Hacks highlight need for privacy policy reform
Ms JODIE HARRISON (Charlestown): I contribute to the debate on the Privacy and Personal Information Protection Amendment Bill 2022. I share the concerns of the shadow Attorney General and member for Maroubra.

The Privacy and Personal Information Protection Act [PPIPA] is the basis of this State's privacy laws. It dictates how New South Wales government agencies manage personal information. It was introduced in 1998, and a lot has changed since then.

In this age of online information it seems that every detail of our lives is being kept and recorded in one form or another by social media corporations, by online advertising firms, by the businesses we trust with our telecommunications and health insurance, and of course by government agencies. While the PPIPA has been amended from time to time in the nearly quarter of a century since it was enacted, elements of it are still in need of modernisation.

From the outset, I join my colleagues in not opposing the bill. It is about time that this legislation was brought into Parliament and that those opposite finally engaged in PPIPA reform.

The PPIPA does not currently require mandatory notification of data breaches by government agencies. That leaves the NSW Privacy Commissioner to oversee a voluntary reporting scheme, which encourages agencies that have experienced serious data breaches to report the details of the breach to the commissioner.

Given that, the proposals contained in the bill are a set of commonsense reforms, amending the act to establish the mandatory notification of data breaches scheme, which will require New South Wales public sector agencies to act to contain any breach and assess the likely severity of any impact on New South Wales citizens.

It will require an agency to notify those citizens and, if the agency assesses that the breach is likely to result in serious harm, the Privacy Commissioner as well. It will require the said agency to issue a public notification if an impacted individual cannot be identified or it is not reasonably practical to notify them.

The bill expands the regulatory responsibilities of the Privacy Commissioner to include investigating and monitoring agency compliance with the mandatory notification of data breaches scheme, empowering them to access agencies' premises as needed and to report on agencies' systems, policies and procedures.

The bill also removes the exclusion of State-owned corporations from the Act and extends the Act to cover those which are not subject to the Commonwealth Privacy Act 1988.

The amendments carry over to the Fines Act 1996, removing a provision requiring Revenue NSW to notify of unlawful disclosures under a separate scheme, and the Government Information (Public Access) Act 2009, putting in place a conclusive presumption that there is an overriding public interest against the disclosure of information related to an assessment of an eligible data breach under the scheme.

As I have said, the reforms in the bill are common sense. They sound very familiar as well. My colleague the member for Liverpool, in his role as shadow Attorney General on this topic, has moved bills no less than four times previously, including in 2016 with the Privacy and Personal Information Protection Amendment (State Owned Corporations) Bill, in 2017 with the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill, and twice in 2019 when both those bills were reintroduced.

Each and every time the member for Liverpool and then shadow Attorney General, Paul Lynch, introduced those bills, the Government opposed those much-needed reforms. It is playing catch-up. It seems that the horse has bolted to a certain extent.

The Government has proven to be almost wilfully negligent in its refusal to engage in PPIPA reform. Now the Government is introducing what effectively is the same legislation on the third last day before an election; after the cut-off date for business which passes this House to go to the other Chamber; and too late to help the thousands of people in my electorate and the millions of people across the State who might have fallen prey to criminals who try to dupe them out of their money and steal their identities.

That is outrageous, not least of all because Australia has been hit by two major data security breaches in a matter of weeks. As many as nine million current and former customers of Optus had their personal information hacked from the company's database, including everything from their names and birthdates to passport information and driver licences. Then hackers hit Medibank and AHM, exposing the private medical records of patients on the dark web and revealing such intimately personal details as whether they had had an abortion or had been treated for drug and alcohol abuse. Those are examples of what can happen when data is breached.

This Government holds a considerable amount of personal information, so the bill is sadly overdue. Data breaches generate considerable and understandable anxiety amongst the Charlestown electorate.

A number of constituents contacted my office in the immediate aftermath of the Optus hack wanting some idea of what they could do to secure their information and what support was available.

Unfortunately, advice from the Government was not forthcoming in a timely manner. As the extent of the privacy breach became clear, the Minister's office promised at 9.00 a.m. to provide details on how to assist concerned constituents. By 4.51 p.m. on that day that advice had still not been received, and there was an incredible amount of concern. Instead, the Minister chose to post on Twitter and failed to advise my electorate office, or any other electorate office, of the supports in place for those impacted.

The anxiety since the breach has been pronounced. One man in his seventies approached me at a street stall concerned that the information that he had given to become a member of a club might be exposed. Another commented on my Facebook page that just days after the hack he was woken at 4.17 a.m. by a call from an unknown number.

The Optus hack comes after a major data breach at Service NSW in May 2021 exposed the personal data of 186,000 of the State's citizens, including me and a number of other MPs, and saw 3.8 million documents leaked to criminal actors. By the Government's own admission, that attack happened because Service NSW did not use multi-factor authentication for staff logins, meaning that the agency responsible for most face-to-face interactions that citizens have with their government was not following the guidance from the Australian Cyber Security Centre.

Indeed, a report published last year by the Auditor-General indicates at least 26 New South Wales government agencies may be vulnerable to this type of attack. The Service NSW breach was a stunning lapse from members opposite.

While it is not surprising that New South Wales public sector agencies such as Service NSW hold sensitive information about citizens—including personal, health and financial information—what will come as a surprise to many of my constituents is that it is currently not mandatory for New South Wales public sector agencies to report data breaches of personal and health information.

Just today it has been reported that a woman who fled her abuser, a man with links to organised crime, after securing help from support services and the police, has had her safety compromised because of an oversight by Service NSW. After managing to get to safety in New South Wales, she contacted Service NSW to update her driver licence and registration, making sure that they knew she had fled Queensland to escape an abusive situation.

Service NSW promised that everything would be sent to her new address. Instead, it was all sent to her old address in Queensland, exposing her private information to her abusive ex-partner. That case is horrific and it represents a microcosm of what is at stake when we talk about the privacy and security of personal information. In my contribution to debate on the Privacy and Personal Information Protection Amendment (Service Providers) Bill 2020 I said:

It is possible that the information harvested by these criminals could fall into the hands of hostile state actors, rogue non-state actors, criminal syndicates and even terrorists.

The Australian Federal Police Commissioner, Reece Kershaw, has now confirmed that a network of Russian criminals is responsible for the Medibank hack. As horrible as the impacts on individuals may be, this goes far beyond inconvenience and anxiety for customers afflicted by these hacks.

I do not oppose the bill, but I must ask why it has taken the Government so long to introduce this legislation. What has it been waiting for? Why has the Government dragged its feet for so long that now this reform will not be able to be considered by members in the other place, unless urgency is sought? Members opposite have once again failed to do the right thing by the people of this State.