill? If you are not prepared to define 'serious harm' and if you are not prepared to define what is 'psychological harm', businesses can find themselves in all sorts of inadvertent direct accusations and inadvertent breaches of this bill or this act because what they thought was serious harm or was not serious harm was considered by an individual or another group as being serious harm. So where you are talking about psychological and emotional harm and other varieties of harm, I think the definition needs to be more succinct. Otherwise, we risk of course having the proverbial 'lawyers' picnic', where they will queue up to advise businesses large and small about what could be a serious breach. Of course those who err on the side of caution will say let's report every single breach to the Information Commissioner, who may or may not have the resources required to deal with what could be thousands, tens of thousands or maybe hundreds of thousands of complaints every year.

The other aspect—and I will conclude shortly—is which businesses are exactly captured by this. I recognise that there are some broad parameters in here. My concern is principally for small businesses, who are often ill equipped to deal with onerous regulations and compliances mandated by governments. I believe that small businesses should be able to get on with building their businesses and trying to generate wealth for them and their families, generate jobs and improve the economic conditions for all involved. Sometimes governments can put forward well-meaning initiatives that create an enormous amount of red tape and bureaucracy for small businesses in particular, who then are forced to employ people to comply with various aspects of it or, as I mentioned earlier, maybe get legal advice, which is expensive—sometimes prohibitively so—and end up running their business for the government rather than for the benefit of the country.

I would like to think that small businesses will not be captured here, but those that are captured are:

… those that provide a health service, are a credit reporting body, or trade in personal information.

Political parties trade in personal information. A not-for-profit with a turnover of over $3 million would include the Labor Party, the Liberal Party, the Greens and maybe some other political parties and organisations. Does that mean, if a fraction of their membership list gets leaked by one of their branch officers, they are going to have to notify the Office of the Australian Information Commissioner and have an investigation into how this took place and so forth? Is it going to apply to doctors' surgeries? Will it apply to direct-mailing houses? What is an information breach? Is it just someone's name or a list of names? Or does it have to include personal information such as dates of birth, perhaps, or email addresses? Does it include physical addresses or just a mailing address? These are the sorts of questions that I think people are entitled to ask and have concerns about. Anyone with a mailing list could potentially fall foul of this, depending on the definitions.

As an Australian Conservative, I am concerned about the regulation and red tape. I am concerned about the lack of specificity in this bill, because it does leave it open to a number of subjective assessments and I do not think that it is a positive way to go. Nonetheless it is clear to me that this legislation is going to get through. I hope the Attorney-General and the minister will take on board some of these questions and maybe provide a response but also be aware in future legislation that maybe some amendments will need to be made. I thank the Senate.

Comments

No comments