Senate debates

Wednesday, 8 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; Second Reading

5:45 pm

Concetta Fierravanti-Wells (NSW, Liberal Party, Minister for International Development and the Pacific)

I move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) will amend the Privacy Act 1988 (Privacy Act) to require entities subject to the Privacy Act to notify the Australian Information Commissioner and affected individuals if the entity experiences a data breach of a kind specified in the Bill.

High profile data breaches in recent years, such as breaches involving the dating website Ashley Madison or the US Office of Personnel Management, have demonstrated the potential harm that can result to individuals following unauthorised access to or unauthorised disclosure of personal information.

The rationale for mandatory data breach notification is that, if an individual is at likely risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow the individual to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.

Forty-seven US States currently have mandatory data breach notification schemes to deal with data breaches of this kind. Canada and the European Union have introduced schemes which are yet to commence, while New Zealand has also committed to introducing a scheme.

By contrast, with the exception of eHealth data breaches falling under the My Health Records Act 2012, mandatory data breach notification does not exist in Australia. The former Labor Government's Privacy Amendment (Privacy Alerts) Bill 2013 received bipartisan support to introduce such a scheme, but did not pass before Parliament was prorogued for the 2013 election.

Background to the Bill

The mandatory data breach notification scheme contained in this Bill implements a commitment the Government made in response to the Parliamentary Joint Committee on Intelligence and Security's February 2015 Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015.

The Australian Law Reform Commission (ALRC) recommended the introduction of a mandatory data breach notification scheme in its 2008 review of Australian privacy laws.

Following that review, the Australian Privacy Commissioner established a voluntary data breach notification scheme based on the principles the ALRC recommended, and published guidance material about appropriate data breach notification practices.

The voluntary scheme received 107 notifications in 2015-16, which is 245% higher than the 44 notifications received in 2009-10.

Despite this scheme, the Commissioner has publicly expressed concerns that data breaches in Australia are underreported.

The Bill draws on the ALRC's recommendation and practical experience gained from the Commissioner's voluntary scheme and associated guidance material. It is also expected that the Commissioner would issue guidance material under the mandatory scheme to assist entities to comply.

Consultation undertaken in developing the Bill

The Bill has also been subject to extensive consultation before introduction to ensure that the proposed scheme provides effective privacy protections for Australians without placing an unreasonable regulatory burden on industry.

Exposure draft legislation and explanatory material was released for public consultation between 3 December 2015 and 4 March 2016. Forty-seven public submissions were received on the exposure draft, most supportive of the proposal or supportive subject to particular technical changes.

The Attorney-General's Department also held discussions with a broad range of industry and civil society stakeholders during the consultation period.

The Government considered all stakeholder contributions made during the consultation. This has helped ensure that the Bill's mandatory data breach notification scheme is workable for regulated entities while still protecting the privacy of individuals.

Operation of the Bill

The Privacy Act currently requires most Australian Government agencies, private sector organisations with annual turnover of more than $3 million, and specific kinds of smaller organisations (such as health service providers) to take reasonable steps to protect personal information they hold. Equivalent requirements also apply to specific other kinds of information, such as tax file number information.

The Bill's mandatory data breach notification scheme applies to all entities who are subject to these existing requirements and experience an 'eligible data breach'. An eligible data breach is 'notifiable', as per the Bill's title, where it satisfies conditions specified in the Bill and no exceptions to notification apply.

An eligible data breach, in short, is where there is unauthorised access, unauthorised disclosure or loss of personal information that a reasonable person would conclude is likely to result in serious harm to individuals.

Experiencing an eligible data breach under the Bill will not necessarily mean that the entity concerned has breached the existing Privacy Act information security requirements. For example, it is possible that, despite having taken reasonable steps to secure personal information it holds, an entity may nonetheless experience a data breach due to human error or other circumstances that are not reasonably foreseeable.

Where an entity has reason to suspect that an eligible data breach may have occurred, the entity is required to undertake a reasonable and expeditious assessment of the circumstances. If an entity has reasonable grounds to believe they have experienced an eligible data breach, after an assessment or otherwise, the entity must notify the Information Commissioner and affected individuals. The entity has flexibility to notify affected individuals directly, or if that is not practicable, to publish an online notice about the eligible data breach.

Entities are required to undertake notification in these forms unless an exception applies. These exceptions are designed to balance privacy protections of individuals with other matters in the public interest, such as avoiding prejudicing activities of law enforcement agencies or disclosing information where that disclosure would be inconsistent with a secrecy provision in another law.

An exception will also apply where an entity can determine with a high degree of confidence that it has taken action to remediate the harm arising from an eligible data breach before that harm has occurred.

Finally, entities can apply to the Information Commissioner for an exception from the notification requirement, either altogether or for a specific period of time. The Commissioner has an additional power to direct an entity to notify an eligible data breach.

The mandatory data breach notification scheme in the Bill is connected to the existing enforcement framework under the Privacy Act. This means that the Information Commissioner's existing investigatory powers will apply in the event that an entity breaches a requirement of the Bill.

This will ensure that the Commissioner can investigate possible non-compliance with the mandatory data breach notification scheme, and potentially make a determination requiring the entity to remedy such non-compliance. In the case of serious or repeated non-compliance, the Commissioner can also apply to a court to impose a civil penalty.

Conclusion

This Bill will improve the privacy protections of Australians in the event of a data breach without placing an unreasonable regulatory burden on business. The extensive consultation undertaken in developing the Bill will ensure that the Bill's mandatory data breach notification scheme is both workable and effective.

Debate adjourned.

Ordered that the resumption of the debate be made an order of the day for a later hour.