Peter A Clarke

Data breach notification laws seem to be in vogue in Australia at the moment. In 90 days, on 22 February 2018, the Commonwealth Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect for those organisations and agencies covered under the Privacy Act 1988.  That has the potential to have a major impact on the way privacy and data security is regulated in Australia and make the extent of data breaches more transparent.  It will bring Australia into line with best practice, even if the Act is far from the gold standard. It is a complicated piece of legislation which requires careful analysis of the extent of data breaches, consideration of exemptions and appreciation of which is the best options available to the affected entity to ensure compliance.

In New South Wales an opposition member, Paul Lynch,  introduced the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 into the Legislative Assembly on 16 November 2017.  If passed, and that is a big if, it will require a public agency to to notify the Privacy Commissioner and the person who has suffered a serious violation of the privacy through a contravention of an information protection principle or privacy code of practice or whose personal information kept in a public register was disclosed  of that contravention or disclosure.  

While this is a welcome development there needs to be a very big note, played at forte, of caution.  Private member’s bills rarely become law.  And bills proposed by opposition members are especially likely to founder.  Unlike the United States and the United Kingdom bills from the non treasury benches are generally treated with suspicion and disdain.  That is partly because they are seen through the prism of politics.  It is also partly because all too often oppositions do posture and use private members bills as a means of embarrassing a government or burnishing their credentials.  Either way they are seen as a political weapon. Which is a shame but things are unlikely to change soon. Curiously what sometimes happens is a private members bill is defeated or languishes on the notice paper until Parliament is prorogued, but then reappears slightly amended as a Government Bill.  A good idea remains a good idea so while supporting an opponents bill is excellent politics, or so the logic goes, filching a sensible proposal is even better.

As with the Commonwealth scheme there is an element of balancing factors when determining whether the breach is notifiable.  Here it is found in the proposed section 59B regarding what is a serious violation of or interference with privacy.  those factors are:

The Second Reading Speech provides:

It gives me great pleasure to introduce the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 on behalf of the Opposition. The current legislation in the field of privacy, primarily the Privacy and Personal Information Protection Act [PPIPA], dates from 1998. The significant developments in technology in recent years have increased dramatically the issues and challenges surrounding privacy and the protection of privacy. When the 1998 legislation was introduced Facebook did not exist, the iPhone did not exist, biometric identity systems seemed like science fiction, warrantless mass surveillance and closed-circuit television [CCTV] connected to a national facial recognition database seemed quite other worldly. For most people, the development of big data was beyond comprehension, let alone being on the horizon. Those developments mean that privacy breaches can have more severe consequences than there were previously, but there has been little change in the law.

The scale and capacity of technology has increased exponentially, as have the potential consequences of privacy breaches. The Government has largely allowed these issues to develop passively and has taken no real action to match technological advances. It is no surprise that community surveys show that nearly two-thirds of members of the community do not think or are uncertain that those in authority are taking privacy seriously. This is contrary to the conservative Coalition parties’ actions in 1975 in introducing the Privacy Committee Act. This was followed by the Labor Government’s legislation in 1998. To make up for the current Government’s default, the Labor Opposition has introduced two private members’ bills—the Civil Remedies for Serious Invasions of Privacy Bill 2017 and the Privacy and Personal Information Protection Amendment (State Owned Corporations) Bill 2016. The bill that I introduce today is another to deal with the ongoing challenges around privacy in a technologically changing world and in the face of an overwhelming lack of interest by the Government. If it is not about concrete or asphalt, this Government is not interested.

The object of the bill is to require a public sector agency that has caused a serious violation of the privacy of an individual by contravening an information protection principle or privacy code of practice or disclosing personal information kept in a public register to notify the individual concerned and the Privacy Commissioner of the contravention or disclosure. Currently, there is no requirement to do any such thing. The justifications of this proposal are simple, and can be stated simply. First, the community expects it. The 2017 Australian Community Attitudes to Privacy survey conducted by the Office of the Australian Information Commissioner reports that nearly everyone—in fact 95 per cent of respondents—agree that if a government agency loses their information they should be told about it. The near unanimity on that point is hardly surprising: It really is a matter of common sense, as is this bill. These concerns and views are increasing with time as technology evolves and develops.

For example, the same survey records that 69 per cent of Australians are more concerned about the privacy of their personal information when using the internet than they were five years ago. That concern has been growing over several of the Information Commissioner’s surveys—and that is in the context of an increasing emphasis by this Government on online interaction between its agencies and citizens. Mandatory notification has a number of benefits. It is an important mechanism to minimise or prevent the consequences that may flow from a breach. It is also a useful accountability mechanism. Obviously not every breach would necessitate mandatory reporting. Sensibly, it should be limited to serious breaches. It is hard to find an argument against the proposal, apart from bureaucratic convenience. The New South Wales Privacy Commissioner in her February 2015 report under section 61B of the Privacy and Personal Information Protection Act recommended this change. Recommendation 10 of that report read:

The PPIP Act be amended to provide for mandatory notification of serious breaches of an individual’s privacy by a public sector agency similar to that proposed to be provided in the Privacy Act 1988 (Cwlth).

As I have indicated, and as is self-evident, the Government has not acted on that recommendation. The recommendation points out that the Federal Parliament is pursuing this path, with its legislation coming into effect shortly. This means that there is, well and truly, a precedent for this bill—that precedent being pursued by a conservative Federal Government. Its significance, of course, is more than just as a precedent. Granted that it is coming into effect, there is an argument that there should be some broad consistency between State and Federal jurisdictions—that argument thus supporting this bill. The argument about consistency was actually made by the Department of Premier and Cabinet [DPC] in its submission concerning the commissioner’s section 61B report. So I am happy to claim support from the current Government’s DPC for this bill.

The bill provides for amendments to the principal Act, the Privacy and Personal Information Protection Act 1998—largely known as the PPIP Act, or PPIPA. Schedule 1 to the bill provides a proposed new section 59A, which provides for a meaning of “causing a serious violation of an individual’s privacy”. That occurs when an agency contravenes an information protection principle or privacy code of practice or discloses personal information kept in a public register. It is a serious breach if a reasonable person would conclude that the contravention or disclosure has resulted in, or would be likely to result in, a serious violation of, or interference with, the privacy of an individual to whom the information relates.

New section 59B itemises matters to be taken into account when determining whether an act or omission has resulted, or is likely to result, in a serious violation of or interference with the privacy of an individual. New section 59C provides that a public sector agency must take reasonable steps to notify an individual if the agency has reasonable grounds to believe it has caused a serious violation of the individual’s privacy. Methods of notification are specified. It must be given within 15 days after the agency first became aware of the circumstances that gave rise to the serious violation. New section 59D provides that a public sector agency must notify the Privacy Commissioner if the agency has reasonable grounds to believe it has caused a serious violation of an individual’s privacy. A 15-day time limit also applies to these notifications. New section 59E provides that agencies must carry out a reasonable and expeditious assessment of whether a serious violation of privacy has occurred. The assessment must be completed within 30 days.

New section 59F vests the Privacy Commissioner with power to request an agency to provide information if the commissioner has reasonable grounds to believe the agency has caused or contributed to a serious breach. The commissioner can also require the agency to notify relevant individuals of such violations. New section 59G provides that an agency must comply with the commissioner’s direction. The new division 4, entitled “Exemptions”, provides that the commissioner may declare that these provisions do not apply to an agency if satisfied that it is reasonable in the circumstances to do so, having regard to the public interest and any other matter the commissioner thinks reasonable.

New section 59I provides an exemption where the public sector agency has taken certain action. That exemption is if the agency takes action before the contravention or disclosure results in serious harm to any individual to whom the information relates and a reasonable person would conclude that the contravention or disclosure would not be likely to result in a serious violation of or interference with the privacy of the individual concerned. An exemption is provided in relation to law enforcement. Likewise, an exemption is provided where it would involve disclosure of information that is prohibited by, or under, any other Act. I commend the bill to the House.