Senate

Second Reading Speech

Senator BRANDIS (Queensland-Attorney-General, Vice-President of the Executive Council and Leader of the Government in the Senate)

I table the explanatory memoranda relating to the bills and I move:

That these bills be now read a second time.

I seek leave to have the second reading speeches incorporated in Hansard.

Leave granted.

The speeches read as follows-

The Regulatory Powers (Standardisation Reform) Bill 2016 represents the first substantial tranche of Commonwealth Acts to trigger the operation of the Regulatory Powers (Standard Provisions) Act 2014.

The Regulatory Powers Act provides for a standard suite of provisions in relation to monitoring and investigation powers, as well as provisions regulating the use of civil penalties, infringement notices, enforceable undertakings and injunctions.

That Act commenced on 1 October 2014, but only has effect where Commonwealth Acts are drafted or amended to trigger the standard provisions in that Act.

By standardising regulatory powers across the Commonwealth, the Act is intended to:

•

significantly reduce the length of legislation governing each regulatory regime

•

provide greater clarity and consistency for agencies that need to exercise powers with respect to multiple regulatory regimes

•

make it easier for businesses that are subject to multiple regimes to understand and comply with the law, and

•

facilitate the development of a common body of law.

The Regulatory Powers Act also ensures that Commonwealth regulatory powers are sufficiently certain and predictable, while being flexible, to ensure that agencies with specialised functions can operate effectively.

This Bill will amend 15 Commonwealth Acts to repeal existing provisions providing for regulatory regimes and instead apply the standard provisions of the Regulatory Powers Act.

Those Acts fall within the portfolios of the Attorney General's Department and the Departments of Agriculture and Water Resources; Defence; Employment; Health; Industry, Innovation and Science; and Social Services.

In most instances, the Bill will not alter existing arrangements because application of the Regulatory Powers Act will result in either the substitution of an equivalent provision or a provision that is the same in effect with modernised terminology or minor technical changes reflecting current drafting standards.

Where necessary, the amendments will modify the operation of the Regulatory Powers Act to retain existing regulatory powers that do not have equivalent provisions in the Regulatory Powers Act.

In a small number of instances, the Bill will alter existing arrangements because application of the Regulatory Powers Act will result in the acquisition of new provisions or additional powers or functions. This only occurs where such provisions are necessary for the effective performance of duties or functions and the effective exercise of powers under the Regulatory Powers Act.

Alignment with the Regulatory Powers Act also provides an opportunity to consider whether existing regulatory powers or functions are still relevant and appropriate.

Accordingly, in some cases the Bill will either repeal or narrow existing regulatory provisions that do not have equivalent provisions in the Regulatory Powers Act on the basis that those existing provisions are no longer required or required in their current form.

The standard provisions of the Regulatory Powers Act represent best practice in relation to regulatory powers of general application. That Act also includes operational safeguards, and maintains Parliamentary scrutiny over application of that Act to specific regulatory regimes.

The Bill will also make minor amendments to the Regulatory Powers Act to clarify the operation of certain provisions and remove unreasonable administrative burdens on agencies exercising regulatory powers under the Regulatory Powers Act.

Those amendments relate to:

•

the ability to secure evidence of a contravention when exercising monitoring powers

•

the age of photographs for identity cards

•

the time period for the making of a civil penalty order, and

•

the cap on the amount to be stated in an infringement notice.

Implementing the Regulatory Powers Act supports the Government's regulatory reform agenda, as that Act intends to simplify and streamline Commonwealth regulatory powers across the statute book.

Over the last 20 years there has been an enormous proliferation of regulatory powers and associated provisions, across the Commonwealth statute book. Those powers and provisions vary in their breadth and detail, resulting in inconsistency or unnecessary duplication across regimes.

Standardisation provides regulatory agencies with the opportunity to use more uniform powers, and increase legal certainty for businesses and individuals who are subject to those powers.

PRIVACY AMENDMENT (RE-IDENTIFICATION OFFENCE) BILL 2016

The Privacy Amendment (Re-identification Offence) Bill 2016 is part of the Australian Government's endeavours to ensure that the considerable benefits associated with the release of public sector datasets can be realised whilst upholding the highest standard of information security and protecting the privacy of Australians.

The Bill will amend the Privacy Act 1988 to introduce prohibitions on the re-identification of de-identified information and disclosure of re-identified information.

The publication of major datasets is an important part of 21st century government, and is an important part of this Government's Digital Transformation Agenda.

On the 7th of December 2015, the Australian Government released its Public Data Policy Statement. The Statement provides a clear mandate for Australian Government Agencies to optimise the use and re-use of public sector data. The Statement provides that, when releasing datasets, Australian Government entities will uphold the highest standards of security and privacy.

The publication of government datasets, including de-identified data, enables the government, policymakers, researchers, and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes.

By way of example, the Minister for Social Services, Minister Porter recently drew attention to the benefits of research with anonymised data, and how it can help break the cycle of welfare dependency by identifying the risk factors leading to such dependency.

To ensure that the datasets released by the Australian Government are protected to the highest standard, the Department of the Prime Minister and Cabinet will put in place a process to govern the release of new anonymised datasets on data.gov.au.

However, in a rapidly changing digital environment it is important to recognise that methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future.

Of considerable concern is the potential to re-identify personal information, particularly an individual's sensitive personal information. Such re-identification has the potential to significantly affect an individual's privacy and to undermine the benefits associated with the release of public sector datasets.

Prohibition of re -identification and disclosure of re -identified personal information

The Bill prohibits the re-identification or attempted re-identification of de-identified information released by, or on behalf of, Australian Government Agencies, as well as prohibiting the disclosure of re-identified personal information.

These prohibitions will only apply to information that has been published on the basis that it is de-identified and in a generally available publication such as on data.gov.au.

The Bill introduces criminal offences and civil penalty provisions for the re-identification of de-identified personal information or the disclosure of such information. These penalties are intended to act as a strong deterrent against re-identification and disclosure, and reflect the damage that can be caused to individuals by such actions.

Requirement to notify agencies of re -identification

Importantly, the Bill requires entities that have re-identified de-identified personal information to inform the responsible agency of this as soon as practicable. This ensures the agency can rapidly respond to protect individuals' privacy by taking down and de-identifying the dataset using current techniques. The responsible agency can then direct the entity on how to handle the re-identified information.

This notification requirement applies to both intentional and unintentional re-identification-capturing, for example, circumstances where an entity has inadvertently re-identified personal information, for example by comparing different datasets. Entities that contravene this requirement will face civil penalties but will not be subject to criminal sanction.

Retrospectivity of the Bill

The new offences in the Bill will operate retrospectively from the 29th of September 2016; the day after the Government announced its intention to introduce these offences. This creates a strong disincentive for entities to attempt re-identification while Parliament considers the Bill. Releases of private information can have significant consequences for individuals beyond their privacy and reputation, which cannot be easily remedied. This warrants swift and decisive action by the Australian Government to prohibit such conduct.

Application of the Bill

The Bill is intended to apply more broadly than the general provisions in the Privacy Act, and will apply to the actions of individuals, organisations and businesses, including small businesses. Importantly, exemptions will apply so that the Bill will not affect the legitimate actions of agencies and researchers working with public datasets.

Australian Government Agencies will be exempt when performing their functions or when authorised by law to ensure they can continue to perform their ordinary functions and activities such as matching a de-identified dataset to another dataset or undertaking decryption activities to test information security.

Importantly, the Bill provides a power for the Minister to make a determination to exempt entities from the prohibitions and requirements of the Bill if it is in the public interest. This means entities engaging in valuable research in areas such as testing the effectiveness of de-identification techniques, cryptology or information security can be granted an exemption so that this legitimate research may continue. Research into methods for effective de-identification of data is an important privacy protection strategy in an era of big data.

The Bill exempts determinations by the Minister from the disallowance scheme in the Legislation Act 2003. This will provide certainty about the application of the law and provide commercial certainty to entities who require exemptions in order to undertake research projects. Before making a determination the Minister must consult with the Australian Information Commissioner, which provides additional scrutiny and transparency.

Australian Information Commissioner powers

As part of the Bill's enhancement of privacy protections, the Bill provides additional powers to the Australian Information Commissioner. Where an agency is informed of the re-identification of information it must inform the Australian Information Commissioner. This will allow the responsible agency to engage with the Australian Information Commissioner on the issue and provide the Australian Information Commissioner with the opportunity to investigate the matter. To this end the Bill also provides investigation powers to the Australian Information Commissioner in relation to contraventions of the Bill to support the Commissioner's existing power to seek civil penalty orders in relation to civil penalty offences under the Privacy Act.

Conclusion

The Bill will provide stronger safeguards for the privacy of individuals whilst supporting the Australian Government's commitment to the release of de-identified public sector datasets.

It will do so by deterring the re-identification of de-identified personal information in government datasets as well as the disclosure of such re-identified information and by ensuring that agencies are notified of re-identification so that they can take any necessary steps to rapidly address issues with published datasets.

Importantly, the Bill will not affect the legitimate acts of government or researchers.

The Bill will act in tandem with administrative processes to be developed by the Department of the Prime Minister and Cabinet to govern the release of new anonymised datasets on data.gov.au to ensure the integrity of public datasets published by the Commonwealth.

Debate adjourned.

Ordered that further consideration of the second reading of these bills be adjourned to 7 November 2016, in accordance with standing order 111.

Ordered that the bills be listed on the Notice Paper as separate orders of the day.