Privacy Amendment (Notifiable Data Breaches) Bill 2016 read a third time in the House of Representatives

February 8, 2017 |

Yesterday the second reading speeches of the Privacy Amendment (Notifable Data Breaches) Bill 2016 concluded and the Bill was read a third time.  It is now heading to the Senate. Given the Opposition and the Xenaphon team are supporting its passage the Bill is likely to be debated quickly and pass unamended. Though the Senate being the Senate it is not out of the realm of possibilities that some form of amendment is possible.  It is likely to be enacted well before the winter break.

The Hansard reads:

Mark Dreyfus

Labor supports the Privacy Amendment (Notifiable Data Breaches) Bill 2016. We support this bill because, in fact, it is our own bill. In 2013, Labor in government introduced the Privacy Amendment (Privacy Alerts) Bill 2013. That bill, like this one, made it mandatory for regulated entities under the Privacy Act to alert consumers when their personal data had been breached—whether through accident or malice. That 2013 bill followed an extensive report by the Australian Law Reform Commission in 2008, which recommended the Privacy Act be amended to provide as follows:

An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

A failure to notify it would result in a civil penalty. The ALRC went on to clarify that ‘specified personal information’ should include personal information as well as sensitive personal information—for instance, a unique identifier that links someone’s Medicare number to their name and address.

After extensive consultation, Labor responded to that recommendation with our privacy alerts bill, which I introduced as Attorney-General on 29 May 2013. That bill had bipartisan support and passed in this House but, sadly, lapsed at the 2013 election before it could pass in the Senate. With the total absence of action from the Abbott government, Labor introduced a private senators’ bill in 2014 to the same effect as the 2013 bill. That, again, lapsed at the 2016 election. The best we got from the Abbott-Turnbull government in the 43rd Parliament was an exposure draft released in 2015, which went nowhere. That followed the February 2015 recommendation of the Parliamentary Joint Committee on Intelligence and Security—as part of that committee’s report on mandatory data retention—to the effect that a mandatory data breach notification scheme be introduced by the end of 2015. The coalition government agreed, in its response to the intelligence committee’s recommendation, that it would do so, but it failed.

The government’s inertia has been baffling. It has taken the government more than three years to introduce a simple, straightforward bill that has bipartisan support. The reasons for this delay are totally beyond me. Many Australians would be shocked to learn that it is not already mandatory for agencies or companies to notify them when their personal data has been breached. For example, the Department of Health, Department of Social Services, a bank or an online store could accidentally leak your data today, and you may not hear about for another few years—or at all. That is the current situation.

If consumers are not informed that their personal data has been breached until months or even years after the fact, it removes their ability to take remedial action. They cannot change their credit card details and they cannot keep a watch for suspicious activity; they are totally powerless because they are unaware. This is clearly unacceptable.

And while the government has waited and delayed, the situation has worsened. We have had example after example of data breaches—sometimes serious and sometimes not notified until a very lengthy period has elapsed. A prime example is the Catch of the Day case, where the personal data of some or all of its two million customers was hacked and stolen in 2011, but the customers were not told until 2014. This, rightly, caused outrage when it came to light. Moreover, the company did not report the hack to the Australian Federal Police when it happened in 2011.

This bill is designed to prevent exactly this kind of situation. Corporations—or, indeed, Public Service departments—must not be allowed to delay reporting of a serious breach of personal data because of fear of the damage it might cause to the reputation of the company or organisation. They must disclose to affected customers as soon as the breach is known. Australians deserve to know so they can act to protect themselves.

The threshold test for an eligible data breach is outlined in proposed section 26WA of the bill. It provides that an eligible data breach happens if it is ‘likely to result in serious harm’. In contrast, the threshold test in the Privacy Amendment (Privacy Alerts) Bill 2013 was ‘real risk of serious harm’. The test ‘likely to result in serious harm’ could be seen as a slightly higher threshold, particularly when combined with the list of relevant matters for consideration to help guide whether harm is likely or unlikely. However, the ALRC report For your information: Australian privacy law and practice noted that in international law the terms ‘likelihood’ and ‘real risk’ are similar and related. The term ‘a real risk of serious harm’ has been defined to mean ‘a reasonable degree of likelihood’, ‘real and substantial danger’ and ‘a real and substantial risk’.

The Law Council in their submission on the exposure draft of the bill expressed concern that the ‘real risk’ test was unclear. They view the 2016 bill as an improvement on the exposure draft version of the bill. The new test responds to stakeholder concerns about the practicability of determining what degree of probability and what kind of harm would be captured in the phrase ‘real risk of serious harm’. It will provide greater certainty for regulated entities to be able to comply with their obligations.

The protections for consumers contained in this bill become even more vital with the worrying trend of this government to outsource the handling of personal data from the public sector to the private sector. This includes the sell-off of ASIC’s corporate registry, which holds critical information on more than two million companies in Australia. It holds the names of directors of companies, company names and corporate histories. It is a key resource for journalists and the public who wish to find out more about Australian companies. Business owners are required to lodge a lot of detail with ASIC, not all of which is made public, which undoubtedly they would not want to fall into the wrong hands.

In the midst of the election last year, we heard that the Turnbull government would award the contract for managing sensitive medical records to Telstra, which will be in charge of the new national cancer screening registry from next year. The contract, estimated to be worth $180 million over three years, is the first time such sensitive data will have been in corporate hands. Telstra does not have a spotless history in terms of taking care of its customers’ data, and has had a number of breaches looked at by the Office of the Australian Information Commissioner. In 2014, Telstra was fined $10,200 for exposing the personal data of nearly 16,000 customers online. I quote from The Australian in an article dated 11 March 2014:

The finding is the latest stain on Telstra’s lax privacy record. In 2012 the telco received a similar warning from the Privacy Commissioner for publishing the personal information of more than 730,000 customers online. It also received warnings for breaches of customer data in 2010 when a mailing list error resulted in about 220,000 letters with incorrect addresses being mailed out.

In an era such as this, when personal health data is being handed over to a big corporate with a patchy privacy record, the passage of this bill is more important than ever.

Then we have the proposed privatisation of the Medicare data system, which the government pledges is no longer going ahead—but who knows whether they will keep to that promise. If it did go ahead, this would possibly be the largest transfer of personal health and financial data from public to private hands ever undertaken by a government. It is vitally important that the protections contained in this bill are in place before that happens—if, indeed, it does happen.

To conclude, it is extraordinary that it has taken the coalition government more than 3½ years to introduce a bill almost identical to one passed by this House with bipartisan support in June 2013. I regret that it has taken the government so long to act, but I am glad that it has finally done so. I commend this bill to the House.

Rebekha Sharkie (Xenaphon team)

This bill is important because it contributes to increased accountability and transparency—a key issue for the Nick Xenophon Team. In particular, its aim is to protect the rights of individuals in an increasingly complex digital world. When passed, it will ensure that an entity that holds data must take action to inform an individual if there is a likely risk of serious harm as a result of unauthorised access or unauthorised disclosure of their information. The Nick Xenophon Team default position is to support legislation that seeks to rebalance the power between corporations and individuals by giving greater protection to ordinary people.

This bill has a long history. Its genesis can be traced back to Nick Xenophon and his concerns about safeguards, or lack thereof, in the legislation about data retention and access to metadata—and we remember the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. At the time my colleague Senator Nick Xenophon expressed concern because the capacity of the state to have everyone’s information, in terms of who they have contacted, should carry with it a need for much greater scrutiny and protections. Unfortunately, adequate protections were not built into the legislation at that time. While not completely addressing our concerns about the retention of metadata, this bill attempts to reduce the risk to individuals of their data being accessed or disclosed in an unauthorised way, meaning that they have an opportunity to take their own action to minimise the damage.

Of broad concern to the community would be the security of health data. This comes into sharp focus in the context of legislation to establish a cancer screening register that was recently passed by this parliament. Understandably, there have been concerns expressed about the privacy and security of the data held, because the register will be established and operated by a private sector company—Telstra, which won the tender to operate the register.

Telstra does not have a good track record in relation to protection of customer data. In 2013 Telstra accidentally released the personal information of almost 16,000 customers, including names, addresses and phone numbers. This information was accessible via Google search for almost a month. At the time the breach was discovered, Telstra was already subject to a direction from the communications watchdog to improve its customer data protection following a 2011 breach which involved 234,000 customers.

The National Cancer Screening Register will have two main purposes. The first will be to manage a contact database linked to reminders to undertake cancer screening. The second is of greater concern, because it will hold a further personal cancer health record containing test results, treatments and other sensitive information. The latter is why it is important to have the provisions in this bill before us so that if a breach were to occur, Telstra would be obligated to notify affected individuals.

The Red Cross blood donor service recently experienced one of the most significant data breaches ever seen in the health sector. It affected more than 500,000 blood donors. Personal information, including being identified, whether correctly or incorrectly, as having at-risk sexual behaviour was accidentally placed on an insecure computer environment due to human error. The Red Cross acted appropriately under the current voluntary code; it informed individuals and set up an information site. This legislation will ensure that in any similar situation the organisation will be obligated to take such action.

Closer to home for me, the South Australian Health Service is experiencing serious internal breaches, resulting in five staff being sacked for inappropriately accessing patient records. Up to 20 additional staff have also been disciplined. It is unclear whether the patients in each of those circumstances were notified of the breach of their privacy.

One of the core principles of the Nick Xenophon Team is transparency and, of course, accountability. This must apply to governments, and also corporations must accept the social contract they have with the community. When individuals provide data to companies they expect those companies to protect the privacy of that data. That is at the heart of the social contract.

This bill brings corporations to account and forces them to take responsibility for their social contract, especially when things go wrong—as they sometimes do. This is a win for the Nick Xenophon Team; but, more importantly, it is a win for the average citizen who puts their trust in companies to protect the integrity of their personal data. The Nick Xenophon Team will continue to push for increased government and corporate accountability. We have recently negotiated with the government during the passage of the registered organisations legislation to deliver increased whistleblower protections. That will protect informants who shed light on unconscionable dealings.

We will continue to push for measures such as a national anticorruption commission. We want to see political donations declared in a more timely manner and we want to review duplicated services at a federal, state and local government level, and to determine the most appropriate entity to deliver those services. We will continue to fight for ordinary Australians who have lost trust in their government.

To conclude: members of the public must be advised when there is a privacy breach involving their personal data so that they can access what action they may take to minimise harm to themselves. In an increasingly digital environment, corporations must take responsibility for protecting the data of their clients and their customers, and to do it effectively. And if they fail, they must be held to account. Thank you.

Michael Keenan

I do thank the honourable members for their contributions to this debate, particularly the member for Isaacs and the member for Mayo.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 will amend the Privacy Act 1988 to introduce a mandatory data breach notification scheme. The purpose of the scheme is to ensure that individuals can take steps to protect themselves in the event that their personal information is compromised by any data breach. The bill implements the government’s response to the Parliamentary Joint Committee on Intelligence and Security‘s February 2015 Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.

The bill creates a mandatory data breach notification scheme which applies to Australian government agencies and private sector organisations subject to the Privacy Act. These entities will be required to notify an individual whose personal information is subject to unauthorised access, unauthorised disclosure or loss, where a reasonable person would consider the individual is at likely risk of serious harm as a result.

The extensive consultation undertaken on this bill has ensured that it strikes an appropriate balance between effectively protected individuals whilst remaining workable for business. The bill complements the existing information security requirement in the Privacy Act, and will provide individuals with confidence that they will be notified in the event of a data breach which places them at likely risk of serious harm. In an environment where entities collect and use growing volumes of personal information in their business activities and where individuals enter into increasing numbers of online transactions, the bill is an important consumer protection measure to build on the strong privacy legislation protections already provided for within existing Australian privacy legislation.

Bill read a second time.

Michael Keenan (Stirling, Liberal Party, Minister for Justice) Share this | | Hansard source

by leave—I move:

That this bill be now read a third time.

Question agreed to.

Bill read a third time.

One Response to “Privacy Amendment (Notifiable Data Breaches) Bill 2016 read a third time in the House of Representatives”

  1. Privacy Amendment (Notifiable Data Breaches) Bill 2016 read a third time in the House of Representatives | Australian Law Blogs

    […] Privacy Amendment (Notifiable Data Breaches) Bill 2016 read a third time in the House of Representat… […]

Leave a Reply