Senate debates

Thursday, 19 June 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

9:32 am

Photo of Christopher BackChristopher Back (WA, Liberal Party) Share this | | Hansard source

I am delighted to continue my remarks on the Privacy Amendment (Privacy Alerts) Bill 2014, introduced by Senator Singh in March. I wish to go back to the topic that I was speaking on prior to the adjournment, and that was that this government is not going to be drawn into the same errors that characterised the Rudd followed by Gillard followed by Rudd governments between 2007 and 2013. Those governments were characterised by thought bubbles, poor consultation and hasty decision making, with poor outcomes and, inevitably, tears all around. Of course the government and all senators on this side have a deep concern about this, because measures that enhance the protection and security of the personal information of Australians are critical, particularly in the digital environment in which we find ourselves. That does not only extend to Australia, of course; it extends well beyond Australia's borders, internationally. But there is much more work to be done, and Senator Singh, as I said in my contribution in March, should have known that and the opposition should have been prepared to engage with the government much earlier than this.

The government have always supported the broad principles of privacy protection for individuals. It is part of our DNA. But we have previously expressed concerns about the details of this bill and especially about the Labor Party in government—and then in opposition rushing to make the same mistake—failing to consult broadly with affected members in the community and with industry, those who will be responsible for the implementation. It was my colleagues Senator Sue Boyce, whom I congratulate on her valedictory speech last night, and then Senator Gary Humphries, who was here gracing us with his presence in the chamber last night, who drew attention to many of the concerns that I wish to address in my contribution this morning—concerns, for example, as were expressed by a number of the submitters regarding the lack of definition of terms such as 'serious breach' or 'serious harm' in the legislation, as well as concerns, which my colleagues cited in their minority report, about the regulatory overload for business. That was something that very rarely concerned the Labor Party in government, and it would appear they have not learned their lessons, because they are again having no regard for this in opposition.

The bill in 2013 was based on the general requirements of Australian Privacy Principle 11—which requires regulated entities that hold personal information to prevent the loss, unauthorised disclosure or misuse of that personal information—all of them reasonable precepts. We look then to the term of risk. The proposed model, we were told, would create a requirement to notify the Office of the Australian Information Commissioner and affected individuals where there has been a data breach which has given rise to a real risk of serious harm to an individual. That was their recommended approach, the ALRC's recommended approach, in which they defined a real risk as a risk that is not a remote risk. These are indefinite terms and should obviously be given much more consideration and credibility in terms of the activities.

It was not just the coalition that was concerned at the lack of time given by the then Labor government when this legislation was introduced. I quote from Liberty Victoria at the time:

… we note with extreme disappointment that public comment opened on 18 June 2013 and closed two days laterJune 2013.

Not two weeks, not two months, but two days. They went on to say:

This is not conducive to open and transparent Government and it is extremely unlikely that many members of the public or any other interested party will have had time to review the Bill, let alone prepare submissions to this Committee. Privacy is an important issue and with increasing amounts of personal data being collected by both the private and public sectors, the issue as to how that information is used and protected is of high public interest.

We confirm that view taken by Liberty Victoria. A second group, one that you would think would have enormous interest in this question, is the Australian Privacy Foundation. They expressed their concern, citing:

… seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1½ working days—

they brought it down from two—

during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.

Surely the Labor Party must have seen the signals at that time. Then there was a submission from the Cyberspace Law and Policy Centre at the University of New South Wales Faculty of Law highlighting their concerns that there were 'around 10 working hours to collaborate on, draft and finalise a submission'. It begs the question whether or not the Labor Party at that time, then in government and now in opposition, were even serious about consultation when one group said two days, another said 1½ days and then the University of New South Wales law faculty centre said 10 hours for consultation.

Why do we have this massive concern on our side? Because we do not want to see again Australia descend into what we saw between 2007 and 2013, and that was the exercise of the Rudd, followed by the Gillard, followed by the Rudd Labor government rushing into poor policy development. Let me give some examples of those. The first was the pink batts, where there was a failure to consult with the states, who for a long time had the expertise, the opportunity and the time to implement the type of activity proposed, and a failure to consult with industry, particularly in relation to occupational health and safety and welfare issues. This was evident in the recent royal commission into the pink batts project, and what a tragedy that we even had the circumstances where a royal commission had to be called. Evidence came out about the failure by the government of the day to consult with their own departments as to how it would be implemented. We had seen evidence at the time—we said so, and unfortunately it played out in the royal commission—of the basic lack of any business experience. If only a risk analysis had been done at that time to understand that a project of that nature was only ever going to get the sharks, the fly-by-nighters, the people with no interest at all in anything other than their own wealth acquisition, coming into that sort of market. So, to come back to the legislation that has been brought forward by Senator Singh, there was a circumstance where there was inadequate time to consult, inadequate opportunity to engage with stakeholders and inadequate involvement in the decision-making process by people affected or likely to be affected.

We saw this again with the NBN. Needless to say when we speak of privacy issues, those associated with internet connectivity et cetera are very much to the fore. I recall when I first came into this place that Senator Conroy, in response to a question I asked him about a business plan, very proudly told the chamber that we did not need a business plan, that we did not need a cost-benefit analysis. I asked him what risk analysis he had undertaken? Well, of course, that was not necessary either! We have now seen the failure of the NBN project. I will give just one small example of things that would have been shown up by a proper risk analysis, and that is the asbestos contained within the pits—the old Telecom, PMG, now Telstra pits. That would have been exposed, we would have known about them and we could have dealt with them if only there had been adequate consultation.

I will not dwell today on the ban on the live export of cattle in June 2011, except to say it is still very raw for those who were the victims of it, whose lives and businesses and activities and families were destroyed by that. There was no consultation with industry, there was no consultation with the department who advise them, there was no consultation with affected personnel and, worse than that, there was not even dialogue with the government of Indonesia or other Asian neighbours. We are still living today with the overall impact of that failed process.

I say again that the government is in favour of all of those activities that will protect the privacy of individuals to the extent that that is possible. But, unlike Labor, we are not going to be rushed into activities in which industry is not consulted, families are not consulted and affected people are not consulted.

9:43 am

Photo of Catryna BilykCatryna Bilyk (Tasmania, Australian Labor Party) Share this | | Hansard source

Before I start my substantive speech on the Privacy Amendment (Privacy Alerts) Bill 2014, I would like to make some comments about some of the comments made by the previous speaker. He talked about a lack of transparency and a lack of planning and, very typically, kept referring to things that happened when we were in government. I would just like to point out some of the issues around Infrastructure Australia, where people have been gagged and sent on gardening leave so that there is no transparency and no planning to be done. So we will look forward to those speeches coming up later in the session, Senator Back. Can I also say that this is not a new situation for anyone in either of the chambers.

Turning to the privacy legislation we are debating, I point out that Labor is the party that cares about protecting Australian's privacy. It is Labor that understands that Australians care about who has their data and how it is used. It was the Labor Party that enacted the Privacy Act in 1988 and it was the Gillard Labor government that made significant improvements to that Privacy Act.

I remind Senator Back that this bill is substantially the same as the Privacy Amendment (Privacy Alerts) Bill 2013, which passed the House last year but lapsed when the parliament was prorogued before the 2013 election. It was the important next step, put forward by the Attorney-General Mark Dreyfus, and I am glad that it has returned to the parliament as a private senator's bill thanks to Senator Singh, one of my Tasmanian Labor colleagues.

The 2013 bill was passed in the House of Representatives on 6 June 2013 with the support of the coalition, and I hope that they will vote in support of this bill in this place. I am disappointed that the Liberal Party did not consider this bill important enough for the current Attorney-General to put forward as government business. Once again, it has taken the Labor Party to push this important reform. I am disappointed that the Liberal-Nationals government did not think that the security of the personal and financial data of Australian citizens was worthy of their time.

Once again, the Liberal-Nationals government has shown that it is out of touch with the concerns and expectations of the Australian people. Once again, the Liberal-Nationals government has shown that it is out of touch with the realities of the 21st century and the changes to the way that customers and clients interact with businesses and government agencies.

The issue that this bill deals with is timely, given that, in the digital world we now inhabit, a large amount of our private data is held by businesses, government agencies and organisations that we interact with on an everyday basis. Our personal data is held by everyone—from banks, credit card companies, telecommunications companies, government agencies, libraries, supermarkets, pharmacies and department stores to, often, our local coffee places or bookstores.

Large companies and government agencies, in particular, often hold personal data that we would not want to go public or fall into the wrong hands. As time progresses the amount of data held by companies and government organisations, and the number of companies and government organisations that hold data, is likely to grow considerably. Unfortunately, though, despite our best efforts and best assurances, breaches of our data can and do occur.

We have seen breaches of privacy from multinational companies and small businesses. I will give you some recent examples. The Department of Immigration and Border Protection, in February this year, accidentally published personal details of around 10,000 asylum seekers held in Australia. The major software company Adobe was hacked in October last year, with 130 million user records being stolen. In November and December last year, a similar event occurred to the American retailer Target, with data from around 40 million credit and debit cards stolen. In February 2013, the Australian Broadcasting Corporation revealed that the personal details of almost 50,000 internet users had been exposed online after the ABC's main website was hacked. In 2009, in Lancashire, England, a health worker lost a memory stick containing the medical details of more than 6,000 prisoners and ex-prisoners from Her Majesty's Prison Preston.

With the number of organisations holding our data increasing, the number of breaches is likely to increase into the future. In their submission to the Senate inquiry for the 2013 bill, the Office of the Australian Information Commissioner—the OAIC—noted that a significant number of Australian organisations had suffered a data breach. In their evidence, they said:

… 21 per cent of Australian organisations interviewed had experienced a data breach, and a 14 per cent of organisations interviewed were unsure if they had experienced a data breach.

Furthermore their evidence highlighted that in instances of an admitted breach:

. 18 per cent of organisations interviewed did not notify anyone outside the organisation of the data breach;

. 68 per cent did not notify affected customers of the data breach; and

. 79 per cent did not notify affected suppliers of the data breach.

Australians would not, and do not, consider such practices to be good enough. Furthermore, the OAIC noted:

There is evidence that the incidence of data breaches is increasing on a global scale and within Australia …

This evidence would be of concern to most Australians.

Whether the breach occurs due to an accident while using technology, the loss or theft of technology like laptops or flash drives, or it is due to deliberate and criminal attacks on network infrastructure or assets, the result is still the same: the personal data of Australians entering the public sphere, with the possibility of its use for nefarious purposes.

And no matter how that data is breached, Australians believe it is reasonable that they be informed, and expect to be informed, when their data is breached. In a survey conducted last year, the OAIC reported that 96 per cent of Australians believe they should be notified of data breaches that affect them. After all, it is their information which has been mishandled. And if you know your data has been breached, there are a number of precautions that you can take to protect yourself from loss. These precautions include changing passwords, changing or cancelling credit cards and switching service providers, amongst other precautions.

It would be a surprise to most Australians to find out that there is not currently an obligation for them to be informed when their personal data is breached. In fact, most Australians would be horrified to know that there is not an obligation for them to be notified when there is a serious breach of their personal data.

In my time as chair of the Joint Select Committee on Cyber-Safety, there were many occasions when the committee heard evidence of the need for mandatory breach reporting laws. During our inquiry into Cyber-safety and Senior Australians, University of Canberra Centre for Internet Safety director, Alastair MacGibbon told the committee:

… we do not actually know how many data breaches there are in Australia and we do not know how much of our personal identifiable information is out there because there is no compulsion to report such breaches either to the individuals or to a central Commonwealth authority like the Privacy Commissioner or others.

He said:

We believe that the Australian Law Reform Commission report, particularly in relation to its recommendations about data breach notification … should be followed up.

Similarly, the Australian Communications Consumer Action Network, or ACCAN, in their submission to the inquiry on the 2013 bill, said:

It is entirely possible that there have been a great many more incidents that have gone unreported, leaving consumers with no knowledge that their personal information has been mishandled or accessed without authorisation, and unable to seek any redress or take action to limit possible damage arising from these breaches.

This bill puts in place a compulsory notification regime in order to ensure that all Australians are informed if their personal data have been breached, and builds on the privacy regime Labor implemented in government. I think it is a reasonable requirement, and most Australians would agree.

Because the bill requires organisations to report breaches to affected clients, it will also encourage government agencies and private sector organisations to lift their security standards and be more transparent about their information-handling practices. It will ensure that all organisations covered by this bill will take data security much more seriously. I know that many organisations are increasingly taking data security seriously and have robust systems in place. They take the security of their customers' and clients' data seriously and they have become aware of just how important it is, because it can cause serious damage to their brand when data breaches occur.

This bill will also help all businesses and organisations more widely, enabling industry, consumers and regulators to have more information about data breaches. A better picture will form of what leads to breaches, either accidental or malicious, and what measures and mitigations all parties can take to prevent or respond to breaches that do occur. It will help inform and encourage best practice.

This bill is a long overdue measure recommended by the Australian Law Reform Commission way back in its 2008 report, For your information: Australian privacy laws and practice. The 2013 bill was referred to the Legal and Constitutional Affairs Legislative Committee, which reported on it in June 2013. Submissions strongly supported the introduction of mandatory data breach notification provisions for Commonwealth government agencies and certain private sector organisations including the Australian Law Reform Commission, the ALRC, and the Office of the Australian Information Commissioner, the OAIC.

There are a significant number of benefits of compulsory breach notifications both for individuals and organisations. The OAIC gave evidence that said:

Identity theft and personal fraud is an increasingly problematic issue in Australia. In the 2010/11 financial year, personal fraud cost Australians $1.4 billion. Further, 1.2 million Australians aged 15 years and over were victim to at least one incident of identity fraud in that year; a significant increase from 806,000 victims in 2007-8.

These are extraordinary figures. They are figures that should be of concern to all senators in this place.

Time and time again as chair of the cybersafety committee, I heard of the devastating impact of identity theft and fraud particularly amongst senior Australians. I have heard evidence of individuals losing tens of thousands, even hundreds of thousands of dollars through identity theft. Australian Bureau of Statistics data shows that in 2010-11, 0.3 per cent of Australians, some 44,700 people, were victims of identity theft and another 3.7 per cent of the population, some 662,300 Australians, were victims of credit card fraud.

Identity theft is not a victimless crime. The lives of thousands of Australians are ruined each year—utterly ruined. Family homes are lost. Marriages fail and families fall apart. And it often begins with data breaches. However, the OAIC gave evidence to the Senate inquiry into the 2013 bill, saying:

In some circumstances, notification can prevent or limit identity theft and personal fraud by helping to protect personal information against misuse, loss or unauthorised access, modification or disclosure. Specifically, where personal information has been compromised, notification can be essential in helping affected individuals regain control of that information and mitigate potential harm. For example, where an individual's identity details have been stolen, once they have been notified the individual can take steps to regain control of their identity information by changing passwords or account numbers, or requesting the reissue of identifiers. Such steps help prevent or limit the risks resulting from the theft of personal information.

Of course, personal data extends just beyond financial data. The Australian Law Reform Commission's report of May 2008, For your information: Australian privacy laws and practice, illustrates this point, saying:

Other types of personal information, such as health information, if disclosed, could subject a person to discriminatory treatment or damage to his or her reputation. Informing a person that such information has been disclosed makes that person aware of what may be the possible consequences of the breach.

Australians have a right and an expectation that their confidential personal information, whether their financial information, health information or any other personal information be kept secure and private. They have a right to be informed when breaches occur. That is why the bill we are debating today is of such importance. Individuals that have their data breached due to the actions or negligence of companies or government agencies do not have to sit passively by. They can actively take steps to minimise their risk of suffering identity theft or being the victim of other crimes—if only they know of the breach; they must know of the breach.

Notification can also be of benefit to the organisation in which the data breach occurred. The OAIC in their evidence, mentioned previously, says:

Notification can help rebuild public trust and demonstrate to the public that the entity takes the security of personal information seriously, and is working to protect affected individuals from the harms that could result from a data breach.

There are also commercial benefits for those companies with good, strong data protection notification regimes or privacy alert regimes and those with good information on privacy practices in being trusted more by their customers. As the Cybersafety Law and Policy Centre at the University of NSW Faculty Of Law said:

The reputation risk of being seen to behave inappropriately is transferred to the non-discloser, who now stands out and is clearly not responding appropriately.

This bill will require all entities currently regulated by the act to notify affected individuals and the OAIC where there has been a data breach that gives rise to a 'real risk of serious harm' to an affected individual. A real risk is defined as a risk that is not a remote risk. Therefore, only the more serious data breaches will need to be notified. The OAIC will have the power to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified as a result of an individual's complaint or otherwise. The OAIC will also be given the power to exempt an entity from the notification requirement where it is in the public interest to do so.

The notification must contain at least four key pieces of information. First, it must contain a description of the breach. Secondly, it must contain a list of the types of personal information that were accessed or disclosed. Thirdly, the notification must contain recommendations about the steps that individuals should take in response to the breach. Finally, contact information for affected individuals to obtain more information and assistance must be included. Noncompliance with the scheme would attract the normal Privacy Act remedies. These remedies can take a number of forms and could include public or personal apologies, compensation payments or enforceable undertakings. A civil penalty could be sought where there has been serious or repeated noncompliance with mandatory notification requirements. I expect that a majority of Australians would see this as fair and reasonable.

This proposal has strong support from state and federal information privacy commissioners, from IT security companies and from privacy and consumer advocates, and this proposal is becoming a norm globally. In support of this view, the Cyberspace Law and Policy Centre at the University of New South Wales Faculty of Law gave evidence to the inquiry into the 2013 bill that:

Mandatory Data Breach Notification is increasingly the norm, and something we support in general: it has been law in parts of the USA for a decade, is increasingly common in other countries, and has been under discussion in Australia for years. The general concept is also increasingly accepted in Australia, including by some businesses who appreciate the transparency behind it as a necessary part of earning the essential ingredient, consumer trust and confidence in e-commerce and online systems in an environment where absolute security clearly can clearly not be promised.

The public is increasingly concerned with how their data is managed and protected. They are aware of just how much it could cost them through identity theft and other nefarious uses of their private information.

Australians have an expectation that they will be informed if their personal data is breached, and Australians deserve to be informed if their personal data is breached. If a corporation or agency's data is breached, it is the customer, as I said, or the client of the business or agency who could end up with all the problems. As Professor Phair from the Cyber-Safety Policy Centre at the University of New South Wales told the Joint Select Committee on Cyber-Safety:

The other problem is that if you are an SME or even a large organisation and you have had a data breach—lost a whole lot of customer identifying data, including credit cards et cetera, the CVV2 track data on the back, which is even more important—

that is, the three numbers on the back of your credit card that you often have to give when you are buying online—

you have been compromised as an SME. You have moved on and brought in an IT security company to mop up the problem. Everything is good, but it is all those people that bought off your website who have the heartache for quite some time.

That is why this legislation we are debating today is so important.

Australian customers or clients should have the right to find out, so that they can change passwords and take other precautions. They should know which companies and which government organisations are failing to hold their data safely. Australians also want and expect penalties for companies and organisations that fail to notify when they have not kept our data secure. That is why I call upon the Senate to support this bill.

10:03 am

Photo of Scott LudlamScott Ludlam (WA, Australian Greens) Share this | | Hansard source

I rise to add the Greens' support for the Privacy Amendment (Privacy Alerts) Bill 2014 and to acknowledge Senator Singh for bringing this matter before us today. This is very strongly in line with Greens policy; in fact, in the run up to the election last September, we announced and launched a digital rights package that had mandatory data breach notification as one of its components.

This is a bill that was on the Senate Notice Paperbefore the last election, and my understanding at that time was that the coalition, then in opposition, supported it. It is a shame that Senator Back has left us; I have got a lot of time for him. But I did find it somewhat puzzling that he admonished Senator Singh for somehow not giving people enough advance warning that this matter was being brought forward when it has been on the Notice Paper for years. It is a matter that has been canvassed certainly for as long as I have been involved in this field, and, as previous senators who have contributed to the debate have outlined, it is a matter of basic common sense. If a service provider or an organisation that you have trusted with private information—which can range from trivial personal details all the way up to your medical records, your credit card and quite intimate material—loses control of it, you have a right to know. I would have thought that was something the coalition—or the Liberal Party at least, with its supposed focus on the liberty and integrity of the individual—would have been falling over themselves to legislate.

Nonetheless, it has come forward as a private senator's bill. I was puzzled when, after the election, the government did not simply proceed with the matter. There were no significant voices raised in industry—maybe a little bit of grumbling—but the fact is that most people working in this field, in an Australian industry context, would be well aware that the reliability or the integrity of your business model depends on people trusting that their data is secure. Given that so much of our private information has now been shifted online, you have effectively lost control over it; so what you would hope is that the people you have entrusted with it would, at the very least, let you know if that material has been made insecure or lost.

Data breaches and the sort of stuff that we are talking about can range from the inconvenient all the way up to the life threatening. When the Department of Immigration let go of thousands of people's records not so long ago, that actually put people's lives at risk. Those people had a right to know about that, rather than finding out about it in the media. It affects people in this building. The fact is that we were not told for quite a long period of time that, allegedly—and there appear to be quite strong indications now that this is the case—hackers working for the Chinese government had penetrated the mail servers of this building, affecting staff, senators, representatives and journalists working here.

When Senator Singh closes the debate later in the morning, I would be interested if she could spell this out, because my reading of the way it is drafted is that it is intended to catch organisations such as those who run the mail servers here at Parliament House. I think that anybody in any quarter of Australian society, whether they work in Parliament House or not, has a right to know if their private material and data has been compromised.

Citizens absolutely have a right to privacy. That is something that is recognised globally and yet what we see is something of a patchwork. Mandatory data breach notification does exist in various jurisdictions but it is very unevenly applied. I would draw senators attention to World Law Group's Global guide to data breach notifications which they published in 2013 that outlines just how uneven the regulatory environment is around the world. One thing that Australia could do, in taking a fairly strong stand about mandatory data breach notifications, is, apart from encouraging other countries around the world to step up as well, create a competitive advantage. Data is mobile. It can be stored all over the place. So why would Australia not take a strong stand in that regard? That is something that to me almost feels self-evident. I will be interested when Senator Birmingham stands up, as someone who has had quite a long association with these issues, to hear if he can put in black and white the position of the government as to why on earth you would not proceed with a matter like this.

Citizens absolutely have a right to privacy and the examples even from the last couple of years, where quite large corporations—major companies and government departments—have simply lost control of people's material, is almost too long to get into a 20 minute speech. Sony was one of the most high profile, Telstra, First Super, ANZ Bank. These are just examples from recent times. The Australian Privacy Commissioner in 2012 said that it appeared that these kinds of events were on the rise. The Australian Information Commissioner, Professor John McMillan, said that there is 'strong support for the notion that the Government must treat data breach notification is a mandatory process' and that 'internationally, the tide is moving in this direction'. He said that in 2012. It is not like this issue was new to this parliament. It is not even, in my view, a particularly complex matter, so I very much look forward to hearing the government's argument as to why it should not proceed. If it is the usual parliamentary tactic where you take a good idea and come up with some fabricated reason why you cannot pass it and then reintroduce it as a government bill—we see that happen from time to time—this is one instance where I would not begrudge it, as long as it gets done.

As I say, citizens have a right to privacy and corporations and powerful institutions and governments have an obligation to transparency. That is something, I suppose, of the Cypherpunk Manifesto. We see this government, particularly under this Attorney-General, as moving in the opposite direction—as annihilating privacy for ordinary people while withdrawing government operations behind a curtain of national security. Perhaps that will come out in Senator Birmingham's comments as a reason to oppose this kind of bill.

I do want to acknowledge while I have the floor someone who has done more than most to advance these issues around personal privacy, data security and also the obligation of governments and powerful institutions to transparency. It is two years today since Mr Julian Assange, an Australian citizen, entered the Ecuadorian embassy in the Knightsbridge in London and threw himself on the mercy of the Ecuadorian government in a bid for asylum because he was not getting any protection or any help from the Australian government at the time. Since the change of government we have seen absolutely no change in posture or policy from the incoming government. In fact, if anything, things have got substantially worse. But I do want to acknowledge Julian Assange, who has now spent two years in the close confines of a very small embassy premise. I also want to put firmly on the record my thanks and gratitude on behalf of millions of Australians to the Ecuadorian President and the Ecuadorian authorities for taking this stand. While sometimes the debates in here may seem somewhat abstract, these are issues that affect us all, whether we like it or not. Everything that we do in some sense is mapped and recorded online and the integrity of that material and our rights to its protection and our rights to privacy are something that should not simply be frittered away.

Again, I thank Senator Singh for bringing this bill forward for debate and look forward to putting it to a vote and sending it to the other place for consideration.

10:11 am

Photo of Simon BirminghamSimon Birmingham (SA, Liberal Party, Parliamentary Secretary to the Minister for the Environment) Share this | | Hansard source

It is a pleasure to rise and speak to the Privacy Amendment (Privacy Alerts) Bill 2014 which was introduced by Senator Singh. I acknowledge her contribution in bringing this to the parliament as a private member's bill to amend the Privacy Act 1988 and to establish a framework for the mandatory notification by government agencies and certain private organisations to notify the Australian Information Commissioner and affected individuals of serious data breaches involving their personal information.

This, of course, reflects a bill that the previous government brought forward last year in 2013. That bill was passed by the House of Representatives on 6 June and brought to the Senate and was considered in rather rapid time by the Senate Legal and Constitutional Affairs Legislation Committee, which reported to the Senate on 24 June 2013. As all speakers to the debate so far have acknowledged, these issues around privacy are critically important, but we do need to equally acknowledge that we have here is a relationship between privacy and the rights of individuals and how that is appropriately dealt with on the one hand and of course then regulation, regulation in particular of parts of the digital economy, and how that is appropriately dealt with on the other hand. We need to make sure that in addressing these two competing issues we get the balance right and that we make sure that the rights of individuals to have confidence in their privacy are strong and respected but that also the enormous contribution that the digital economy can make to our future economic wellbeing and economic growth is not hampered in any way and that we remain a competitive country, and hopefully an even more competitive country, for start-ups and other businesses operating in the digital space to operate.

As I indicated, the previous bill was considered by the Senate Legal and Constitutional Affairs Legislation Committee in the space of just a short couple of weeks. That bill was brought into the Senate, and, for some reason, the government of the day thought it deserved only a rapid-fire consideration by that committee. Concerns were expressed at the time of that committee's report being handed down about the very fast consideration of the bill.

Additional comments provided by former Senator Humphries and departing Senator Boyce highlighted some of those concerns around the speed with which the assessment of this legislation was undertaken and the bill was made available to others outside of this parliament to consider. Their comments at the time highlighted remarks by the Cyberspace Law and Policy Centre of the University of New South Wales Faculty of Law that, because of the very short nature of the Senate inquiry, which reported within a couple of weeks of the bill's passage from the House of Representatives, they had around 10 working hours in which to collaborate on, draft and finalise a submission on what is, as I am sure all senators would acknowledge, a complicated area.

The Australian Privacy Foundation also expressed this concern, citing in their submission to the inquiry:

… the seriously negative impact on the democratic process that is inherent in the provision by the Parliament of only 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.

It was notable at the time that there were no public hearings held and so no opportunity for live testimony as such, and for that exchange of views and opinions that comes with such live testimony and the opportunity for people to assess the merits of the bill and whether it effectively achieves its aim of providing privacy without jeopardising in any way the potential growth of our digital economy.

The bill lapsed before the Senate in advance of the 2013 federal election. So, despite having been rushed through the committee process, it then languished on the Notice Paper under the previous government until the parliament was dissolved.

But, aside from the concerns about the speed of its consideration, there were some concerns at the time from submitters regarding the lack of definition in the legislation that is proposed, and similar concerns, I would imagine, would continue to exist, given the almost identical nature of the legislation that Senator Singh has brought forward now. Those concerns included, in particular, definitional concerns—about what actually constitutes 'a serious breach' and 'a serious harm'. These are genuine concerns. It is reasonable for people to wonder how they can definitely comply with this legislation and what their obligations and responsibilities are. Also, an absence of clear definitions in the legislation creates a circumstance of uncertainty for businesses and agencies which are expected to comply, and, of course, in creating those concerns, you end up with a situation where people are at risk of noncompliance if they are not always erring very much on the side of caution.

The principles of the bill and the principles underpinning it and the remarks we have heard from other senators demonstrate that there is good reason to see further reform in this space—a reform that builds upon the Privacy Act and gives people confidence about how those operating in the digital economy treat matters of privacy and private information and details that are provided to them. The bill is of course intended to strengthen existing voluntary data breach notification frameworks in order to counter what is seen as an underreporting of data breaches and to help prevent or reduce the effects of serious crimes, especially those like identity theft.

The bill and the model that is proposed would require notification to the Office of the Australian Information Commissioner and affected individuals where there has been a data breach which has given rise to a real risk of serious harm to an affected individual. 'Real risk' is defined as a risk that is not a remote risk—a somewhat circular definition, I would note. But this is seen to mean that it would not be required to report less serious privacy breaches to affected individuals or the Office of the Australian Information Commissioner. The requirement to notify would apply to data breaches involving personal information, credit reporting information, credit eligibility information, and tax file number information. The content requirements of notification are, at a minimum: a description of the breach, a list of the kinds of personal information concerned, contact information for affected individuals to obtain more information and assistance, and recommendations about the steps that individuals should take in response to the breach. The Office of the Australian Information Commissioner would have power under the legislation to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified as a result of an individual's complaint or otherwise and it is in the public interest to do so. The Office of the Australian Information Commissioner would of course have its normal investigative enforcement powers in relation to noncompliance with an obligation to notify. Consistent with the measures of the legislation, a civil penalty would only be available to be sought by the Privacy Commissioner where there has been a serious or repeated noncompliance with mandatory notification requirements.

The government is not opposed to considering proposals that improve data security practices. We are broadly sympathetic to the concerns that drive legislation of this nature. But we do remain concerned that the consultation on the initial legislation was inadequate and that the opposition, in bringing this legislation back to the Senate, has done little to rectify that. We are not just concerned about the consultation by the executive of the previous government in drafting the legislation but also, as I have outlined, by the availability of time for consultation by the relevant Senate committee when considering this legislation, as identified by a number of those who made submissions to that inquiry.

We do think there is more work to be done in consulting more broadly on the implications of a mandatory notification scheme. Unlike those opposite, it is not the default position of this government that everything is always solved by a legislative or regulatory outcome. There are circumstances where you can get good outcomes without recourse to the law or the need to legislate or regulate further. This may or may not fall into one of those categories; what we want to do is give it full and proper consideration to make sure the broad principles of privacy are respected but also that it does not impose an excessive regulatory burden on industry.

We are, as a government, very determined and very eager to see growth in the digital economy space. We want to make sure we spur innovation. This is the type of industry, and the sector of our economy, that provides enormous opportunity for future growth. It reflects the highly educated workforce of Australia, giving the opportunities we would hope for the employment and growth of that highly educated workforce. We are working steadily and carefully to implement policies that drive further innovation in the digital economy.

Just one of the ways we are doing that—and it is a way that is related in some part to this legislation—is through our approach to open data and open data sources and ensuring that, as a government, we take all the steps we can to spur innovation through open data access. Government controlled data has been identified by many around the world to be of immense economic value. A 2013 report by McKinsey & Company researchers estimates there is $3-$5 trillion in economic value annually from open data across seven different sectors in the United States. So far, we have managed to add dramatically to the availability of information and data across government since our election in September. In fact, 85 per cent of the data that is available through data.gov.au has been added since the coalition was elected last September—a dramatic increase in the amount of information available to Australian innovators and users.

Mr Turnbull, as the Minister for Communications, working with his department, Geoscience Australia and the finance portfolio, in particular, has been striving to deliver on our election commitments on e-government and the digital economy, particularly on our commitment to driving this approach to open data access. A senior working group to identify datasets of high value to the economy has been established in the Communications portfolio, providing leadership across government in achieving the significant growth we have had. More than 20 high-value government datasets have been identified thus far—covering areas such as geocoded addressing, finance, energy and infrastructure—which we believe as a government can, if made open and available, provide real economic returns through their utilisation by businesses and innovators across the economy.

Importantly, government is working to make sure that any such data released is anonymised, where appropriate, to protect privacy. That is obviously a key criterion in our approach to the provision of open data access. We give a firm commitment that, while we work to provide more information and a greater stream of knowledge that can be accessed by the private sector for wealth generation across the economy, we will of course be very careful, taking each dataset one at a time to make sure we have appropriate protections and precautions around privacy.

We will be releasing more such datasets around this year's GovHack competition in July and August, which encourages coders to make use of government data to design new apps like TripView. It is important to realise that this is the type of innovation that can lead both to efficiency and savings across government and to areas of economic growth. By being open as a government and making our data sources and IT as accessible as possible, people can see opportunities to do things more efficiently. That has certainly been the case in the United Kingdom where the reforms of the Cameron government, under the GOV.UK website, have dramatically streamlined what the government has been able to achieve in the digital world. The UK government have cut back on a lot of their unnecessary online presence to provide a government interface for voters and residents of the UK that is genuinely user-friendly and focused on the key outcomes they expect from their government. It has been made far more user-friendly and achieves far greater satisfaction ratings across the UK in terms of the use of government information. Importantly, it has also achieved very significant savings in the UK—hundreds of millions of pounds worth of savings—in terms of the procurement of IT systems, the cost of running government websites and the overall cost of government interaction with the digital economy.

It is a real win-win, because satisfaction with government websites has gone up dramatically whilst the cost of operation has gone down dramatically. This has come through not just a commitment to be more responsive to community needs but also, importantly, a commitment to open data and open government principles which ensure that all of the information that underpins gov.uk is openly available. Obviously, an individual's personal data is protected, but all of the structural information that underpins that transformation that the UK has been on is openly available for other countries to be able to access.

I certainly hope that Australia, at the Commonwealth level and across all the states and territories, will look very closely at the UK model and will develop it for their own needs. We need to make sure that we follow a similar approach of streamlining government online presence so that residents of Australia have a single portal, a single access point, and get high satisfaction by being able to find easy answers to the things they need, or by being able to have an easy interaction with the government services that they seek. We need to do this in a manner that, hopefully, can also provide some cost savings.

We are, as a government, determined to drive the digital economy space, but to do so in a way that protects privacy principles to the utmost. We do not necessarily oppose this legislation, but we do think it needs far greater consultation, and we think it is appropriate for us to look closely at it and ensure— (Time expired)

10:32 am

Photo of David FawcettDavid Fawcett (SA, Liberal Party) Share this | | Hansard source

I also rise to make some brief remarks about this private member's bill put forward by Senator Singh. I would like to start by acknowledging that the whole issue of information, whether it be private information, information about companies, how we collect and how we store that information and, most importantly, how we secure that information, is quite important. It is of immense value to individuals, it is of immense value to companies and it is of immense value to countries. You only have to look at some of the things that have been occurring around the world recently, such as data retention and data security, to see why it is so valuable.

On the international stage, in May this year, we saw an indictment by a US grand jury that has caused new tensions between Beijing and Washington around accusations that there were PLA personnel who had stolen some billions of dollars worth of corporate secrets from America as well as some 700,000 pages of personal emails and other classified or private information from the US. Eric Holder, a US Attorney-General, made some quite pointed remarks about the nature of this kind of espionage, this kind of theft of information. What it points out and really highlights is that, regardless of whether the information is private, commercial or of national interest, the ability to collect and store, and the controlled release of that information, is really quite important.

The same discussion around that US case with the indictment looked at things in Australia where we have overseas companies seeking to acquire Australian resource companies. There is quite a deal of discussion about the impact of either the deliberate seeking-out of that data through hacking, or inadvertent leaks, or breaches of data privacy, as it affects the commercial transactions and as it affects people's ability to influence commercial outcomes through knowing personal data.

We saw also in Australia, in May this year, that the Australian Privacy Commissioner is investigating the superannuation company, Cbus, for a second time, about the leak of workers' personal details. In that case a senior employee of Cbus leaked personal information of around 300 employees of a company that was subject to a construction union industrial campaign. That employee happened also to be the honorary president of the Queensland branch of the CFMEU. What the Cbus files revealed was that the internal inquiry found that this person had inappropriately sent personal details of more than 300 workers to a third party without consent. The company has subsequently said that he has to undergo some remedial training. But the issue here is that the workers were employed by a company, Lis-Con, and the allegation is that they wanted that information to help and industrial campaign against the company. What we see is that this issue around data privacy is important.

Photo of Catryna BilykCatryna Bilyk (Tasmania, Australian Labor Party) Share this | | Hansard source

So, you're supporting it?

Photo of David FawcettDavid Fawcett (SA, Liberal Party) Share this | | Hansard source

I am. I will take that interjection, because the government is saying that, in principle, we support the concept of better data protection. But it comes as a whole package of understanding why it is important at the national level, the commercial level and the private level. There is no point in trying to bring through legislation that is not well thought through for the simple reason that it touches so many areas of Australia's national life, national interest and the interests of individuals.

In relation to the last case I was talking about I am sure that the current Royal Commission into union corruption will be investigating this whole area to look at how these kinds of data breaches, breaches of peoples' private information, have been used to try to influence commercial outcomes or, in fact, industrial relations outcomes in Australia. In relation to that particular Cbus case, the two people, who still hold their jobs at the fund, admitted providing the detailed information to union officials and delegates upon request until amendments were made to privacy legislation. So, that does highlight the importance of having appropriate legislation because it does constrain the behaviours of individuals. But what we also see is that there are some people who will seek to extract it; there are some processes that are poor enough that it is leaked inadvertently; and you will always still find, unfortunately, those people who are prepared, for their own personal gain or the gain of an organisation that they are a member of, to breach the requirements of legislation—or, in fact, the rules of their own company—to leak information. So I think it is beyond doubt that it is important, and it is important that we have appropriate legislation.

Now that legislation is certainly not without dispute. We have seen a great deal of discussion on the international stage around this whole area of what data can be collected, how it should be protected, how long it should be retained and what should happen if it is released. Edward Snowden has been a lightning rod for this debate over the last 12 months, with people arguing that citizens of a country are just that: they are citizens and not suspects. This is balanced, however, with the legitimate need that security agencies have to understand what is happening. So we have seen in the EU, for example, the data retention initiative—where metadata could be held for up to two years, versus the original six months for the purpose of billing—struck down in April by the EU Court of Justice because people were trying to find this balance.

Yet, as we look at the news headlines today where we see people holding Australian nationality being involved with ISIS in both Syria and Iraq, we recognise the importance of having appropriate data collected and held by national agencies in the national interest. The last thing we wish to see is people like that free to go and be indoctrinated in that kind of training in those kinds of activities and then be able to come back to Australia and bring that kind of mindset and that kind of world view that sees that kind of violence as being acceptable into our society without our security agencies being aware of them.

For that reason, one of the things that I do support in the bill that Senator Singh has brought forward is the fact that there will be exemptions. Chapter 33 in the Privacy Act talks about some of the exemptions that already exist. There are a number of ways that entities can be exempt, either completely or partially, from the Privacy Act. Under the existing law they can be completely exempt from the information privacy principles. Broadly speaking, while those apply to all agencies, chapters 34 to 38 go more particularly to discuss the agencies that are partially or completely exempt from the Privacy Act: namely Defence, the intelligence agencies, federal courts and tribunals and specified agencies that are exempt under the Freedom of Information Act and certain agencies with law enforcement functions and others.

This is a really important area that we understand because the private member's bill that has come forward here talks about the exemptions, but some of the definitions in the bill have been queried by people who put in submissions to last year's inquiry. As we look at the debate that has been kicked off in the US and the EU and other parts of the world, the definitions become important in Australia around: what data it is appropriate to hold; whom is it appropriate to collect that data on; under what conditions it should be retained; and for how long should it be retained. Definitions in those kinds of arguments are really important.

While we go to definitions, I have just a brief comment on the headlines today. As we define these people who are fighting with ISIS in Syria and in Egypt, I actually deplore the use of the title 'Aussie jihadists'. 'Aussie' is a term of ownership and of pride that we use for our sportsmen, for our diggers: for people of whom we say, 'These are Australians we are proud of.' We give them that name. If these people happen to have Australian citizenship, that is fine, you can call them an Australian citizen. But I would encourage people in the media not to use the title 'Aussie' for someone who is betraying in such a blatant way the values and standards that this nation stands for—the values and standards that our soldiers have served and fought to protect; the values and standards that our civil society works so hard to preserve and to encourage and to nurture into our young people. Those are the people we call Aussies, not those who betray them. By all means, technically, acknowledge the fact that they may hold Australian citizenship, but do not give them that term of ownership and support.

I come to the report that was done last year when the then Labor government tried to put this bill through. The coalition minority report highlighted that, while in principle we support the notion of having better disclosure where there has been a breach of data because, as I have just outlined, it is important and it affects a whole range of areas, definitions are important and it is not something that we should just be rushing through. The Cyberspace Law and Policy Centre of the University of New South Wales highlighted in their submission that they had only had around 10 working hours in which to collaborate on, draft and finalise a submission. Now, unfortunately, that was not an uncommon occurrence for the previous government. There were a number of pieces of legislation which were rushed through without time to get adequate input, and people question why unintended consequences occur from legislation. It is because things are dreamt up and pushed through without time for the community, for stakeholders and for the Senate—particularly the committee system—to do an adequate review so as to understand where those unintended consequences can be. That is where we see bad outcomes.

One that is very applicable to South Australia, my home state, is the bill around better access to the Woomera range area for mining, something that both sides of politics support. But the concern that the coalition raised last year when we were in opposition was the fact that, although Dr Hawke did a thorough job of doing the review and it covered a range of areas, it was a couple of years before it ended up in legislation. The stakeholders around that are involved with the world's premier test range, one of the world's premier mining resources which is hugely significant for South Australia's economy, our national defence and, in fact, even on a global scale for our allies with the allied defence capability for weapons testing and evaluation, and the stakeholders were given less than a week—only five working days to consider that information and to provide feedback to the then government.

We have since reintroduced a bill and we are working through that now so that we give access, but it has allowed a larger range of stakeholders to provide more detailed input so that we can get the arrangements right so that not only will Defence still be able to maintain and use that range as a premier test range in the national interests of the country but industry can have the certainty they need to make the significant investments that they have to make to do both the exploration and development of mining leases, knowing what the terms mean. Again, it came back in part to some of the definitional items in that Woomera bill. It said that Defence could basically override the agreement if there was a national defence requirement. But there was no definition as to what that meant. Did that mean there was an operational difficulty in a place like Afghanistan? Did it mean that there were hordes swarming over Australia's beaches? What did it mean? There was not that definition in the legislation to give people the assurance.

Likewise here, our concern is replicated by people like the Australian Privacy Foundation, who said:

… the seriously negative impact on the democratic process that is inherent in the provision by the Parliament of only 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.

I come back to the importance of giving adequate time for consultation and the importance of civil society around the parliament to have input into discussions such as these go to the important issues of data, privacy, who can hold it, how long they can hold it, what happens if it is released, how people are affected, how reparation should be made and how people should be given an opportunity to correct that. Those are important issues. In fact, last night at a dinner, in discussing the relationship between the US and Australia and speaking with the Libyan ambassador, one of the things he highlighted was around the fact that they are trying to regrow a national government. During the years of Gaddafi, the civil society—who are the people who are able to hold government to account in terms of providing an alternative voice and considered opinions on policy areas—had been essentially shut down and excluded. One of the challenges they have in that country now is re-establishing a strong voice for civil society to work alongside government, quite apart from the security issues they are having, so that they get that balanced view. And yet here we are in Australia, where we have a strong civil society and the process that was put into this bill meant that we only gave those people a day or perhaps a day and a half to get the information, read it, talk about it and give a response back to the Senate.

If Australia wants to maintain its premier place in the world as a leading nation of stable government and well-considered legislation that does not unduly disadvantage people, then we do need to make sure that stakeholders—whether they be government agencies, interest groups or civil society groups—have adequate opportunity to receive the information, consider, debate and formulate a balanced view in order to reflect back to the work of this Senate through its committee system so that we can make sure that legislation that goes forward does not have unintended consequences.

The coalition senators in the minority report noted the concern that was coming forward from a number of submitters saying that there was not enough definition around terms, such as 'serious breach' or 'serious harm'. It goes directly to the point that if you do not have the definitions correct you start getting interpretations or consequences that were never intended by the drafters of the bill. That is why the coalition supports, in principle, the need for better privacy arrangements around data; but they have to be thought through. They have to be looked at with a balance of national interest, intelligence and security agencies, who is exempted, why they are exempted and under what conditions. There is the whole argument that the Snowden case has brought up around citizen or suspect and the commercial imperatives. We see issues with companies like Cbus releasing information for industrial campaigns. To look at all of these things—the implications, who is guilty when, what is an extenuating circumstance, how does the law apply—a day and a half is not adequate for that.

While I commend Senator Singh for her desire to bring this forward and keep it on the agenda, the way to do it is not to bring it in like this without consulting, advising the government, asking why we actually can take an opportunity to reinstitute consultation with civil society—

Photo of Lisa SinghLisa Singh (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Attorney General) Share this | | Hansard source

There was consultation over five years!

Photo of David FawcettDavid Fawcett (SA, Liberal Party) Share this | | Hansard source

Senator Singh is interrupting yet again, but I come back to the point that if it has taken that long—and I will take that interjection—over five years, why was only a day and a half given to the stakeholders, to civil society, to have their input?

Photo of Lisa SinghLisa Singh (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Attorney General) Share this | | Hansard source

They've been consulted for years and years!

Photo of David FawcettDavid Fawcett (SA, Liberal Party) Share this | | Hansard source

Senator Singh—through you, Mr Acting Deputy President—the problem is, with things that are worked up through initial consultation, and we saw this again with the Hawke review and Woomera, the work that is done only comes to a head when it takes form in legislation. And it is the wording in the legislation which is the culmination of all the stakeholder inputs that needs the opportunity for review. The bare facts are discussed, but it is the form of the legislation, and particularly regulations that flow from it, that need the review. That is the objection of the coalition to this bill. We support it in principle but there needs to be more considered input from the stakeholders, particularly civil society, before we would support moving forward with it.

10:52 am

Photo of Helen KrogerHelen Kroger (Victoria, Liberal Party) Share this | | Hansard source

Before I comment on the bill, Acting Deputy President Bishop, I acknowledge your service to the parliament. I was here when you gave your valedictory speech this week. May I say, it demonstrated the significant contribution you have made to this place over a long period of time. I note that your wife was in the gallery. I know that she and your family have been tremendously supportive of your services to this place. I would like to put on the record my appreciation. We worked very closely together on the foreign affairs committee. When I came to this place, I did not expect military justice to be one of the things that I would understand and become an expert at. I can thank you for putting that on my radar so that I could have greater comprehension of all matters in relation to military justice, as well as other matters in the defence arena. Enjoy your retirement from this place, although I know that there will certainly be no retirement in a professional sense.

Photo of Mark BishopMark Bishop (WA, Australian Labor Party) Share this | | Hansard source

Thank you, Senator Kroger.

Photo of Helen KrogerHelen Kroger (Victoria, Liberal Party) Share this | | Hansard source

My pleasure.

Senator Bilyk interjecting

Senator Bilyk, I would be happy to offer one for you, but it is not your time yet. Good luck to you. I hope your time does not come too soon at all. I come to the Privacy Amendment (Privacy Alerts) Bill 2014. I will share some observations that have been made not only this morning but at other times in relation to the bill that has been brought to the chamber by Senator Singh. I notice, as has already been stated, that this bill is similar to a bill that was introduced by the former government in 2013. We heard that the bill was passed by the House of Representatives on 6 June 2013 and there was a very brief inquiry undertaken by the Senate Legal and Constitutional Affairs Legislation Committee. I understand the inquiry was particularly brief and the committee reported on this bill on 24 June 2013.

Before I start my comments, I note the interjections across the floor from Senator Singh to Senator Fawcett. Senator Singh said that consultation happened for years and years. The fact of the matter is that, if that had happened, the bill would have been introduced to parliament by the former government before June last year. The facts just do not stack up.

The government, as has been appropriately recognised, support the essence of what is being sought here. What concerns us is the process. Process is incredibly important. That is what the Senate is all about. It is our responsibility to ensure that all proper processes, inquiries and considerations are undertaken so that, when legislation comes here and is finally passed or denied, it is done in the most authoritative way. That is the role of the Senate. We are very different to the House of Representatives in terms of our mandate. It is the mandate of the Senate to review all legislation so that we can ensure that, as Senator Fawcett so properly characterised, unintended consequences of legislation, even in the best interests of any parliament, do not have adverse effects, particularly on stakeholders. That is our primary concern here.

When I was looking at the detail of the explanatory memorandum that Senator Singh put together—and I commend her for that—I was reminded of a website that raised the issue of privacy concerns. There are many examples of overt breaches. One in Australia particularly concerned me. I think it was raised here earlier. It was the allegation of a privacy breach with the very large superannuation fund called Cbus. My concern is that this breach could have happened to any superannuation fund. If you think about the degree of private information we have to provide to all these funds, then every citizen would be concerned. In the case of Cbus, it was alleged that the personal information of hundreds—not just one or two but hundreds—of Cbus members was leaked to a union boss as part of an industrial campaign. Someone inside extracted the private details of individual members so that they could be contacted for an industrial campaign. Those allegations, I might add, were sent to the Australian Federal Police for investigation. Such was the significant nature of that breach. The allegations were forwarded not only to the Australian Federal Police but also to the Australian Privacy Commissioner. What was alleged at the time was that a senior employee of Cbus leaked names, birthdates, postal and email addresses, and even phone numbers—information that, I am sure you would agree, we would hope would remain private when we provide it to any superannuation fund and that it would be retained with that intent. But in this case, it was not. Superannuation contribution details of the more than 400 members were provided. Most of those people, though, were not members of any union and, in fact, they were not union members to the New South Wales Construction, Forestry, Mining and Energy Union.

It was sent to that union's branch secretary without their consent. It is the nature of these sorts of breaches, where they are direct and overt, that we have serious concerns, because we all know in this modern age just how much information we have put out there to providers. If you subscribe to a private health insurance provider, you have got to provide all sorts of very intimate details. It is information that we would not want to get out, because of the nature of it.

We have had conversations in this place many times about a national identity card. It could be used for all sorts of purposes. In fact, I have been involved with the current and ongoing JSCEM inquiry into the conduct of elections. One of the issues there is the validation of those turning up to vote, who are not required to provide a form of identity and that gives an opportunity for someone to vote in another person's name. Many, many examples have been raised in the inquiry where people use another name—perhaps not Senator Catryna Bilyk, but Catryna Bilyk, for example, in Tasmania—and they may vote in her name. In that case there is no way notionally to identify that the person is not Catryna Bilyk. There is nothing to attest to the fact that they are not that person.

Identification and the determination of registration and details—and all of that sort of thing—is really important in today's modern age. But what is more important—and I raised the national ID card—is that one of the biggest stumbling blocks to that ID card is the fact that people are concerned, and rightly so, about the way in which their personal details may be breached and misused. We have it here, as I said, and that was reported to the AFP and the Australian Privacy Commissioner. This is just one example in Australia where privacy details have been abused and used by an insider.

Yes, in essence, we support what this bill seeks to do. I have sat here in this chamber—well, I am going into my last week before I leave next week—for six years and watched as legislation has been passed without the proper scrutiny that it deserves. When that happens, you get unintended consequences. I can cite numerous examples of legislation that was rushed through without proper consideration. We have prosecuted it quite extensively, but it was legislation that had come through without being given proper consideration. There has been significant, significant consequences.

Photo of Catryna BilykCatryna Bilyk (Tasmania, Australian Labor Party) Share this | | Hansard source

What about your Infrastructure Australia legislation?

Photo of Lisa SinghLisa Singh (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary to the Shadow Attorney General) Share this | | Hansard source

What about the Racial Discrimination Act?

Photo of David FawcettDavid Fawcett (SA, Liberal Party) Share this | | Hansard source

Senator Bilyk and Senator Singh, standing order 197 says that interruptions are disorderly. You will not interrupt Senator Kroger.

Photo of Helen KrogerHelen Kroger (Victoria, Liberal Party) Share this | | Hansard source

Senator Bilyk and I just think that we are having a drink outside and we are having the usual argy-bargy. I appreciate your ruling. If I can try to go back to where I was—you have very successfully interrupted my train of thought—the one that comes to mind, because it affected some stakeholders and some constituents of mine in Victoria, was the introduction of the pink batts insulation scheme. It was introduced on the run and it is one we can all relate to very well. We know why it was suggested: it was necessary to inject capital into the economy so we did not go into the GFC. We know the arguments for it. There has been a judicial inquiry held into that. This is one thing that every Australian man and woman can identify with, because what it demonstrated was that the stakeholders were not consulted prior to the rollout of that program. It did not come here for due consideration; there was no proper inquiry before it was rolled out; it was literally policy done on the run, which was legislated and rolled out straightaway.

Departmental staff have indicated that they were not aware of the various consequences of the way in which they rolled out that program. If I can take you back, we know that there were literally hundreds of fires. I visited a house in in Victoria, where the retired lady was so lucky; she had a fire in her kitchen; they had installed the insulation. She did not know there was a choice. The provider called up and said, 'You know, you can get this and you won't have to pay for it.' She thought, 'Oh, okay.' She did not understand, because the details were not provided to her. She had the insulation installed; they installed it over the current insulation; it blocked and created a huge problem with the electricity in her kitchen. She was in the bedroom when a fire started in her kitchen. It was a neighbour who alerted her to it. She was one of the lucky ones. I went in, and you could see this extraordinary situation where she was very lucky. There was a fire in her kitchen ceiling. Thankfully, she was in the bedroom. She was not intoxicated by smoke.

The whole point of that was that the stakeholders—electricians, for instance—who are skilled and licensed to install insulation were not consulted on what the process here should have been. This could so easily have been averted, and it was not. Alarm bells were ringing at various levels from the Prime Minister and the minister responsible down—we know all that—but no-one took any note. That is probably a very stark but very good example of unintended consequences.

That brings me back to this, because we are just seeking to ensure that, for legislation that comes here, we as a Senate do the task that is set out for us. It is our mandate to review legislation, so we can consult properly, consult widely and ensure that everyone who has significant input has the opportunity to provide that and that what we end up doing is not just creating another layer of red tape, another layer of bureaucracy, but ensuring that the proper processes are put in place.

There is a fantastic booklet that has been put out by the Abbott government. It is this booklet, entitled The Australian Government Guide to Regulation. I would suggest that every person in this place should pick it up and have a read, because it is like a plumber's guide to plumbing. It is our guide to legislation. Everybody in this place should take the time to read this because it will save time, ultimately, for senators of this place and members in the other chamber if they pick up this guide and read it to ensure that the proper processes have been undertaken in bringing any legislation into this place.

I go to page 40 of the guide. There are many areas. This one covers the area of stakeholders. I am not going to go through it. Everybody in this place is bright enough to consult it, pick it up and have a read. But there are various aspects of it which I really commend to the senators in this place to read. They include 'Proper consultation delivers better outcomes'. In that section, we have 'Understanding the attitudes and likely reactions of the people affected', 'Making sure every practical and viable policy alternative has been considered', 'Confirming the accuracy of the data on which your analysis was based'—these are all subheadings which detail ways in which you can do this. Others are 'Ensuring there are no implementation barriers or unintended consequences', 'Affected groups will feel you have listened and considered their views'—and it goes on. It also talks about 'the right consultation tool' to use for the particular job that you are seeking to undertake.

This is not a guide that has been put together for legislators. It is a guide for all agencies, for all departments, which should pull out this little book to literally do a checklist when they are looking at introducing or considering policy. There are also options for the way in which you can consult stakeholders, including 'full public consultation', 'targeted consultation', 'confidential consultation' and 'post-decision consultation'.

In closing, I refer to the committee that inquired into this bill for a very, very limited time. I have to acknowledge the work that former Senator Humphries and outgoing Senator Boyce did on this. They made a number of recommendations in additional statements, if you like, to the report. I do not have time to go through those additional recommendations, but I commend these additional comments to the chamber for consideration.

11:12 am

Photo of John WilliamsJohn Williams (NSW, National Party) Share this | | Hansard source

I would like to contribute to this debate. The Privacy Amendment (Privacy Alerts) Bill 2014 seeks to amend the Commonwealth Privacy Act 1988 as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. One of the first things that you learn in life is that you cannot educate idiots. I refer to the opposition here. Look at what they have done in their time in government: the rush, rush, rush. We could talk about the pink batts fiasco, the hundreds of houses burnt down and, sadly, the four lives lost—and the inquiry underway now will no doubt find out more about that.

We could talk about the emails that came in about the live beef exports, so it was: 'Let's just rush another decision. Let's just rush it.' The ramifications for rural Australia of another rushed decision because of the 'Miss Populist' Prime Minister—Ms Julia Gillard, at the time—were terrible: the loss of exports of live animals. Of course, those live animals had to be under 350 kilos live weight, so the immediate suspension of the live trade of cattle to Indonesia meant that, as time went on, those cattle exceeded that weight, then they could not go to Indonesia. So they were brought down south. We had cows being brought from the top of Western Australia to Inverell, where I live, in northern New South Wales, for slaughter—two or three days on road trains—because of a rushed decision.

The reason I make this point is that nothing has changed. Here it is again: 'Let's rush, rush, rush.' Let us have a look at the facts of the inquiry. This bill was referred to the Senate Legal and Constitutional Affairs Legislation Committee on 18 June 2013. Submissions closed on 20 June—two days later, submissions closed—and the committee was to report on 25 June. It was referred on 18 June and it had to report six days later. What was the rush? In their submission, the Cyberspace Law and Policy Centre of the University of New South Wales were scathing of this rushed time frame. I quote from their submission:

(Note that we received this at close of business Tuesday, due noon Thursday; the provision of around 10 working hours in which to collaborate on, draft and finalise a submission to your Committee is clearly inadequate …

I agree: 10 working hours in which to lodge a submission is clearly inadequate. What is this about? Aren't we seeking public input, public submissions and public witnesses to actually scrutinise the legislation? They went on:

… even given the demands of the legislative process.)

The submission from the Cyberspace Law and Policy Centre at UNSW on this Bill comprises only this message, and is necessarily incomplete. (We would normally hope to survey issues raised by others in some depth before focusing on particular aspects which deserver separate comment or support, but this has only happened in cursory form, as has the review of the text.)

This is our whole argument here. Let me continue. Civil Liberties Australia put in a submission—not that I am a big fan of civil libertarians, but they have the right to have their say like everyone else in this country. They share concerns of other civil society groups about the short time frame. They said, 'What was the rush?' From referral of the bill, to reporting in six days, will someone please answer: what was the rush? It is a simple question. Why so little time for submitters to lodge their submissions? Why so little time to actually interview witnesses? Why such little time to report? Perhaps someone on the opposition bench could answer that question before this debate is over.

I expressed earlier the point about the rushed decision on the live cattle exports and the rushed decision on the pink batts stimulus plan. There were many rushed decisions on school buildings where, unfortunately, builders did not get paid because of the rushed decisions as to who got the contracts, the scrutiny of those companies—and then who went broke. Some builders built schools under the Building the Education Revolution and never got paid. I know of one builder in a country town who lost $600,000. He did not get paid. That was another rushed plan by the Australian Labor Party in their rush to do things. And that is the analogy I draw with this very legislation.

It is all right being in a rush to suit them. Mr Acting Deputy President Fawcett, you would remember only too well the guillotining legislation. Between November 2010 and June 2013, Labor—along with their political allies, of course, the Greens, who assisted them all the way—guillotined 214 pieces of legislation. We in government will not be pressured into agreeing to a proposal without giving it full and proper consideration. There has been no proper consideration by Labor on this bill. But we should not be surprised, because they were in chaos when they were in government.

The Liberal-National government is not opposed to considering proposals that improve data security or practices. Measures that enhance the protection and security of personal information of Australians are critical, particularly in a digital environment. We have heard of all the hackers and of people getting control of bank accounts and credit card numbers. They are certainly out there. Security in this region is vital, especially as more move to the digital age. It is not the days of: 'Hang on, the bank is sending out my bank statement and I look through it.' Now it is at the stage of going online. With electronic funds transfer, BPAY and that sort of banking we need tight security there. But there is more work to be done, including consulting broadly on the implications of a mandatory notification scheme. We need to consult broadly with the community and industry. We in government are not prepared to agree to a proposal without giving it full and proper consideration.

Senator Kroger mentioned some of the things that Senator Humphries and Senator Boyce said on the inquiry. Let me quote some of those things they said in the additional comments by coalition senators.

1.1 Coalition senators are, like a number of submitters to this inquiry, concerned with the lack of due process and time for scrutiny afforded to this bill through the committee.

So it was clear in writing there, in those additional comments. And further:

1.2 Coalition senators understand that the number and depth of analysis of submissions to this inquiry has been hampered by the restrictive timeframe—

as I said, referred on 18 June, report on 24 June. That is simply outrageous. You just ask the question: why the rush? They called for submissions on 18 June, closed submissions on 20 June, and then report on 24 June. It further states in the additional comments of coalition senators:

Given the importance of the nature of this matter, and the extensive criticisms which were levelled at the primary privacy legislation when it was examined by the committee last year, it is most unfortunate that thorough and detailed scrutiny should not have been afforded to this bill.

The senators also said:

In its submission, the Cyberspace Law and Policy Centre of the University of New South Wales, Faculty of Law highlighted that it had "around 10 working hours—

as I have mentioned. Also:

The Australian Privacy Foundation too expressed this concern, citing a:

... seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1-1/2 working days …

I will repeat that. This is what the Australian Privacy Foundation also expressed:

... seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission …

Those additional comments by the coalition senators went on:

The Coalition has on a number of occasions highlighted consultation, or lack thereof, as a point of concern when dealing with bills through Senate committees. On this occasion, that concern is self-evident through the limited time available for submissions.

They made the point:

1.7 Coalition senators note the concerns expressed by a number of submitters regarding the lack of definition of the terms 'serious breach' or 'serious harm' in the legislation. We note also concerns expressed about 'regulatory overload' being experienced by industry as it digests both the new privacy regime and this latest tranche of significant enhancements to that regime. In the absence of public hearings of the committee and the receipt of live testimony, it is difficult to know what weight to place on these concerns.

So we have this item brought up today by the opposition, and how do we get a message through to them that rush, rush, rush means mistake, mistake and more mistakes? That is exactly what we have here.

I am not going to speak for the whole 20 minutes but I support my colleague Senator Kroger when she highlighted this in her presentation to this chamber. So let's just put the brakes on. Let's just do it properly and get it right the first time. You will be very interested when Senator Bishop presents the report hopefully next week—I am sure it will be next week—on the inquiry we have had into ASIC. We have gone through it slowly, precisely, to do the best we can to get things right. This is no exception. Don't rush it; get it right. We have already seen far too many costly errors and mistakes, financial and life costing, unfortunately, by those opposite when they were in government. Rush, rush, rush and mistake, mistake, mistake. Let's get this one right.

11:23 am

Photo of Barry O'SullivanBarry O'Sullivan (Queensland, National Party) Share this | | Hansard source

Before I address the core issue, I want to take the opportunity to reject some of the assertions that have been made by speakers opposite that would suggest, if left untested, that this side of politics, this coalition of National and Liberal people, do not have a high regard for the rights of citizens, particularly with respect to their right to privacy.

Over many, many decades, federal coalition governments, Liberal governments, National governments independently in the states and quite literally thousands of convened local authorities who share our philosophical view of politics across this country have paid detailed attention to issues relating to the privacy of our citizens and those who look to us to protect those rights.

There has been enormous progress in this area, and I personally am proud to be attached to a coalition that has at its very heart the interests of citizens with respect to privacy issues as we examine legislation and the impact of legislation, looking at it through that very important prism.

It is important today that this debate be put into the context of: it is not opposition on our part to any sensible progressive legislation that would enhance our citizens' rights to privacy; it is an attempt to apply due process that in and of itself does not have the ability to provide the safeguards required for changes to this important class of legislation.

In this debate there has been reference to the ALRC report that resulted in the recommendation concerning data breach notifications. I am sure it has been quoted by other speakers, but to underpin and segue into my next comments, I will repeat it again for the Hansard: agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach. Prima facie it would be difficult for anybody to mount an argument against that important principle.

The authors of that report were Justice Berna Collier, Justice Robert French, Justice Susan Kenny, Justice Susan Kiefel, Professor David Weisbrot, Professor Les McCrimmon and Professor Rosalynd Croucher. These are noted jurists and principals from academia with whom I probably have little in common. I am no jurist and I am no academic but I promise you that I share with them the value of their recommendation about enhancing and maintaining privacy protections for the good citizens of Australia.

What does divide us at the moment is that that eminent group of people had no less than 28 months to consider material put before it before they arrived at that recommendation. Their report was 74 chapters and included 295 recommendations for reform—I repeat: 28 months—after they had the benefit of examining and interrogating submitters with over 585 written submissions. They reported that there was a very high level of public engagement.

Their brief, their mandate, is different to the brief and mandate of this place. As a senator, my obligations to the people of Australia have been explained to me in some detail. My obligations are to very carefully make a contribution to, in the first instance, the development of legislation and regulation so that we can continue to improve the orderly, free and protected society that we enjoy here in Australia. Some of the legendary senators of this place have mentored me and counselled me to go steady, to be cautious, to be thorough and to ensure that I consult broadly with the relevant constituencies, to whom I have a particular responsibility to get the situation right, in the same way the commissioners did with this recommendation in their report.

I reject absolutely any assertion made against this coalition government—or, indeed, former coalition governments—which suggests that they did not hold issues of protecting the privacy of the citizens of Australia near to their heart, as they steadily and carefully developed the legislative and regulatory arrangements in which we work. Might I point out that the need for caution and care is to see that any legislation that is adopted by this place on behalf of the citizens of this country does not upset, disturb or, more importantly, produce unintended consequences because it was poorly drafted and not thoroughly considered. At times I myself have been exposed to the frustrations of privacy legislation, where, for example, I needed to represent the interests of my late mother. In a modern and busy society, from time to time, I had the obligation to represent my mother and to make arrangements for her affairs. My mother was 90, and I held her power of attorney, but I found it immensely frustrating that it would sometimes take weeks to resolve matters that were causing her great distress, because of the inhibitions presented by privacy legislation.

I cannot believe that the fathers in this place who drafted that legislation had intended for it to frustrate the circumstances in which I was endeavouring to operate to support my mother. My circumstances presented more than once with aged family and relatives. I know that this frustration also exists for people who are endeavouring to represent people with disabilities—people with new-late-onset disabilities, such as hearing or sight disabilities; Again, I suggest that the drafters of such legislation would have avoided those inhibitions if time had been taken to carefully consider the implications of legislation that they introduced. I am sure that there are those who would correct me and say that legislation was not rushed. Perhaps the rush to the legislation in and of itself is not the only element that we need to be conscious of, as we develop legislation. My life's experience, which sadly is now reaching its sixth decade, has taught me that most things which I have rushed into eventually turn out to be inadequate and do not meet the standards that I had set for myself from the beginning. In fact, I often quote my son who has said to me over the years: 'Dad, most of the mistakes we make in business, we make on the way in, not in there and not on our exit plan.'

The only test that needs to be applied to this debate is whether the journey of this bill has met the test of proper scrutiny. Unlike the tenure of the academics and jurists, who made this recommendation to us, the way this Senate considers legislation is through the very useful and powerful process of Senate inquiry. Many speakers have talked about the undue haste in which this bill was presented to the Senate inquiry in 2013. Some of those quotes are worth repeating to reinforce the principle that this Senate should reject this legislation, not on the basis of its merit nor of its underlying philosophy—that of protecting our citizens' privacy, which all of us would support—but on the basis that the process, if done with haste, is flawed and would expose us all to adopting legislation that is ill-considered and ill-tested. When you have bodies of the quality of the Cyberspace Law and Policy Centre at the University of New South Wales or the Australian Privacy Foundation, who speak out against the haste with which this legislation has been considered, then we should listen.

I recently received a quote which suggested that the amount of contemporary information retained today is greater than the aggregate amount of information accumulated since mankind has been keeping records. I understand that each year that will remain true. For example, in 2015 we will have a body of data collected on earth that is greater than all information recorded before it, including data created in the calendar year of our Lord 2014. So this is a very serious issue. Electronic data started to have accelerated accumulation about 45 years ago and society are still coming to terms with the collection, the storage and the additional responsibilities that go with this.

As I recently commented when the head of Australia Post came to this place to complain to us that Australia Post was starting to experience difficulties in the reduction of the volume of thin mail—that is, letters with a stamp affixed to the corner—my initial reaction was, 'Who didn't see that coming?' I would make the same comment with respect to the collection and our responsibility as a nation, as a government and, indeed more specifically, as the Senate, to look at, to prepare and to give passage eventually to legislation which secures and enhances those areas of responsibility relating to the collection and the management of data for and on behalf of our citizens. Given these challenges have progressively been coming into our lives over the last 45 years, I too ask the question: what is the rush? We need to go very steadily in this space. We have an obligation to consult. While the jurists and the academics have a responsibility to interrogate and recommend, we have the responsibility to test and examine and to test and examine, and to do so exclusively with the people who have an interest in relation to the outcome of this legislation. For me, that is code for me going back to my constituency in the state of Queensland, talking broadly with groups, organisations and individuals as we make this very important journey to continue to protect the environment in which data is held.

This matter will only grow in stature and importance as time passes. Legislation that we introduce needs to consider what I call across-the-horizon considerations. I once saw a skit on the television where Moses was coming down from Sinai with what appeared to be three tablets which, the impression was, contained the Commandments. It was meant to be a funny skit and Moses fell over out of sight of the camera. There was much breaking of granite and when he raised up, he had a very suspicious look about him as he scurried down the mountain with only two tablets under his arm; the suggestion being that the third tablet may have helped our modern society interpret contemporary guidelines with respect to offences and conditions existing today which perhaps were not anticipated or considered in the time of Moses.

History has always had to deal with this challenge. As time progresses and contemporary life brings new demands to our society, and challenges for legislators and law enforcement, we will always have to contemplate continuing changes with legislation and regulation to support our citizens.

I want to close by saying that I will never, in the time I am here—short or long—engage in the adoption of legislation which I am not personally satisfied has been scrutinised, examined, road-tested and considered very broadly by the society I represent. There will be times when that will no doubt get me into some trouble but if legislation does not meet the test of being good public policy and good law which is there to support our society's very important protections—such as data privacy—then I will not support the legislation.

Let me close simply by quoting an unattributed statement which says, 'At times it is folly to hasten and at other times to delay. The wise do everything in its proper time.' I urge colleagues, wherever you sit in this chamber, to support any initiative or move which ensures that this important legislation, which is capable of being supported by everybody, is given the proper time for consideration.

11:44 am

Photo of Richard ColbeckRichard Colbeck (Tasmania, Liberal Party, Parliamentary Secretary to the Minister for Agriculture) Share this | | Hansard source

I commend Senator O'Sullivan for his very considered contribution to the debate. I think it has been quite clearly articulated during the debate here this morning that the government in no way opposes proper management of data and appropriate frameworks around the management of privacy. Senator O'Sullivan quite clearly articulated that in his presentation, and I know my other colleagues have likewise.

I do not take away from Senator Singh's obvious intention to ensure that there are frameworks in place. But, like my colleagues, I do express concern that this is being pushed onto the chamber and the parliament without sufficient process for consultation. And I would have thought that this opposition might have learnt some lessons from its time in government and the many failures that it had through lack of consultation. It was a feature—

Photo of Bridget McKenzieBridget McKenzie (Victoria, National Party) Share this | | Hansard source

A hallmark.

Photo of Richard ColbeckRichard Colbeck (Tasmania, Liberal Party, Parliamentary Secretary to the Minister for Agriculture) Share this | | Hansard source

a hallmark—that is a better word; thank you, Senator McKenzie—of their administration. And when you have organisations such as the then Cyberspace Law and Policy Centre of the University of New South Wales Faculty of Law saying that they had around 10 working hours to collaborate on, draft and finalise a submission on a matter of this level of moment, I would have thought that it would be obvious that that was inadequate consultation. When you have a number of organisations, including the Australian Privacy Foundation, expressing concern around the consultation on and the preparation of the legislation that was presented to the parliament last year, I would have thought that that would have been an obvious indicator that there were concerns around its preparation. I would have thought that that would have been obvious, given the concerns that were raised and what I believe was the general inadequacy in the addressing of those concerns.

Even in the government's Senate committee report from last year, I do not believe they genuinely addressed the concerns that were raised by people who submitted to that inquiry. Even as an opposition, if they had genuinely wanted to put some framework like this into the public arena, there should have been a full and open and proper consultative process through which you would derive the legislation. You would make sure that the inadequacies that were raised in the previous incarnation of the legislation were given a proper airing, so that those who expressed concern previously would have the opportunity to have those concerns addressed.

I note the concerns around the definitions in the document. Experience would show any legislator that getting the correct terms and definitions in place may have a profound and lasting impact, and getting them wrong may have a bigger and a detrimental impact. It is absolutely incumbent on us all to do the work to ensure those things are right. We have to do that, particularly in relation to matters of privacy. They can have long-lasting and, in many cases, completely unconsidered and negative impacts on the broader community.

The opposition brought this piece of legislation to the parliament without going through due process when it was initially introduced and they rushed it through a Senate inquiry in a short period of time—which, as I said before, was a hallmark of the way that they operated previously. Those are genuine reasons for the government at this point in time not to support this bill.

You would have thought that they would have learnt, as I said earlier. They brought on a piece of biosecurity legislation which would impact across all of Australia and they proposed to give the parliament one day to conduct a Senate inquiry. On that occasion, we were fortunate in that enough members of this chamber said that one day to consider the biosecurity legislation for the entire country was not enough. But obviously, as to the bill we are talking about now, that leeway was not given to the parliament. That is disappointing. There were so many times when the then government used their numbers in this place to ram through pieces of legislation, with short Senate inquiries that did not provide adequate consultation but had effects down the track—think the mining tax, think pink batts, think school halls; you can line them all up.

Photo of Helen KrogerHelen Kroger (Victoria, Liberal Party) Share this | | Hansard source

And the NBN.

Photo of Richard ColbeckRichard Colbeck (Tasmania, Liberal Party, Parliamentary Secretary to the Minister for Agriculture) Share this | | Hansard source

Well, the NBN—dear oh dear! There was even one piece of legislation that they introduced within 24 hours which had six amendments made to it within those 24 hours, and it was so bad that they even put a sunset clause in it so that the bill would kill itself off. You would have thought that they would have learnt their lesson, but obviously they have not.

We do not deny that there should be proper processes in place to ensure management of data. In fact, a matter was raised, I believe, earlier in the debate where a senior employee of Cbus leaked names, birth dates, postal and email addresses and phone numbers of contributors to the CFMEU for use in a campaign. That indicates that there needs to be some work done. I think it is fair that there should be some work done. But it should be done utilising proper consultation and proper process. And all of the people who have been mentioned in the debate this morning who have expressed concern would applaud that. You do not give an organisation like the Cyberspace Law and Policy Centre of the Faculty of Law of the University of New South Wales 10 hours to consult on something like this. It really does not stack up. And of course when you have the Australian Privacy Foundation also expressing concerns, that is a fair indication of why proper consultation should be put in place and why we do not support this piece of legislation.

Photo of John HoggJohn Hogg (President) Share this | | Hansard source

Order! The time allotted for this debate has expired.