House of Representatives

Privacy Amendment (Notifiable Data Breaches) Bill 2017

Second Reading Speech

Mr Keenan (Minister for Justice and Minister Assisting the Prime Minister for Counter-Terrorism)

I move:

That this bill be now read a second time.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the bill) will amend the Privacy Act 1988 (Privacy Act) to require entities subject to the Privacy Act to notify the Australian Information Commissioner and affected individuals if the entity experiences a data breach of a kind specified in the bill.

High-profile data breaches in recent years, such as the breaches involving the dating website Ashley Madison or the US Office of Personnel Management, have demonstrated the potential harm that can result to individuals following unauthorised access to or unauthorised disclosure of personal information.

The rationale for mandatory data breach notification is that, if an individual is at likely risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.

Forty-seven US states currently have mandatory data breach notification schemes to deal with data breaches of this kind. Canada and the European Union have introduced schemes which are yet to commence, whilst New Zealand has also committed to introducing a scheme.

By contrast, with the exception of eHealth data breaches falling under the My Health Records Act 2012, mandatory data breach notification does not exist yet in Australia. The former Labor government's Privacy Amendment (Privacy Alerts) Bill 2013 received bipartisan support to introduce such a scheme, but did not pass the parliament before the 2013 election.

Background to the bill

The mandatory data breach notification scheme contained in this bill implements a commitment the government made in response to the Parliamentary Joint Committee on Intelligence and Security's February 2015 report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015.

The Australian Law Reform Commission (ALRC) recommended the introduction of a mandatory data breach notification scheme in its 2008 review of Australian privacy laws.

Following that review, the Australian Privacy Commissioner established a voluntary data breach notification scheme based on the principles the ALRC recommended, and published guidance material about appropriate data breach notification practices.

The voluntary data scheme received 107 notifications in 2015-16, which is 245 per cent higher than the 44 notifications received in 2009-10.

Despite this scheme, the commissioner has publicly expressed concerns that data breaches in Australia go underreported.

The bill draws on the ALRC's recommendation and practical experience gained from the commissioner's voluntary scheme and associated guidance material. It is also expected that the commissioner would issue guidance material under the mandatory scheme to assist entities to comply.

Consultation undertaken in developing the bill

The bill has also been subject to extensive consultation before introduction to ensure that the proposed scheme provides effective privacy provisions for Australians without placing an unreasonable regulatory burden on industry.

Exposure draft legislation and explanatory material was released for public consultation between 3 December 2015 and 4 March this year. Forty-seven public submissions were received on the exposure draft; most supported the proposal or were supportive subject to particular technical changes.

The Attorney-General's Department also held discussions with a broad range of industry and civil society stakeholders during the consultation period.

The government considered all stakeholder contributions made during the consultation. This has helped ensure that the bill's mandatory data breach notification scheme is workable for regulated entities while still protecting the privacy of individuals.

Operation of the bill

The Privacy Act currently requires most Australian government agencies, private sector organisations with annual turnover of more than $3 million and specific kinds of smaller organisations (such as health service providers) to take reasonable steps to protect personal information they hold. Equivalent requirements also apply to specific other kinds of information, such as tax file number information.

The bill's mandatory data breach notification scheme applies to all entities who are subject to these existing requirements and experience an 'eligible data breach'. An eligible data breach is 'notifiable', as per the bill's title, where it satisfies conditions specified in the bill, and no exceptions to notification policy apply.

An eligible data breach is where there is unauthorised access, unauthorised disclosure or loss of personal information that a reasonable person would conclude is likely to result in serious harm to individuals.

Experiencing an eligible data breach under the bill will not necessarily mean that the entity concerned has breached the existing Privacy Act information security requirements. For example, it is possible that, despite having taken reasonable steps to secure personal information it holds, an entity may nonetheless experience a data breach due to human error or other circumstances that are not reasonably foreseeable.

Where an entity has reason to suspect that an eligible data breach may have occurred, the entity is required to undertake a reasonable assessment of the circumstances. If an entity has reasonable grounds to believe it has experienced an eligible data breach, after an assessment or otherwise, the entity must notify the Information Commissioner and affected individuals. The entity has flexibility to notify affected individuals directly or, if that is not practicable, to publish an online notice about the eligible data breach.

Entities are required to undertake notification in these forms unless an exception applies. These exceptions are designed to balance privacy protections of individuals with other matters in the public interest, such as avoiding prejudicing the activities of law enforcement agencies or disclosing information where that disclosure would be inconsistent with a secrecy provision in another law.

An exception will also apply where an entity can determine with a high degree of confidence that it has taken action to remediate the harm arising from an eligible data breach before that harm has occurred.

Finally, entities can apply to the Information Commissioner for an exception from the notification requirement, either altogether or for a specific period of time. The commissioner has an additional power to direct an entity to notify an eligible data breach.

The mandatory data breach notification scheme in this bill is connected to the existing enforcement framework under the Privacy Act. This means that the Information Commissioner's existing investigatory powers will apply in the event that an entity breaches a requirement of the bill.

This will ensure that the commissioner can investigate possible noncompliance with the mandatory data breach notification scheme, and potentially make a determination requiring the entity to remedy such noncompliance. In the case of serious or repeated noncompliance, the commissioner can also apply to a court to impose a civil penalty.

Conclusion

This bill will improve the privacy protection of Australians in the event of a data breach without placing an unreasonable regulatory burden on business. The extensive consultation undertaken in developing the bill will ensure that the bill's mandatory data breach notification scheme is both workable and effective.

Debate adjourned.