The Privacy and Personal Information Protection Amendment Bill 2022 is welcome legislation. 

People put a lot of trust in the state to take care of their personal information. This bill is a step in the right direction but we can't wait until another Optus or Medibank data breach to make the government of the day act. 

Abigail spoke in parliament about the bill. 

Ms ABIGAIL BOYD (21:16): On behalf of The Greens, I speak in support of the Privacy and Personal Information Protection Amendment Bill 2022. This reform is long overdue. It is a small part of a much wider body of work that needs to be done regarding our digital rights and data sovereignty. Australia is lagging a long way behind other jurisdictions. We have weak data protection laws, meaning big corporations and organisations hoard our personal information in poorly protected, poorly encrypted servers and repositories—a honeypot for would‑be bad actors. The bill does not do anything to keep our information safer from theft. It merely imposes a mandatory obligation on State‑owned corporations and public sector agencies to disclose to people impacted by a breach of data held by that corporation or agency. Frankly, it is astonishing that the obligation does not already exist and that it requires legislating at all.

The people of this State entrust enormous amounts of their personal, health and financial information to public sector agencies. The Greens are realistic and recognise sophisticated bad actors exist in the cyber space who may be successful in penetrating whatever security arrangements may be in place to protect our data and in making away with bundles of personal information. Ideally, we would have robust systems in place to encrypt or distribute that information in a way that would render the raw data unusable to anyone other than the intended user. But we are not yet at that stage. With that realism in mind, it is not too much to expect that people would be swiftly informed of any breach of personal information, potential or otherwise, so that they can take appropriate measures to safeguard their identity. It is inexcusable for a public sector agency to withhold that notification or deny the public the right to know what is happening with their personal details for fear of reputational damage or public outrage.

Maybe a little more public outrage at data protection failures would provide the impetus for the Government to pick up the pace and implement more robust safeguards to protect our information. A mandatory obligation to notify would also result in more active monitoring by agencies to determine whether a breach has in fact occurred. Recently we have seen just how dangerous data breaches can be. Breaches of data held by Optus and Medibank are two high‑profile and recent examples. The communication of those breaches was inadequate and confusing, but at least there was an attempt.

It is scary to consider the breaches of personal information that may have occurred prior to the introduction of the bill and that have gone unreported and unaddressed. The introduction of a mandatory notification of data breach scheme was a recommendation in the reportScan of the Artificial Intelligence Regulatory Landscape – Information Access & Privacy, prepared by the Information and Privacy Commission. I hope that the bill is the first of many reforms to come out of the recommendations of that report. The report also raises strong concerns, which The Greens share and have been raising, around the increasing use of artificial intelligence and algorithmic decision‑making.

The use of AI in high‑risk areas, particularly when that includes the use of biometrics and facial recognition, has been called out by the Human Rights Commissioner and the Privacy Commissioner as a concern. The Privacy Commissioner's report makes some recommendations around this that I hope will be adopted, and which I will be agitating for. The issue of digital rights and privacy—of regulation and responsible use of technology—is only going to become more urgent. I look forward to working next year with whomever forms government to push this issue forward, to ensure our digital rights regulation and legislation keeps pace with evolving technology trends and to hopefully help shape some responsible and ethical norms in this space. This bill is a small but positive step in the right direction, and The Greens support it.