Speaking up for Privacy and Personal Information Protection

17 September 2020

PRIVACY AND PERSONAL INFORMATION PROTECTION AMENDMENT (SERVICE PROVIDERS) BILL 2020

Second Reading Debate

Ms JODIE HARRISON (Charlestown) (10:25:30): I support the Privacy and Personal Information Protection Amendment (Service Providers) Bill 2020. The bill has been introduced by the shadow Attorney General and member for Liverpool. I congratulate the shadow Attorney General on bringing forward this bill because in the twenty-first century few things are more important and less well understood by the general public than the protection of private data. When the Privacy and Personal Information Protection [PPIP] Act was introduced at the end of the last century, the internet was still in its infancy. Google was founded in September that year and Facebook would not be conceived of until 2004. It is not surprising that in the 22 years since proclamation of the Act numerous attempts have been made to expand and amend it. I am dismayed that the Government has opposed Labor's previous attempts to amend and reform privacy law. This bill will expand the PPIP Act to clearly cover State contracted service providers and contractors. This bill will bring the PPIP Act into line with the Federal Privacy Act and with the Health Records and Information Privacy Act, which regulates some contractors.

The discrepancy between the various different pieces of legislation makes no sense and creates an uneven regulatory framework for an area of policy that has only become more important in recent years and will become even more important still. The bill also will help to implement a recommendation of the 2015 report of the Privacy Commissioner that followed a survey of non-government organisations and showed the necessity of strengthening the privacy framework. The then Privacy Commissioner, Dr Elizabeth Coombs, wrote:

I am concerned about the lack of formal privacy protection for clients of some State Owned Corporations (SOCs) and recommend that all NSW SOCs be subject to privacy regulation. This can be achieved by ensuring coverage by the PPIP Act

I recommend amendments to the PPIP Act to ensure no diminution in the protection of privacy and personal information in the outsourcing of government services to private sector and not for profit service providers

This repeated the concerns expressed in a statutory review of the PPIP Act undertaken in 2004 and reemphasised in a 2017 special report. Dr Coombs then said:

Misuses of personal information and data breaches are not random events; they result from poor organisational governance and practice, and the conduct of employees and contractors data breach notifications and complaints to my Office are increasing.

In concluding her report, Dr Coombs said:

For Governments wishing to participate in the global information economy, the confidence of citizens that their privacy and information will be protected, is essential if accurate and complete information is to be provided.

The type of reform that the bill proposes would, Dr Coombs wrote:

establish mechanisms that deliver real benefits to those individuals within NSW who experience incursions into their informational privacy rights.

In an age of smart phones and social media, where our every activity is often documented by choice and just as often traced without our consent, it has never been more important to safeguard data.

The necessity of tightening data protection regimes was thrown into sharp focus recently. In April a catastrophic data breach at Service NSW saw cyber criminals steal 3.8 million documents, potentially exposing the birth certificates, credit card details, medical records and financial information of up to 186,000 people. This leaves the Government with a potential liability of $7.44 billion because compensation of up to $40,000 is payable from public sector agencies to people who suffer loss or damage as a result of a privacy breach. In the aftermath of this breach, a number of residents of the Charlestown electorate reached out to me concerned that their data had been exposed and was now in the hands of cyber criminals.

One elderly man, who had been a victim of identity theft, told me in detail how damaging the experience had been for him and for his family. Years after his data was exposed he was still trying to extricate himself from the mess. Those exposed by the Service NSW breach may have to wait until Christmas to find out about that breach. As one constituent told me via social media, "It's as though the horse has already bolted." Another said, "In the meantime those individuals who have had their data stolen are potentially having their life savings stolen and their credit history destroyed." It is possible that the information harvested by these criminals could fall into the hands of hostile state actors, rogue non-state actors, criminal syndicates and even terrorists.

These concerns might have seemed alarmist once, but when the PPIPA Act was introduced smart phones seemed like science fiction. In 2020 we conduct a lot of our business via Zoom and most of our banking by smartphone app. We shop online, we live through social media, we access government services through online portals, and the digital frontier has become an important theatre in the fight against extremism of all stripes. As more and more services move online, as more and more services once delivered by government are being delivered by private contractors and as more and more people come to rely on the integrity of government computer networks to safeguard their information and privacy we need to make sure their information is kept safe.

Breaches such as the Service NSW catastrophe undermine confidence in our government services. One constituent said on social media, "Excellent, [the breach is a] good reason not to have our info because it clearly cannot be guaranteed to be protected." Efforts to contain the COVID-19 pandemic have made it clear that trust in government is important in a crisis. How can we expect people to trust government if we cannot even protect their data? The Government should support this bill. The Government should support that the protections for personal data provided by the PPIPA Act should apply equally to that data that is held by organisations the Government pays to provide services. My constituents in Charlestown expect that their personal information, if given to the Government, or someone acting on behalf of the Government, is safe and well regulated. We in this Parliament need to do whatever we can to ensure that safety. The potential liabilities to the State and the potential damage data breaches can do to individual lives require this. I support this sensible and well-crafted bill.