As the federal government announces its $230 million cybersecurity strategy, legislation that would let people know when their personal data has been hacked will not pass before the election — again.
After promising to bring on mandatory data breach notification legislation for more than a year, the government appears poised to finally introduce a bill in budget week. It is one of 27 pieces of legislation — including the budget appropriation bills — listed to be introduced into the winter sitting of Parliament beginning in May. But given Prime Minister Malcolm Turnbull has already indicated he intends to go to the Governor-General sometime between Opposition Leader Bill Shorten’s budget reply speech on May 5 and May 11 to dissolve both houses of Parliament and bring on a double dissolution election for July 2, it is unlikely that the legislation will pass before the election.
The exposure draft of the legislation, released by the government late last year, would require companies and organisations to inform people affected by a compromise of their personal data if there were a real risk of serious harm posed by the release of the information. For example, if a person’s credit card details, identification details, passwords or other information were leaked or obtained fraudulently. At the moment, companies report to the Privacy Commissioner on breaches on a voluntary basis, and while many companies have improved their reporting over the past few years, there are still incidents where companies, such as the online shopping site Catch of the Day, wait years before letting customers and the Privacy Commissioner know that a breach has taken place.
The legislation has received a mixed response from industry and government. The Department of Immigration and Border Protection isn’t clear on whether secrecy provisions in its draconian Border Force Act would prevent it from complying with the legislation. The Australian Industry Group said it wasn’t convinced of the need for the legislation because existing privacy law was sufficient, and it would place a burden on businesses to report to government every time they had a data breach.
The ABC (yes, the national broadcaster) and the Insurance Council of Australia argued that businesses should only be required to report if there is a threat of physical or financial harm, because under the current proposal, psychological and emotional harm can vary from person to person.
Telstra, which itself has been victim to a number of data breaches — but has informed the public and the Privacy Commissioner in the past — has argued that the threshold for businesses to report breaches is far lower than it would like.
While the government can introduce and pass legislation to repeal the Road Safety Remuneration Tribunal in just one day, this will be the second time mandatory data breach notification legislation has been introduced and not passed. The last time was by the former Gillard-Rudd government in 2013.
Are there exclusions for data breaches by security agencies?
creeps and crooks, all of them!
We cannot uninvent the mass surveillance security state, nor stop the huge investment of commercial interests in mining almost as ubiquitous data, because it would interfere with our convenient modern 21stC lives. What modern person wants to have to order fresh milk when the fridge can deal with such mandanity through the Internet of Things?
The only protection we, the People, might be able to winkle out of the overweening State, were we so blessed as to have a political party opposed to such hegemony – yeah, I know, I’m dreaming – is to DEMAND, as free citizens – yeh, yeh, dreamin’ – the instant Right to know what is held on us, in real time.
Dream 0n.
As you and the Crikey Censorship Team are far more aware of I.T. threats to Australia from fundamentalist terrorists and their ilk than do most of your devoted camp followers Joshua, you have far less excuse for trivialising these issues.