BILLS: Privacy Amendment (Privacy Alerts) Bill 2014, Second Reading, 19 Jun 2014

Before I start my substantive speech on the Privacy Amendment (Privacy Alerts) Bill 2014, I would like to make some comments about some of the comments made by the previous speaker. He talked about a lack of transparency and a lack of planning and, very typically, kept referring to things that happened when we were in government. I would just like to point out some of the issues around Infrastructure Australia, where people have been gagged and sent on gardening leave so that there is no transparency and no planning to be done. So we will look forward to those speeches coming up later in the session, Senator Back. Can I also say that this is not a new situation for anyone in either of the chambers.

Turning to the privacy legislation we are debating, I point out that Labor is the party that cares about protecting Australians’ privacy. It is Labor that understands that Australians care about who has their data and how it is used. It was the Labor Party that enacted the Privacy Act in 1988 and it was the Gillard Labor government that made significant improvements to that Privacy Act.

I remind Senator Back that this bill is substantially the same as the Privacy Amendment (Privacy Alerts) Bill 2013, which passed the House last year but lapsed when the parliament was prorogued before the 2013 election. It was the important next step, put forward by the Attorney-General Mark Dreyfus, and I am glad that it has returned to the parliament as a private senator’s bill thanks to Senator Singh, one of my Tasmanian Labor colleagues.

The 2013 bill was passed in the House of Representatives on 6 June 2013 with the support of the coalition, and I hope that they will vote in support of this bill in this place. I am disappointed that the Liberal Party did not consider this bill important enough for the current Attorney-General to put forward as government business. Once again, it has taken the Labor Party to push this important reform. I am disappointed that the Liberal-Nationals government did not think that the security of the personal and financial data of Australian citizens was worthy of their time.

Once again, the Liberal-Nationals government has shown that it is out of touch with the concerns and expectations of the Australian people. Once again, the Liberal-Nationals government has shown that it is out of touch with the realities of the 21st century and the changes to the way that customers and clients interact with businesses and government agencies.

The issue that this bill deals with is timely, given that, in the digital world we now inhabit, a large amount of our private data is held by businesses, government agencies and organisations that we interact with on an everyday basis. Our personal data is held by everyone—from banks, credit card companies, telecommunications companies, government agencies, libraries, supermarkets, pharmacies and department stores to, often, our local coffee places or bookstores.

Large companies and government agencies, in particular, often hold personal data that we would not want to go public or fall into the wrong hands. As time progresses the amount of data held by companies and government organisations, and the number of companies and government organisations that hold data, is likely to grow considerably. Unfortunately, though, despite our best efforts and best assurances, breaches of our data can and do occur.

We have seen breaches of privacy from multinational companies and small businesses. I will give you some recent examples. The Department of Immigration and Border Protection, in February this year, accidentally published personal details of around 10,000 asylum seekers held in Australia. The major software company Adobe was hacked in October last year, with 130 million user records being stolen. In November and December last year, a similar event occurred to the American retailer Target, with data from around 40 million credit and debit cards stolen. In February 2013, the Australian Broadcasting Corporation revealed that the personal details of almost 50,000 internet users had been exposed online after the ABC’s main website was hacked. In 2009, in Lancashire, England, a health worker lost a memory stick containing the medical details of more than 6,000 prisoners and ex-prisoners from Her Majesty’s Prison Preston.

With the number of organisations holding our data increasing, the number of breaches is likely to increase into the future. In their submission to the Senate inquiry for the 2013 bill, the Office of the Australian Information Commissioner—the OAIC—noted that a significant number of Australian organisations had suffered a data breach. In their evidence, they said:

… 21 per cent of Australian organisations interviewed had experienced a data breach, and 14 per cent of organisations interviewed were unsure if they had experienced a data breach.

Furthermore their evidence highlighted that in instances of an admitted breach:

  • 18 per cent of organisations interviewed did not notify anyone outside the organisation of the data breach;
  • 68 per cent did not notify affected customers of the data breach; and
  • 79 per cent did not notify affected suppliers of the data breach.

Australians would not, and do not, consider such practices to be good enough. Furthermore, the OAIC noted:

There is evidence that the incidence of data breaches is increasing on a global scale and within Australia …

This evidence would be of concern to most Australians.

Whether the breach occurs due to an accident while using technology, the loss or theft of technology like laptops or flash drives, or it is due to deliberate and criminal attacks on network infrastructure or assets, the result is still the same: the personal data of Australians entering the public sphere, with the possibility of its use for nefarious purposes.

And no matter how that data is breached, Australians believe it is reasonable that they be informed, and expect to be informed, when their data is breached. In a survey conducted last year, the OAIC reported that 96 per cent of Australians believe they should be notified of data breaches that affect them. After all, it is their information which has been mishandled. And if you know your data has been breached, there are a number of precautions that you can take to protect yourself from loss. These precautions include changing passwords, changing or cancelling credit cards and switching service providers, amongst other precautions.

It would be a surprise to most Australians to find out that there is not currently an obligation for them to be informed when their personal data is breached. In fact, most Australians would be horrified to know that there is not an obligation for them to be notified when there is a serious breach of their personal data.

In my time as chair of the Joint Select Committee on Cyber-Safety, there were many occasions when the committee heard evidence of the need for mandatory breach reporting laws. During our inquiry into cyber-safety and senior Australians, University of Canberra Centre for Internet Safety director, Alastair MacGibbon, told the committee:

… we do not actually know how many data breaches there are in Australia and we do not know how much of our personal identifiable information is out there because there is no compulsion to report such breaches either to the individuals or to a central Commonwealth authority like the Privacy Commissioner or others.

He said:

We believe that the Australian Law Reform Commission report, particularly in relation to its recommendations about data breach notification … should be followed up.

Similarly, the Australian Communications Consumer Action Network, or ACCAN, in their submission to the inquiry on the 2013 bill, said:

It is entirely possible that there have been a great many more incidents that have gone unreported, leaving consumers with no knowledge that their personal information has been mishandled or accessed without authorisation, and unable to seek any redress or take action to limit possible damage arising from these breaches.

This bill puts in place a compulsory notification regime in order to ensure that all Australians are informed if their personal data have been breached, and builds on the privacy regime Labor implemented in government. I think it is a reasonable requirement, and most Australians would agree.

Because the bill requires organisations to report breaches to affected clients, it will also encourage government agencies and private sector organisations to lift their security standards and be more transparent about their information-handling practices. It will ensure that all organisations covered by this bill will take data security much more seriously. I know that many organisations are increasingly taking data security seriously and have robust systems in place. They take the security of their customers’ and clients’ data seriously and they have become aware of just how important it is, because it can cause serious damage to their brand when data breaches occur.

This bill will also help all businesses and organisations more widely, enabling industry, consumers and regulators to have more information about data breaches. A better picture will form of what leads to breaches, either accidental or malicious, and what measures and mitigations all parties can take to prevent or respond to breaches that do occur. It will help inform and encourage best practice.

This bill is a long overdue measure recommended by the Australian Law Reform Commission way back in its 2008 report, For your information: Australian privacy laws and practice. The 2013 bill was referred to the Legal and Constitutional Affairs Legislative Committee, which reported on it in June 2013. Submissions, including those from the Australian Law Reform Commission, the ALRC, and the Office of the Australian Information Commissioner, the OAIC, strongly supported the introduction of mandatory data breach notification provisions for Commonwealth government agencies and certain private sector organisations.

There are a significant number of benefits of compulsory breach notifications both for individuals and organisations. The OAIC gave evidence that said:

Identity theft and personal fraud is an increasingly problematic issue in Australia. In the 2010/11 financial year, personal fraud cost Australians $1.4 billion. Further, 1.2 million Australians aged 15 years and over were victim to at least one incident of identity fraud in that year; a significant increase from 806,000 victims in 2007-8.

These are extraordinary figures. They are figures that should be of concern to all senators in this place.

Time and time again as chair of the cybersafety committee, I heard of the devastating impact of identity theft and fraud particularly amongst senior Australians. I have heard evidence of individuals losing tens of thousands, even hundreds of thousands of dollars through identity theft. Australian Bureau of Statistics data shows that in 2010-11, 0.3 per cent of Australians, some 44,700 people, were victims of identity theft and another 3.7 per cent of the population, some 662,300 Australians, were victims of credit card fraud.

Identity theft is not a victimless crime. The lives of thousands of Australians are ruined each year—utterly ruined. Family homes are lost. Marriages fail and families fall apart. And it often begins with data breaches. However, the OAIC gave evidence to the Senate inquiry into the 2013 bill, saying:

In some circumstances, notification can prevent or limit identity theft and personal fraud by helping to protect personal information against misuse, loss or unauthorised access, modification or disclosure. Specifically, where personal information has been compromised, notification can be essential in helping affected individuals regain control of that information and mitigate potential harm. For example, where an individual’s identity details have been stolen, once they have been notified the individual can take steps to regain control of their identity information by changing passwords or account numbers, or requesting the reissue of identifiers. Such steps help prevent or limit the risks resulting from the theft of personal information.

Of course, personal data extends beyond just financial data. The Australian Law Reform Commission’s report of May 2008, For your information: Australian privacy laws and practice, illustrates this point, saying:

Other types of personal information, such as health information, if disclosed, could subject a person to discriminatory treatment or damage to his or her reputation. Informing a person that such information has been disclosed makes that person aware of what may be the possible consequences of the breach.

Australians have a right and an expectation that their confidential personal information, whether their financial information, health information or any other personal information, be kept secure and private. They have a right to be informed when breaches occur. That is why the bill we are debating today is of such importance. Individuals that have their data breached due to the actions or negligence of companies or government agencies do not have to sit passively by. They can actively take steps to minimise their risk of suffering identity theft or being the victim of other crimes—if only they know of the breach; they must know of the breach.

Notification can also be of benefit to the organisation in which the data breach occurred. The OAIC in their evidence, mentioned previously, says:

Notification can help rebuild public trust and demonstrate to the public that the entity takes the security of personal information seriously, and is working to protect affected individuals from the harms that could result from a data breach.

There are also commercial benefits for those companies with good, strong data protection notification regimes or privacy alert regimes and those with good information on privacy practices in being trusted more by their customers. As the Cyberspace Law and Policy Centre at the University of New South Wales Faculty of Law said:

The reputation risk of being seen to behave inappropriately is transferred to the non-discloser, who now stands out and is clearly not responding appropriately.

This bill will require all entities currently regulated by the act to notify affected individuals and the OAIC where there has been a data breach that gives rise to a ‘real risk of serious harm’ to an affected individual. A real risk is defined as a risk that is not a remote risk. Therefore, only the more serious data breaches will need to be notified. The OAIC will have the power to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified as a result of an individual’s complaint or otherwise. The OAIC will also be given the power to exempt an entity from the notification requirement where it is in the public interest to do so.

The notification must contain at least four key pieces of information. First, it must contain a description of the breach. Secondly, it must contain a list of the types of personal information that were accessed or disclosed. Thirdly, the notification must contain recommendations about the steps that individuals should take in response to the breach. Finally, contact information for affected individuals to obtain more information and assistance must be included. Noncompliance with the scheme would attract the normal Privacy Act remedies. These remedies can take a number of forms and could include public or personal apologies, compensation payments or enforceable undertakings. A civil penalty could be sought where there has been serious or repeated noncompliance with mandatory notification requirements. I expect that a majority of Australians would see this as fair and reasonable.

This proposal has strong support from state and federal information privacy commissioners, from IT security companies and from privacy and consumer advocates, and this proposal is becoming a norm globally. In support of this view, the Cyberspace Law and Policy Centre at the University of New South Wales Faculty of Law gave evidence to the inquiry into the 2013 bill that:

Mandatory Data Breach Notification is increasingly the norm, and something we support in general: it has been law in parts of the USA for a decade, is increasingly common in other countries, and has been under discussion in Australia for years. The general concept is also increasingly accepted in Australia, including by some businesses who appreciate the transparency behind it as a necessary part of earning the essential ingredient, consumer trust and confidence in e-commerce and online systems in an environment where absolute security clearly cannot be promised.

The public is increasingly concerned with how their data is managed and protected. They are aware of just how much it could cost them through identity theft and other nefarious uses of their private information.

Australians have an expectation that they will be informed if their personal data is breached, and Australians deserve to be informed if their personal data is breached. If a corporation or agency’s data is breached, it is the customer, as I said, or the client of the business or agency who could end up with all the problems. As Professor Phair from the Cyber-Safety Policy Centre at the University of New South Wales told the Joint Select Committee on Cyber-Safety:

The other problem is that if you are an SME or even a large organisation and you have had a data breach—lost a whole lot of customer identifying data, including credit cards et cetera, the CVV2 track data on the back, which is even more important—

that is, the three numbers on the back of your credit card that you often have to give when you are buying online—

you have been compromised as an SME. You have moved on and brought in an IT security company to mop up the problem. Everything is good, but it is all those people that bought off your website who have the heartache for quite some time.

That is why this legislation we are debating today is so important.

Australian customers or clients should have the right to find out, so that they can change passwords and take other precautions. They should know which companies and which government organisations are failing to hold their data safely. Australians also want and expect penalties for companies and organisations that fail to notify when they have not kept our data secure. That is why I call upon the Senate to support this bill.