Senate debates

Monday, 13 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; Second Reading

12:17 pm

Arthur Sinodinos (NSW, Liberal Party, Minister for Industry, Innovation and Science)

I think I am at the summing-up stage now. I want to thank honourable senators for their contribution to the debate on the Privacy Amendment (Notifiable Data Breaches) Bill 2016. There has clearly been a lot of interest around the chamber, and a number of issues have been raised during the debate, some of which I have here in front of me. Let me start with amendment C: significant data breach. Section 26WE is already intended to cover incidents that would be considered significant data breaches. The government expects that guidance material from the Office of the Australian Information Commissioner will help ensure that entities subject to the bill understand the full range of incidents covered here under section 26WE as currently drafted.

One of the other issues that has arisen is the scope of the scheme. Why are small businesses and other entities covered or not covered? The bill's mandatory data breach notification scheme applies only to entities which are already subject to the Privacy Act—that is: Australian government agencies, other than those exempt from the act such as intelligence agencies; private sector organisations with annual turnover greater than $3 million; and specific kinds of small businesses such as health service providers, credit reporting bodies and credit providers, and tax file number recipients. The Privacy Act seeks to achieve an appropriate balance between ensuring that entities that hold personal information apply appropriate privacy standards and not imposing unnecessary regulation on small business.

The bill's mandatory data breach notification scheme is linked to the information security requirements which already apply to entities subject to the Privacy Act, in particular, existing Australian Privacy Principle 11, which requires entities to take reasonable steps to secure personal information they hold. Expanding the scheme to cover entities not currently covered by the Privacy Act would apply it to entities who do not have pre-existing information security obligations under the Privacy Act and could not be subject to other enforcement action by the commissioner under the act. It is also not considered desirable to alter existing Privacy Act exemptions which apply to entities such as intelligence agencies or media organisations acting in the course of journalism solely for the purpose of the mandatory data breach notification scheme.

Another issue that has been raised is why the bill does not provide specific assessment notification time frames. The proposed section 26WH applies where an entity has 'reasonable grounds to suspect that there may have been an eligible data breach of the entity'. Section 26WH requires entities to conduct 'a reasonable and expeditious assessment' of whether there are reasonable grounds to believe that there has been an eligible data breach of the entity. A 'reasonable' assessment is expected to be one that focuses on matters that can be reasonably justified as relevant to determining whether a data breach has occurred. 'Expeditious' in this context is not defined. It will depend on all the relevant circumstances, with the intent being that entities should move as promptly as possible in the circumstances to determine whether notification is required.

Section 26WH also includes the additional requirement that entities must 'take all reasonable steps to ensure that the assessment is completed within 30 days' of when the entity first suspected an eligible data breach may have occurred. This is not a hard 30-day deadline but instead reflects the policy intention that 30 days would generally be an appropriate amount of time in cases where there may be a likely risk of serious harm to individuals arising from an individual. Section 26WH recognises, however, that in some cases entities may need longer than 30 days to complete an assessment—for example, where the facts of a suspected eligible data breach are particularly complex, or where completing the assessment within 30 days would require an unreasonable application of resources. This responds to concerns that were raised frequently in the exposure draft consultation, from December 2015 to March 2016, about the potential complexity of assessing whether a breach has occurred. The 30-day requirement must also be read alongside the requirement in section 26WH to undertake an expeditious assessment. This means that in some cases an entity may be required to complete an assessment in less than 30 days—for example, where the circumstances are relatively straightforward.

If, when an entity first becomes aware of a data breach, it is clear that there are reasonable grounds to believe that there has been an eligible data breach of the entity, then section 26WH will not apply and the entity will be required to move straight to the notification requirements in sections 26WK and 26WL. The proposed sections 26WK and 26WL provide that, where an entity has 'reasonable grounds to believe that there has been an eligible data breach of the entity', the entity must prepare a statement about the breach, provide a copy of the statement to the Australian Information Commissioner, and notify affected individuals of its contents, as soon as practicable. What constitutes a practicable time frame will vary, depending on the circumstances of the eligible data breach, and the entity that experienced the eligible data breach. This flexibility recognises that while in many cases prompt notification will be appropriate, in other cases entities may need additional time to comply with the notification requirement. Guidance material from the Australian Information Commissioner is expected to provide practical assistance in determining appropriate time frames to notify an eligible data breach. The Information Commissioner could also investigate failure to notify an eligible data breach as soon as practicable or issue the entity with a direction to notify, under proposed section 26WR, if the commissioner became aware of an eligible data breach that the entity had not yet notified.

A number of speakers, principally from the opposition, have raised an issue about the time taken to introduce the bill. The government has taken time to consider the design of the Mandatory Data Breach Notification Scheme contained in this bill and to undertake a proper and adequate consultation process with stakeholders. The time line is this: an exposure draft bill was released on 3 December 2015, with submissions open until 4 March 2016. A total of 56 submissions were received, including 47 public submissions, which are available on the Attorney-General's Department's website. The bill was scheduled for introduction in the autumn 2016 sittings of parliament, but this did not occur before the election was called. The government introduced the bill in the spring 2016 sittings of parliament and has promptly brought the bill on for debate.

I believe Senator Ludlam has raised an issue about the enforcement bodies exception—section 26WN. The proposed section 26WN provides an exception from the requirement to notify individuals if an enforcement body, such as the Australian Federal Police, experiences a breach, where notification would compromise an enforcement related activity, such as an ongoing investigation. However, section 26WN does not excuse the enforcement body from notifying the Australian Information Commissioner. This should ensure appropriate oversight of data breaches of this kind.

The purpose of the scheme is to ensure that individuals can take steps to protect themselves in the event that their personal information is compromised in a data breach. As such, it implements the government's response to the Parliamentary Joint Committee on Intelligence and Security's February 2005 advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015. The bill will create a Mandatory Data Breach Notification Scheme that will apply to Australian government agencies and private sector organisations subject to the act. They would be required to notify an individual whose personal information is subject to unauthorised access, unauthorised disclosure or loss, where a reasonable person would consider the individual is at likely risk of serious harm as a result. The extensive consultation undertaken on this bill has ensured that it strikes an appropriate balance between effectively protecting individuals while remaining workable for business covered by the bill. The bill complements existing information and security requirements in the Privacy Act and will provide individuals with confidence that they will be notified in the event of a data breach that places them at likely risk of serious harm. In an environment where entities collect and use growing volumes of personal information in their business activities, and individuals enter into increasing numbers of online transactions, the bill is an important consumer protection measure that builds on the strong privacy protections already provided in existing privacy legislation. On that basis I commend the bill to the chamber.
