Attorney General gives a speech at the Privacy and Compliance Forum in Sydney on 12 June 2013
June 12, 2013 |
The Attorney General gave a wide ranging speech at the Privacy Reform and Compliance Forum in Sydney today.
Absent greetings and formalities it provides:
It is very timely that we are having detailed discussions about privacy reform and compliance in Australia. It is a very exciting time for privacy policy in Australia.
We are fast approaching the commencement of the Government’s new privacy reforms in March 2014.
And I hope we will also have a new mandatory data breach notification scheme commencing next year. As many of you would know, the bill passed the House of Representatives last week and is now ready for consideration by the Senate.
It is important that we gather for events such as these to raise awareness about significant changes in the law, and how best to meet new compliance requirements.
As we move towards March 2014, it is important that all of us, including regulators, privacy practitioners, compliance and information experts, industry representatives and privacy advocates are aware of what is coming, and are taking appropriate steps to prepare for it.
In recognition of this important work, I am pleased to announce that we have today released a position paper setting out the detail of the Privacy Regulations which will support the new legislation.
The Regulations described in the paper, which is available from my Department’s website, will also be in force from 12 March 2014. By providing certainty in the full suite of regulations now, this paper will greatly assist all who are regulated by the Privacy Act in implementing and preparing for the reforms.
In addition to detailed discussion of the March 2014 reforms, this forum provides the perfect opportunity to discuss emerging privacy reform issues.
For example, I am pleased to see that the forum will consider the privacy implications of issues such as cloud computing, social networking and ‘big data’.
These issues raise significant privacy challenges, and I will be very interested in the views of all the participants here in options for addressing these challenges.
In taking on the role of Attorney-General, I was very pleased that it included responsibility for privacy law and policy development.
Privacy is often a key consideration in the development of law and justice policy.
It intersects with, and counterbalances, many other law and justice issues for which I have responsibility, such as law enforcement and national security.
I often see media reports declaring the end of privacy, or that younger generations are not concerned about their privacy.
What I have learned in my time as Attorney-General is that reports about the death of privacy are grossly exaggerated.
It is clear to me that Australians feel very strongly about the protection of their privacy.
I’m yet to receive a letter from an individual complaining that they receive too much privacy.
In the online environment, it is now commonplace to read detailed privacy notices, adjust privacy settings on social media sites, and expect high levels of data security.
Australians are becoming very familiar with their privacy rights.
Community attitudes about privacy have not waned. In fact, I think they have strengthened.
The Federal Privacy Commissioner will tell you that there is a healthy flow of privacy complaints and inquiries to the Office of the Australian Information Commissioner.
While many people are prepared to provide their personal information to businesses or a government agency, many will do so only where they are satisfied that the information will be given appropriate privacy protections.
And many people are aware of their right to complain if something goes wrong.
My hope is that the new reforms will build even more confidence in the Australian community about the privacy practices of government agencies and businesses by facilitating even more open, transparent and secure handling practices involving personal information.
The major privacy reforms enacted by the Government in late 2012 will commence on 12 March 2014. That is about nine months from today.
If you are a private sector business or government agency that is regulated by the Privacy Act, you should be well advanced in getting ready to comply with these changes.
These are the most significant reforms to the Privacy Act 1988 since it was enacted nearly 25 years ago.
They will implement many of the recommendations made by the Australian Law Reform Commission in its 2008 report on privacy.
I would like to spend a bit of time going through some of the key measures in the reforms.
First, they will introduce new Australian Privacy Principles.
These are unified principles that will apply to both government agencies and private sector organisations.
The Australian Privacy Principles set out standards, rights and obligations in relation to the handling and maintenance of personal information by government agencies and businesses.
Many are based on existing National Privacy Principles and Information Privacy Principles in creating rules about the collection, use, disclosure, quality and security of personal information.
As recommended by the Australian Law Reform Commission, the Australian Privacy Principles are structured to more accurately reflect the ‘life cycle’ of personal information.
Importantly, the first new Principle (APP 1) will require government agencies and private sector organisations to develop detailed, clear, open and transparent privacy policies.
We see this as commonplace now. Whenever we visit an internet site of a company, we invariably expect to see on the home page a link to a clearly written and transparent privacy policy.
APP 1 will make this a required standard that all entities regulated by the Privacy Act will need to implement.
The move towards a unified set of principles was a key recommendation of the Australian Law Reform Commission.
The Commission found that the existence of two sets of privacy principles caused difficulties for agencies and organisations seeking to comply with the Privacy Act.
There may be circumstances when an organisation or agency is subject to both the Information Privacy Principles and the National Privacy Principles.
For example, an Australian Government contractor may be bound under the Act to comply with the National Privacy Principles but also may be bound by contract to comply with the Information Privacy Principles.
This reform will cut red tape and duplication. It will clarify and simplify the obligations of agencies and organisations with respect to privacy.
This simplification may go some way to offsetting costs associated with implementing a new regime for privacy regulation.
While most of the Australian Privacy Principles are based on existing concepts in the Information Privacy Principles and National Privacy Principles, there are some important new Australian Privacy Principles which I would like to briefly touch on.
First, there are new principles specifically related to direct marketing and cross-border disclosure of personal information.
Direct marketing is a legitimate and important activity for the growth of Australia’s digital economy.
I’m pleased to see there is a session at this forum dedicated to discussing direct marketing.
Significant innovation has occurred in this area in recent years, and it is becoming an important tool for businesses to effectively market their products and services to Australians.
However, it is important that consumers are able to exercise the same types of choices that they enjoy outside the online environment.
These include clear rights to opt out of receiving direct marketing material.
The new direct marketing principle reflects this balance by allowing legitimate direct marketing to occur, while protecting the rights of consumers in how their personal information is used and disclosed for that activity.
Similarly, a new principle (‘APP 8’) contains new rules about the cross-border disclosure of personal information.
This is a very important provision because Australians are concerned whenever personal information they provide to an organisation or agency is sent overseas.
APP 8.1 sets out a requirement for an Australian Privacy Principle entity that chooses to disclose personal information to overseas recipients to ‘take such steps as are reasonable in the circumstances’ to ensure that the overseas recipient does not breach the Australian Privacy Principles.
The general requirement to take reasonable steps to ensure compliance will be qualified by a number of exceptions.
For example, this might be where an individual gives a properly informed consent to the disclosure, or where the disclosure happens pursuant to an international information-sharing agreement.
Where this occurs, accountability for the personal information is effectively transferred to the foreign recipient.
However, if accountability has not been transferred by an agency or organisation, the new reforms will provide that such an entity will be taken to have breached the Australian Privacy Principles in certain situations.
In general terms, that will be where the overseas recipient does something that would be a breach of the Australian Privacy Principles, if those Principles had applied to those acts or practices.
This provision is necessary because the personal information of Australians is increasingly being sent overseas.
While I accept that this is happening for a range of legitimate reasons, I believe that Australian agencies and organisations should not be able to abandon responsibility for the handling of that information once it has left Australia.
The Australian Privacy Principles also provide for a higher standard of protection of an individual’s “sensitive information”, including health related information and biometric data.
The use of biometric information and templates is on the increase, and not just by government agencies.
It is clear that this type of information is useful in a number of contexts for both agencies and organisations.
For example, some companies need high levels of assurance about the identity of a particular individual, before allowing that individual to transact with the company.
The collection of biometric information may be the only appropriate means to facilitate this.
It may also be in the interests of that individual that they do not become victims of identity fraud.
Similarly, I am aware that some government service delivery agencies use voice biometrics to verify the identity of their customers.
However, the idea that a private sector organisation could be holding large amounts of biometric information, collected through means such as facial recognition technology, does raise genuine concerns among some individuals.
There is a place for the appropriate use of biometric information but I strongly believe that it must be accompanied with rigorous privacy protections.
That is why the new Australian Privacy Principles provide that the collection of sensitive information, which includes biometric information, must occur after consent is given by the individual concerned, unless an exception applies.
I hope the Australian Privacy Principles can be the basis for the development of more consistent and harmonised privacy regimes in state and territory jurisdictions.
The Australian Law Reform Commission found that Australia’s privacy framework was inconsistent, complex and fragmented.
The Australian Law Reform Commission found that this created an unjustified compliance burden and costs, impediments to information sharing and national initiatives, and confusion about who to approach to make a privacy complaint.
It found there were clear benefits in having a nationally consistent privacy regime.
The Australian Privacy Principles substantially reflect the recommendations of the Australian Law Reform Commission and I would encourage State and Territory jurisdictions to carefully consider adopting it, or key aspects of it, as a model.
The new reforms will also introduce more comprehensive credit reporting into Australia for the first time.
The reforms will allow credit providers to have additional information to make a more robust assessment of credit risk, and to assist those providers to meet their responsible lending obligations.
It is expected that this reform will lead to decreased levels of over-indebtedness and lower credit default rates.
More comprehensive credit reporting is also expected to improve competition and efficiency in the credit market, which may result in reductions to the cost of credit for individuals.
The reforms will also rewrite the credit reporting provisions in the Privacy Act to achieve greater consistency, simplicity and clarity.
They will update the provisions to more effectively address the significant developments in the operation of the credit reporting system since the provisions were first enacted in 1990.
The new credit reporting provisions will provide additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction, and complaints.
Important ongoing work is currently underway to underpin these new measures.
A credit reporting code is being developed by industry, and regulations are being finalised by my Department.
The new reforms will also introduce strengthened powers for the Privacy Commissioner.
It is important that the regulator has the necessary tools to promote compliance.
These will include the power to accept enforceable undertakings, conduct privacy performance assessments, and seek civil penalty orders.
A civil penalty may be imposed by a court where an organisation or agency is found to have committed a serious or repeated interference with the privacy of an individual.
I’m glad to see that a lot of work is underway, particularly at the Office of the Australian Information Commissioner, in preparing for a smooth transition to the new regime.
The Office of the Australian Information Commissioner has already produced a number of useful and informative resources.
It also plans to release a range of guidance material over the next few months to assist businesses and government agencies to prepare for, and implement, the new changes.
I encourage everyone here today to continue to monitor the Information Commissioner’s website to look at all the material on its ‘Privacy Reforms’ page as part of preparing for the new changes.
On 29 May, I introduced into Parliament another major privacy reform: the Privacy Amendment (Privacy Alerts) Bill 2013.
This Bill will implement a key and long-standing recommendation of the Australian Law Reform Commission to introduce a mandatory data breach notification scheme.
Studies undertaken by Unisys and the University of Canberra show overwhelmingly that Australians want to be told about a data breach involving their personal information.
Notification of data breaches will empower individuals to take corrective or remedial action to change or resecure personal information.
The simple act of cancelling a credit card or changing a password gives that individual the opportunity to limit the possibility of identity theft or fraud.
We currently have a voluntary system in Australia. I know that many of you have systems in place to adhere to the voluntary system, and some have notified the Office of the Australian Information Commissioner and affected individuals where appropriate.
I believe that system is not adequate.
Data breaches are underreported to the Information Commissioner, and we continue to find out about them only through media reports.
Recent studies by McAfee show that around 21% of Australian businesses have suffered data breaches.
Those figures do not match the notifications to the Information Commissioner.
Large scale data breaches continue to occur, and every incident that is reported in the media continues to raise community concerns about the need for a mandatory scheme.
As recently as February this year, the Australian Broadcasting Corporation (ABC) revealed that the personal details of almost 50,000 internet users had been exposed online after the ABC’s main website was hacked.
Only last month, the Privacy Commissioner opened an investigation into reports of a data breach involving Telstra.
A media report indicated that the personal information of thousands of Telstra customers had been found online using a simple Google search.
One search found approximately 1677 customer records in one of the spreadsheets, which contained Telstra customers’ names, phone numbers, plan names and home addresses.
A further three spreadsheets contained 8201 customer records that contained names and telephone numbers.
This followed other large scale breaches in recent years at Telstra, and others at Medvet and Sony PlayStation.
A mandatory notification requirement will act as an incentive to the holders of personal information to adequately secure that information, leading to an improvement in information security practices.
A mandatory data breach notification scheme will also provide better information to government and the public on the scope and frequency of data breaches.
That could be vital in the development of measures to combat the frequency and severity of data breaches.
As many of you are aware, the Government has undertaken extensive consultation in the development of this Bill and we believe it strikes the right balance.
Mandatory data breach notification schemes are established across the United States, and are being seriously considered in other places like the European Union, New Zealand and Canada.
They are an important consumer protection measure in the digital age, and one that can operate to the benefit of those businesses that are customer focused.
The Bill introduced in the Commonwealth Parliament contains some important key measures.
First, it will apply to those entities subject to the existing Privacy Act.
They will be required to notify the Office of the Australian Information Commissioner and affected individuals of serious data breaches.
These will be breaches that give rise to a ‘real risk of serious harm’ to an affected individual, or breaches involving particular types of information that have been prescribed.
A ‘real risk’ is defined as a risk that is not a remote risk. That is to ensure that there is no requirement to report breaches that involve only a slight, faint or improbable risk.
In addition, the real risk must relate to ‘serious harm’. The term ‘harm’ has been defined to make it clear that it includes certain types of harm such as financial, economic, and reputational harm.
That is in addition to the normal dictionary definition of ‘harm’, which would include physical harm.
The concept of ‘serious’ is intended to be based on the same concept that currently appears in the Office of the Australian Information Commissioner guide.
The Office of the Australian Information Commissioner guide will continue to provide guidance on the factors that entities should consider when assessing whether the harm is ‘serious’.
For example, currently it notes that harm could be ‘serious’ where it could lead to events like identity theft, financial fraud, fraud against the Medicare and PBS systems, and health fraud.
Or it could be ‘serious’ where it could be used to create discrimination or disadvantage or, in extreme cases, blackmail.
Under the Bill, notifications will have to contain:
- a description of the breach,
- a list of the kinds of personal information concerned,
- contact information for affected individuals to obtain more information and assistance, and
- recommendations about the steps that individuals should take in response to the breach.
This is basic information, and only that which is necessary for an individual to take appropriate action to limit possible damage.
It also is enough information for the Office of the Australian Information Commissioner to know how the entity is responding, and for the Office to decide on whether it should offer assistance to the entity.
The Privacy Commissioner will have the power to compel notification to affected individuals where the Commissioner becomes aware of a serious data breach that has not been notified and it is in the public interest to do so.
That might arise as a result of an individual’s complaint or through a media report.
The Australian Information Commissioner would also have the power to exempt an entity from providing notification if it is in the public interest to do so. For example, there may be national security implications raised by a notification of a data breach.
As you all know, Parliament rises before the end of this month. I hope that the Bill can be passed before then and is up and running in March 2014.
I know that many of you will be interested in other reform developments.
You may recall that the Government announced in March that the question of whether to introduce a statutory cause of action for serious invasions of privacy would be referred to the Australian Law Reform Commission.
I appreciate that some would like a definitive answer on this question.
But it is clear that prior consultations on this issue by the Australian Law Reform Commission and in the Government’s 2011 consultation paper showed that there was little consensus, even among privacy advocates, on how this legal right should be created.
A range of issues have been raised, including whether a tort would create a more litigious culture, how it would impact on free speech and how the implied right to political communication would be balanced with an individual’s right to sue.
I believe it is important that this issue receive fresh consideration in light of changing conceptions of community privacy and the rapid growth in information technology capabilities.
I have asked the Australian Law Reform Commission to conduct an inquiry into the protection of privacy in the digital era.
The inquiry will address both prevention and remedies for serious invasions of privacy.
The Government strongly believes in protecting the privacy of individuals, but this must be balanced against the Australian public’s right to freedom of communication and expression.
I have asked the Australian Law Reform Commission to ensure that the importance of freedom of expression and other rights and interests are appropriately balanced.
The Government will carefully consider the findings of the Australian Law Reform Commission before making a final decision.