Senate debates
Thursday, 13 October 2016
Bills
National Cancer Screening Register Bill 2016, National Cancer Screening Register (Consequential and Transitional Provisions) Bill 2016; In Committee
1:22 pm
Helen Polley (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary for Aged Care)
by leave—I move amendments (1), (2) and (3) on sheet 7945 together:
(1) Clause 26, page 26 (line 16), omit "The Minister ", substitute "(1) The Minister ".
(2) Clause 26, page 26 (lines 16 and 17), omit "a person ", substitute "a permitted entity ".
(3) Clause 26, page 26 (after line 20), at the end of the clause, add:
(3) In this section: permitted entity means:
(a) a Department of the Commonwealth, a State or a Territory; or
(b) a body (whether incorporated or unincorporated) established for a public purpose by a law of the Commonwealth, a State or a Territory; or
(c) a person in the service or employment of a Department mentioned in paragraph (a) or a body mentioned in paragraph (b); or
(d) a person who holds or performs the duties of an office or position established by or under a law of the Commonwealth, a State or a Territory; or
(e) an entity (whether incorporated or unincorporated) established for a charitable purpose.
(4) This section has no effect to the extent (if any) to which its operation would result in the acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph).
These are critical amendments being proposed by Labor. The amendments will go to the heart of the government's action to hand this sensitive information to a for-profit operator.
As I have outlined, there are clearly concerns with the shambolic way the government has approached this important legislation—in particular, their rush to sign the contract with Telstra before the legislation was even seen by the parliament. This is unprecedented. The existing cancer-screening registers are managed by governments and not-for-profit organisations with expertise in managing the registers. For example, the Victorian psychology service operates Victorian and South Australian registers for the National Cervical Screening Program, and yet the government signed a $220 million contract with Telstra only four days before the election was called.
Let's be clear: Telstra is a for-profit company, whereas the intention of the register is to save lives. Telstra has never operated a register like this. In fact, the Senate inquiry heard that a for-profit corporation has never managed a cancer-screening register anywhere in the world.
As I have mentioned, the register will hold extremely sensitive information about our health: human papillomavirus vaccination status, screening test results and cancer diagnoses. Certainly, this is not information that most Australians would be comfortable disclosing to a telecommunications provider. There is a clear question for this parliament: do we think that outsourcing this private and sensitive health information to a for-profit company is a good step for the future of our health system?
As the Royal College of General Practitioners, which represents 33,000 GPs, said at the inquiry into the legislation:
RACGP would be far more comfortable with it being operated by a government, tertiary institution or a not-for-profit entity that has little interest in how the data in the registry might otherwise be used for pecuniary reasons.
So let's be clear: there is no question about the value of the register. Labor strongly supports the register and the improvements to the bowel and cervical cancer screening programs it will enable. But as we have heard time and time again during the inquiry there was a question about the government's decision to outsource operations to Telstra.
The government knows it is a substantial change. This is why they rushed into signing a contract but could not bring themselves to mention it in the parliamentary debate. They rushed to sign the contract before caretaker kicked in and before the legislation had been introduced to parliament. The repercussions are clear: it has been a bungle.
These amendments would restrict the operation of a register to a government agency or to a not-for-profit organisation. Our amendments would allow the register to be operated by one of the organisations that actually have experience and expertise in this area, like the Commonwealth Department of Human Services or the Victorian psychology service. I commend Labor's amendments to the Senate.
1:26 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
I can indicate to the chamber that the government does not support the amendments moved by the opposition.
Successive governments have successfully partnered with the private sector to deliver many programs and services, and continue to do so. Implementing these amendments would be an extraordinary limitation on any government's ability to continue with these partnerships, and would certainly send a concerning message to the private sector.
The proposed amendments would negatively impact on the government's ability to deliver the register by 20 March 2017 for the National Bowel Cancer Screening program and by 1 May 2017 for the renewed National Cervical Screening Program. Significant delays in the implementation of the register will have significant consequences for the renewed National Cervical Screening Program as well as for the introduction of MBS items for the new HPV test, which has been recommended by the Medical Services Advisory Committee and supported by jurisdictions as a more effective screening test for protection against cervical cancer in women.
1:27 pm
Richard Di Natale (Victoria, Australian Greens)
I am just interested in seeking some clarification about the timing of the contract with Telstra—in particular, when that was signed and why, indeed, that was signed prior to any legislation being passed by the Senate?
1:28 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
Thank you, Senator. While I am just waiting for the actual date for you, my understanding is that it was very much a timing issue. Given the very real length of time that it takes to actually put these arrangements in place and with the dates we were trying for to attain delivery of this, it was a timing arrangement to have that in place.
The date of the contract I will provide to you very shortly—
Helen Polley (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary for Aged Care)
It was 4 May, actually, Minister.
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
It was 4 May 2016. Thank you very much for your assistance, Senator!
Richard Di Natale (Victoria, Australian Greens)
I am specifically interested in why the contract was signed in the absence of any specific legislation that would allow this contract to actually operate. I understand the timing, but it is a massive risk—it is a leap of faith to come in here and expect the Senate to pass legislation when what is happening is that we are entering into uncharted territory. We are handing over sensitive health information on Australian men and women. We are providing that information to a for-profit company, which is not something that we have ever done before—particularly within the cancer registry space. It is a big decision to do that.
Traditionally, these registers have been managed by government, and have been managed by specific for-purpose NGOs created specifically to manage this information. To hand it over to a for-profit, large telecommunications company is a big step. It was undertaken without any guarantee that the legislation would be approved by the Senate. So on what basis was the contract signed and why was it done before the passage of any legislation?
1:30 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
I reiterate what I was saying earlier. I think most people who have been following this are well aware of the timing and the hard marker dates that we are trying to get to in terms of delivering this. Without an operating register for the renewed NCSP there is no safety net for women participating in cervical screening, which risks their health and safety. There are a number of factors that have come into play where I think it is common sense to take into account the timing, the end marker and the period of time it will take to put those arrangements in place. So I appreciate your concern, Senator, but given that very timely issue, and in terms of those hard marker dates, it was simply appropriate to begin the process.
1:31 pm
Richard Di Natale (Victoria, Australian Greens)
But existing state registers would have continued to operate, so that information would have been collected. I agree with the intent of this legislation. I think it is important that we try and consolidate this information into a single national register. We certainly agree with the intent here. But I just want some clarification. The existing state registers would have continued. I am not sure about the timing imperative.
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
My understanding is that the states are not able to collect all of the information required, that only some of that information can be done by the states.
Nick Xenophon (SA, Independent)
I can indicate that I and my colleagues Senators Griff and Kakoschke-Moore will not be supporting this amendment. We understand the sentiment and the intent behind it. I believe the opposition and the Australian Greens have every reason to be concerned about the whole tender process being dealt with before the legislation was considered. That is something I hope the Auditor-General will be looking at in due course. Of course, it is for the Auditor-General to consider whether his office goes down that path. But the deal has been done. There is an opportunity for greater scrutiny of that through the ordinary courses of the parliament. To rip up this deal now would, I believe, trigger the just compensation provisions in the Constitution, which could mean that the Commonwealth would end up paying twice. So in economic terms I do not believe this is a practical amendment, although I do understand the very serious concerns as to why this amendment has been moved.
1:32 pm
Helen Polley (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary for Aged Care)
I would like to ask the minister why, when this was already in the 2015 budget, it took until 5 May to introduce the legislation, which is now causing the imperative that we deal with it so quickly?
1:33 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
My understanding is that a privacy impact statement had to be undertaken to assess the state and territory legislation.
Richard Di Natale (Victoria, Australian Greens)
Referring specifically to the proposed amendments by the Labor Party, I am interested in what they seek to do—at least, the issue around penalty units and also the amendment around data breaches. They try and bring this legislation in line with My Health Record. That was one of the recommendations from the Information Commissioner at the inquiry that was held. Given that that was a recommendation from the Information Commissioner, I am interested in understanding the basis for opposing the legislation around increased penalties and data breaches.
1:34 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
In relation to the higher penalty for breaches of the privacy provisions, firstly it is considered unnecessary. Under the Privacy Act, there is capacity to penalise up to $1.8 million. That is my understanding. I think it has to be taken into account as well that while obviously Labor is targeting this at Telstra Health we may well see family GP practices—and I am sure you would understand this, senator—also subject to the proposed increase in penalty should they make a breach. I think we have got to take into account also that Telstra are going to be very well aware of the reputational aspect of anything that might cause them to be considered as having done the wrong thing. I think we will find they are extremely focused on that, and we think that is appropriate.
In terms of data breaching—and I assume you are talking about the mandatory notification for data breaching moved by the Labor Party—certainly the bill, as amended by the government yesterday, already imposes a legal obligation on a contracted service provider. The contracted service provider and the secretary are to notify the Information Commissioner when they become aware of a data breach, or a possible data breach, in the handling of personal information on the register. The government amendment also includes a requirement for certain actions to be taken in response to the data breach, including containing and evaluating the risks associated with the breach and prevention of future breaches. Other steps include the Department of Health working with the Information Commissioner about notifying affected individuals. Any data breaches will be handled using established protocols for personal information breaches. As you referred to before, the amendments are in line with the provisions in the My Health Records Act 2012. It ensures a very systematic and measured response. At the same time I think we need to note that any mandatory requirement may well not give us the outcome we are looking for.
Richard Di Natale (Victoria, Australian Greens)
In regard to the haste with which we are proceeding with this legislation, what are the financial implications for the contract with Telstra if this legislation were not to pass during this sitting period?
1:37 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
My advice is that there are delay penalties, but the bigger impact—and I think everybody would be well aware of this—is actually not getting it up and running at the date that is targeted.
Richard Di Natale (Victoria, Australian Greens)
Could you provide me with some advice about the quantum of those delay penalties?
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
I will have to take that on notice for you, Senator, but I will endeavour to come back to you very quickly with it.
Richard Di Natale (Victoria, Australian Greens)
I have just one further question about the recommendations made by the Information Commissioner. I note that many of those have been adopted by the government and I think they are sensible changes. I am interested as to why the government initially was of a persuasion not to have an inquiry into the legislation, not to take that evidence, because without those changes the legislation that was proposed to the Senate would have been inconsistent with My Health Record and many of the changes that the Information Commissioner has suggested.
1:38 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
My understanding is that it was simply a matter of time.
The TEMPORARY CHAIR: The question is that amendments (1) to (3) on sheet 7945 be agreed to.
1:45 pm
Helen Polley (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary for Aged Care)
by leave—I move amendments (1) through to (8) on sheet 7946 together:
(1) Clause 4, page 3 (lines 21 and 22), omit the definition of contracted service provider.
(2) Clause 4, page 6 (line 10), definition of protected information, after "personal information ", insert ", key information ".
(3) Clause 18, page 19 (line 13), omit "120 penalty units ", substitute "600 penalty units ".
(4) Clause 22A, page 20 (line 24) to page 23 (line 31), omit the clause, substitute:
22A Data breaches
(1) This section applies to an entity if:
(a) the entity is:
(i) the Commonwealth, the Minister or the Commonwealth Chief Medical Officer, performing functions under this Act; or
(ii) engaged by the Minister, on behalf of the Commonwealth, to perform services for or on behalf of the Commonwealth in connection with functions of the Commonwealth, the Minister or the Commonwealth Chief Medical Officer under this Act; or
(iii) any other person performing work relating to the purposes of the register; and
(b) the entity becomes aware that:
(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, recording, disclosure or other use of information about an individual; or
(ii) an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the register; or
(iii) circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the register; and
(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.
Note: This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.
Notifying the Information Commissioner
(2) The entity must, as soon as practicable after becoming aware of the contravention, event or circumstances, notify the Information Commissioner of the contravention, event or circumstances.
Civil penalty: 600 penalty units.
(3) If an entity has given notice under subsection (2) on becoming aware that a contravention, event or circumstances may have occurred or arisen then, despite subsection (2), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.
Steps to be taken if contravention, event or circumstances may have occurred or arisen
(4) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:
(a) so far as is reasonably practicable contain the potential contravention, event or circumstances;
(b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;
(c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one individual—notify all individuals who would be affected.
Civil penalty: 600 penalty units.
Steps to be taken if contravention or event has occurred or the circumstances have arisen
(5) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:
(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;
(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;
(c) notify all affected individuals;
(d) if a significant number of individuals are affected—notify the general public;
(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraphs (1) (b).
Civil penalty: 600 penalty units.
(6) If an entity has given notice under paragraph (4) (c), then despite paragraph (5) (c), the entity need not give notice under paragraph (5) (c).
(5) Clause 22B, page 24 (lines 2 and 3), omit "section 18 or subsection 22A(1), (2), (4), (5) or (6) ", substitute "this Act in connection with personal information or key information about an individual included on the register ".
(6) Clause 26, page 26 (line 16), omit "The Minister ", substitute "(1) The Minister ".
(7) Clause 26, page 26, after subclause (1), insert:
(2) Ownership of information included in the register or otherwise obtained under, or in accordance with, this Act is retained by the Commonwealth despite any agreement under subsection (1).
(8) Clause 27, page 27 (lines 1 to 6), omit subclause (2), substitute:
(2) The Secretary may, in writing, delegate his or her functions or powers under paragraph 17(3) (g) (about disclosing information) to an SES employee, or an acting SES employee, in the Department.
These are essential amendments which go to the heart of protecting Australia's most sensitive health information. Let's remember the government did not want this legislation scrutinised. When Labor and the crossbenchers referred the legislation to a committee they said it was unnecessary, and the health minister went so far as to label it 'hysterical'.
This is an inquiry which has forced the government to make amendments to their own legislation after the Information Commissioner identified critical issues and potential loopholes. No wonder the government did not want parliament to examine the legislation closely; they had completely botched it. This is their reputation. After all, they had signed a contract with Telstra before passing or even introducing the legislation.
While Labor is pleased the government has finally come, kicking and screaming, to make some of these adjustments to their legislation there is more that needs to be done. Firstly, individuals should be notified when their most sensitive health data is breached. Under the government's draft legislation, if and when there are data breaches, Telstra only has to tell the Department of Health. This is the same department that had a breach of health information recently, which took weeks to be made public, with the health minister only standing up and mentioning it in a speech at a GP conference. While we understand the government will not accept Labor's amendments to ensure that the Privacy Commissioner is notified of breaches, it is not enough. Individuals deserve to be told if their most private health information is accessed inappropriately, so Labor's amendments will mandate disclosure of data breaches to affected individuals.
The government will argue that the Privacy Commissioner can notify individuals if he chooses but, again, not good enough. Individuals must be told. It simply beggars belief that the government does not consider this important enough to make the change. This is consistent with Labor's position across all portfolios. The government says it agrees, but is dragging its feet on mandatory disclosure legislation. Despite many promises, the government is yet to implement data breach notification laws that would make it mandatory to let Australians know when their personal information has been compromised.
Secondly, Labor has already proposed an amendment to increase the penalty for unauthorised use or disclosure of information. Under these bills the penalty for recording, using or disclosing information without authority is only $21,600. That is a drop in the ocean for an organisation like Telstra, which reported profits of almost $2.1 billion in the six months to 31 December 2015. Labor's amendments would increase the penalty for unauthorised use or disclosure of information from 120 penalty units, which is $21,600, to 600 penalty units, which is $108,000. Under the Crimes Act 1914 a court can impose a penalty up to five times this amount on a corporation. So if Telstra is the register operator it could be fined up to $540,000 for breaching the legislation. Again, the government will argue that the Privacy Commissioner can seek tougher penalties, but this should not be discretionary. If individuals or organisations inappropriately use Australians' most sensitive health data, they should be punished severely and automatically.
Thirdly, Labor has proposed an amendment to make explicit that the Commonwealth will be custodians of data in the register. The explanatory memorandum states:
Although the bill does not address issues of ownership or custodianship of information, the Commonwealth will be custodian of data in the register.
There should be no question of explicitly outlining this in the bill as well, yet the government is refusing to include it. This raises several questions about why the government does not want to clearly state that the Commonwealth is the custodian of the data. This is an important consideration in relation to access and use of this data and, given the sensitive information at hand here, Labor's amendment is essential. These amendments are crucial. I ask that the Senate properly consider the repercussions if they are not agreed to.
1:50 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
I can indicate to the chamber that the government does not support the amendments as put forward by the opposition.
1:51 pm
Nick Xenophon (SA, Independent)
I can indicate that I, along with my colleagues Senators Kakoschke-Moore and Griff, do not support these amendments. I would like confirmation, subject to the government confirming to me what they have confirmed previously, that it will be introducing mandatory reporting legislation next month based on the exposure draft. Also, could the government confirm that Telstra will be an entity covered under the government's proposed legislation? I ask the minister that as well, so that is on the record.
If this amendment is passed, subject to the assurances and to the commitments and undertakings from the minister, it will create a separate data breach application notification regime just with this register, which would be inconsistent with the proposed laws. It is much cleaner to improve the mandatory data breach notification laws so that all affected entities are covered at once.
The current regime will suffice until the new legislation. We need to ensure that the government's new legislation is scrutinised and passed this year. I need that confirmation because our opposition to the amendment is conditional upon those assurances.
1:52 pm
Fiona Nash (NSW, National Party, Deputy Leader of the Nationals)
I can confirm all of those for you.
Helen Polley (Tasmania, Australian Labor Party, Shadow Parliamentary Secretary for Aged Care)
I will put on the record that, once again, we are left with having to trust a government that has consistently bungled this process from day one.
Nick Xenophon (SA, Independent)
The simple retort to that is that if the government duds us on this they are not going to get cooperation on pretty much anything else. I expect that the government will meet its commitments in respect of this. If they don't, there will be consequences from our point of view.
Chris Ketter (Queensland, Australian Labor Party)
The question is that amendments (1) to (8) on sheet 7946 be agreed to.