SENATE

More documents

Recommendations

Info

52 <strong>SENATE</strong> Thursday, 13 October 2016 (3) If an entity has given notice under subsection (2) on becoming aware that a contravention, event or circumstances may have occurred or arisen then, despite subsection (2), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen. Steps to be taken if contravention, event or circumstances may have occurred or arisen (4) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things: (a) so far as is reasonably practicable contain the potential contravention, event or circumstances; (b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances; (c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one individual—notify all individuals who would be affected. Civil penalty: 600 penalty units. Steps to be taken if contravention or event has occurred or the circumstances have arisen (5) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things: (a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes; (b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances; (c) notify all affected individuals; (d) if a significant number of individuals are affected—notify the general public; (e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraphs (1) (b). Civil penalty: 600 penalty units. (6) If an entity has given notice under paragraph (4) (c), then despite paragraph (5) (c), the entity need not give notice under paragraph (5) (c). (5) Clause 22B, page 24 (lines 2 and 3), omit "section 18 or subsection 22A(1), (2), (4), (5) or (6) ", substitute "this Act in connection with personal information or key information about an individual included on the register ". (6) Clause 26, page 26 (line 16), omit "The Minister ", substitute "(1) The Minister ". (7) Clause 26, page 26, after subclause (1), insert: (2) Ownership of information included in the register or otherwise obtained under, or in accordance with, this Act is retained by the Commonwealth despite any agreement under subsection (1). (8) Clause 27, page 27 (lines 1 to 6), omit subclause (2), substitute: (2) The Secretary may, in writing, delegate his or her functions or powers under paragraph 17(3) (g) (about disclosing information) to an SES employee, or an acting SES employee, in the Department. (d) a person who holds or performs the duties of an office or position established by or under a law of the Commonwealth, a State or a Territory; or (e) an entity (whether incorporated or unincorporated) established for a charitable purpose. (4) This section has no effect to the extent (if any) to which its operation would result in the acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph). These are essential amendments which go to the heart of protecting Australia's most sensitive health information. Let's remember the government did not want this legislation scrutinised. When Labor and the crossbenchers referred the legislation to a committee they said it was unnecessary, and the health minister went so far as to label it 'hysterical'. This is an inquiry which has forced the government to make amendments to their own legislation after the Information Commissioner identified critical issues and potential loopholes. No wonder the government did not want parliament to examine the legislation closely; they had completely botched it. This is their reputation. After all, they had signed a contract with Telstra before passing or even introducing the legislation. While Labor is pleased the government has finally come, kicking and screaming, to make some of these adjustments to their legislation there is more that needs to be done. Firstly, individuals should be notified when their most sensitive health data is breached. Under the government's draft legislation, if and when there are data breaches, Telstra only has to tell the Department of Health. This is the same department that had a breach of health information recently, which took weeks to be made public, with the health minister only standing up and mentioning it in a speech at a GP conference. While we understand the government will not accept Labor's CHAMBER
Thursday, 13 October 2016 <strong>SENATE</strong> 53 amendments to ensure that the Privacy Commissioner is notified of breaches, it is not enough. Individuals deserve to be told if their most private health information is accessed inappropriately, so Labor's amendments will mandate disclosure of data breaches to affected individuals. The government will argue that the Privacy Commissioner can notify individuals if he chooses but, again, not good enough. Individuals must be told. It simply beggars belief that the government does not consider this important enough to make the change. This is consistent with Labor's position across all portfolios. The government says it agrees, but is dragging its feet on mandatory disclosure legislation. Despite many promises, the government is yet to implement data breach notification laws that would make it mandatory to let Australians know when their personal information has been compromised. Secondly, Labor has already proposed an amendment to increase the penalty for unauthorised use or disclosure of information. Under these bills the penalty for recording, using or disclosing information without authority is only $21,600. That is a drop in the ocean for an organisation like Telstra, which reported profits of almost $2.1 billion in the six months to 31 December 2015. Labor's amendments would increase the penalty for unauthorised use or disclosure of information from 120 penalty units, which is $21,600, to 600 penalty units, which is $108,000. Under the Crimes Act 1914 a court can impose a penalty up to five times this amount on a corporation. So if Telstra is the register operator it could be fined up to $540,000 for breaching the legislation. Again, the government will argue that the Privacy Commissioner can seek tougher penalties, but this should not be discretionary. If individuals or organisations inappropriately use Australians' most sensitive health data, they should be punished severely and automatically. Thirdly, Labor has proposed an amendment to make explicit that the Commonwealth will be custodians of data in the register. The explanatory memorandum states: Although the bill does not address issues of ownership or custodianship of information, the Commonwealth will be custodian of data in the register. There should be no question of explicitly outlining this in the bill as well, yet the government is refusing to include it. This raises several questions about why the government does not want to clearly state that the Commonwealth is the custodian of the data. This is an important consideration in relation to access and use of this data and, given the sensitive information at hand here, Labor's amendment is essential. These amendments are crucial. I ask that the Senate properly consider the repercussions if they are not agreed to. Senator NASH (New South Wales—Deputy Leader of The Nationals, Minister for Regional Development, Minister for Local Government and Territories and Minister for Regional Communications) (13:50): I can indicate to the chamber that the government does not support the amendments as put forward by the opposition. Senator XENOPHON (South Australia) (13:51): I can indicate that I, along with my colleagues Senators Kakoschke-Moore and Griff, do not support these amendments. I would like confirmation, subject to the government confirming to me what they have confirmed previously, that it will be introducing mandatory reporting legislation next month based on the exposure draft. Also, could the government confirm that Telstra will be an entity covered under the government's proposed legislation? I ask the minister that as well, so that is on the record. If this amendment is passed, subject to the assurances and to the commitments and undertakings from the minister, it will create a separate data breach application notification regime just with this register, which would be inconsistent with the proposed laws. It is much cleaner to improve the mandatory data breach notification laws so that all affected entities are covered at once. The current regime will suffice until the new legislation. We need to ensure that the government's new legislation is scrutinised and passed this year. I need that confirmation because our opposition to the amendment is conditional upon those assurances. Senator NASH (New South Wales—Deputy Leader of The Nationals, Minister for Regional Development, Minister for Local Government and Territories and Minister for Regional Communications) (13:52): I can confirm all of those for you. Senator POLLEY (Tasmania) (13:52): I will put on the record that, once again, we are left with having to trust a government that has consistently bungled this process from day one. Senator XENOPHON (South Australia) (13:52): The simple retort to that is that if the government duds us on this they are not going to get cooperation on pretty much anything else. I expect that the government will meet its commitments in respect of this. If they don't, there will be consequences from our point of view. The TEMPORARY CHAIR (Senator Ketter): The question is that amendments (1) to (8) on sheet 7946 be agreed to. CHAMBER
Page 1 and 2:
COMMONWEALTH OF AUSTRALIA SENATE Ha
Page 3 and 4:
FORTY-FIFTH PARLIAMENT FIRST SESSIO
Page 5 and 6:
Senator State or Territory Term exp
Page 7 and 8:
Title Minister Minister for Health
Page 9 and 10:
Title Shadow Minister Deputy Manage
Page 11 and 12:
CONTENTS—continued International
Page 13 and 14: Thursday, 13 October 2016 SENATE 1
Page 63: Thursday, 13 October 2016 SENATE 51
Page 115 and 116:
Thursday, 13 October 2016 SENATE 10
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

SENATE

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?