Mr ANOULACK CHANTHIVONG (Macquarie Fields) (10:24): I make a contribution to the debate on the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2019. I thank and acknowledge the work of the shadow Attorney General and member for Liverpool for bringing this important bill to the House and all my parliamentary colleagues who have made contributions to the debate on this bill. The collection of personal data has never been greater in the history of human civilisation. Technological advancements in hardware and software have the made storage, access, usage, extraction and manipulation through analysis and automated algorithms all the more easy. Gigabytes and terabytes of data can be sent out to a global audience with a click of a computer mouse, a link on a text message or an attachment to an email. Those actions are not always done for proper purposes and may have significant personal and privacy consequences for the individuals involved.
A number of my colleagues have raised many valid points on why the bill is required. I focus on two points: public sector responsibility and trust; and the importance of privacy and the balance of power between those who provide the data and those who control it. Parliament and public sector agencies must always lead the way in setting public standards. Indeed, we should be over and above what is expected. In recent times, we have seen a major erosion in public trust in government institutions. Let me share some data with you—no pun intended given the nature of this bill.
The Australian National University's post-2016 study contains the following results: 56 per cent believe government is run for big interests; 26 per cent of people think government can be trusted; and only 12 per cent believe it is run for the benefit of the people. These are concerning results about what our people think of how government operates. It is our responsibility to find ways to continually improve public services and to increase public confidence in public administration. One of the simplest ways is to own up when a violation has been made and to notify affected people of the violation that led to the breach of their personal data.
Schedule 1 of the bill proposes new sections 59A, 59B, 59C and 59D of the Privacy and Personal Information Protection Act 1998. Proposed new sections 59A and 59B outline when a public sector agency "causes a serious violation of an individual's privacy". Proposed new sections 59C and 59D clearly outline the obligations of a public sector agency that is in breach to notify affected individuals and the Privacy Commissioner, respectively, of any serious violation of privacy it has caused.
It is not and should not be the responsibility of the individuals involved to inquire whether a public sector agency has breached their private data; even worse if they learn of the breach from an external source. Depending on the type of privacy data violation, a breach could create an uncomfortable and potentially embarrassing scenario for the people involved. It is not difficult for a public sector agency to redress a data breach for the people it exists to serve. How could members opposite honestly say that the Liberal‑Nationals Government is in the business of public service if they do not support the bill? If Government members do not support the bill it will not be because the bill has no merit, but rather because it is a Labor bill.
The move towards electronic public administration for all public documents and application forms necessitates increased data collection. Governments are becoming increasingly data‑dependent and data‑driven. Accordingly, they have a responsibility to ensure that people's private data is in every instance. I acknowledge that inadvertent data breaches may occur on the odd occasion in the absence of a systematic failure of process. On such occasions it is imperative for the public sector agencies involved to do the right thing by the public and notify affected individuals at the earliest opportunity.
If that responsibility is too onerous, proposed new sections 59F and 59G of the Privacy and Personal Information Protection Act contained in schedule 1 of the bill provide the Privacy Commissioner with enforcement powers to direct public sector agencies to notify individuals whose privacy has been breached. Hopefully, it will never come to that because public sector agencies should do the right thing by the people they serve and notify them of any breaches involving their personal data, without having to be reminded of their responsibilities and coerced into action.
In an age where private citizens are continually handing over personal data in their interactions with public sector agencies, and in every action they undertake, they must be confident that their personal data will be handled with care at all times. However, should the situation arise where a violation has taken place, inadvertently or otherwise, public sector agencies owe it to affected people to rectify the situation as soon as possible by proactively notifying them of a data breach. It is the courteous and respectful thing to do and goes a long way in building public confidence in government services.
One of the fundamental tenets of our strong and enviable democracy is the right to privacy and anonymity. In an age of technology, terabyte personal data collection and social media, our privacy is continually and incrementally being stripped away—sometimes voluntarily but not always.
The protection of privacy is a mechanism to ensure a better and more equal balance of power for those who have control over a person's individual data and those who have provided the data — either through necessity or voluntarily — but have no control over that data once it has been provided. Public service is important and we want to make sure that we continue to serve the people we represent. I commend the bill to the House.