Senate debates

Thursday, 20 March 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

11:58 am

Lisa Singh (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Attorney General)

I move:

That this bill be now read a second time.

I seek leave to table an explanatory memorandum relating to the bill.

Leave granted.

I table an explanatory memorandum and I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

The introduction of the Privacy Amendment (Privacy Alerts) Bill 2014 is the next key step in the major reform of Australia's privacy laws.

It is a long overdue measure that was recommended by the Australian Law Reform Commission in 2008.

It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices.

In its 2008 privacy report, the Australian Law Reform Commission found that, as government agencies and large companies collected more and more personal information online, there was an increasing risk that this information could become subject to data breaches. There were studies that showed that the frequency of data breaches was increasing and their consequences were becoming more severe.

This trend has continued. For example, in recent years, there have been a number of high-profile data breaches in Australia and in other countries.

Customers of large, well-respected businesses have had their personal information compromised as a result of hacker attacks, poor security or just plain carelessness.

We have seen breaches take place in the first few months of 2014. It has been reported that the Department of Immigration and Border Protection released the personal details of around 10,000 adults and children including details on their names, arrival information, nationalities, and location. It affects every asylum seeker detained in a mainland detention centre, all those detained at the Christmas Island detention centre and several thousand under the community detention program. The Department removed the information from its own web server, but it remained accessible, in full, on a public internet site, for over a week.

This followed other significant breaches in recent years at Telstra, Medvet and Sony PlayStation.

Internationally we have recently seen breaches on an unprecedented scale. Target in the United States had secure customer information hacked. As many as 110 million customers had credit card information, names, mailing addresses, telephone numbers and email addresses taken. According to a Reuters/Ipsos poll, 40 per cent of people who shopped at Target during the period of the data breach had not been notified about the incident. Thirty-one per cent said they had been notified by Target and 28 per cent said they had been notified by their bank or credit card company.

Following this breach Neiman Marcus announced it had also been targeted with information on 1.1 million credit and debit cards stolen.

A data breach can severely affect individuals whose personal information has been compromised.

Individuals can lose money when personal information relating to their finances finds its way into the wrong hands. They can be exposed to the risk of fraud and identity theft. And they can suffer embarrassment and distress when information contained in medical records is publicly revealed.

Labor believes that individuals should know when their privacy has been interfered with. That is why I am introducing this Bill.

Currently, there is no requirement for agencies and organisations to notify affected individuals or the Office of the Australian Information Commissioner (OAIC) when they have suffered a data breach.

The OAIC has voluntary guidelines encouraging notification, but is concerned that many data breaches—perhaps a majority—are going unreported. The Bill stops the gap in Australia's privacy laws.

Australia should be a global leader in privacy protection as we grow our digital economy and more and more personal information goes online.

The Bill provides that when an agency or organisation has suffered a serious data breach, it must notify the affected individuals and the OAIC.

Prompt notifications will allow individuals to take action to protect their personal information. Individuals will be able to reset passwords, cancel credit cards, improve their online security settings, and take other measures as they see fit.

The notification requirement will provide an incentive to businesses to store information securely. No business wants a reputation for not keeping its customers' personal information safe.

Agencies and organisations will only have to provide notification of serious data breaches. A requirement to provide notification of all data breaches would impose an undue regulatory burden on businesses, and it would unnecessarily alarm many customers.

The notification must include information such as a description of the breach, the kinds of information concerned, recommendations about steps that individuals should take, and contact details of the entity.

The Bill provides that the commissioner may direct an agency or organisation to provide affected individuals with notification of a data breach. This is a necessary measure in cases where an agency or organisation is recalcitrant or has simply made the wrong decision.

The Bill also contains public interest and law enforcement exceptions. These are necessary where there are countervailing interests that outweigh the need to inform individuals about the data breach.

Where there is a failure to comply with a notification requirement, all the commissioner's enforcement powers to investigate and make determinations will be available. This could result in personal and private apologies, compensation payments and enforceable undertakings.

In the case of serious or repeated noncompliance with notification requirements, this could lead to a civil penalty being imposed by a court.

The Bill is part of the Labor Party's ongoing commitment to the right to privacy.

In 2012, the Labor government introduced the most significant reforms to privacy law in Australia since the Privacy Act commenced in 1989. This Bill will complement those new reforms, which have recently commenced operation.

One of 2012's major reforms was the creation of the Australian Privacy Principles, which will apply to both government agencies and many private sector organisations.

Australian Privacy Principle 11 provides that entities regulated by the Privacy Act must have adequate security measures in place to protect personal information that they hold. The data breach notification requirement will complement Australian Privacy Principle 11 by requiring notification if there has been unauthorised access or disclosure, or loss, of that personal information.

Privacy is an important human right, and its continued protection in the digital era is becoming a major challenge for governments everywhere.

The right of an individual to control what happens with his or her personal information is an important aspect of the right to privacy.

The data breach notification requirement helps return control over their personal information to individuals.

The ALRC believed Australia's privacy laws needed this change in 2008. The evidence since that time has been building and it is now clear that this reform is well overdue.

I commend the Bill to the Senate.

I seek leave to continue my remarks later.

Leave granted; debate adjourned.