
Privacy and Personal Information Protection Amendment Bill 2022

Hansard ID: HANSARD-1323879322-129439

Hansard session: Fifty-Seventh Parliament, First Session (57-1)


Second Reading Debate

Debate resumed from 9 November 2022.

Mr MICHAEL DALEY (Maroubra) (16:50:04):

On behalf of the Opposition, I contribute to debate on the Privacy and Personal Information Protection Amendment Bill 2022. I welcome the legislation. For many years the Opposition has been trying to have this type of legislation brought forward and successfully passed through this House, but there has been inexplicable delay on the part of the Government. We live in an age in which people are beginning to learn—the hard way, I think—about the value of personal information that is held by external entities, whether those entities are government or privately owned. Some people do not care, and they will learn the hard way. They are starting to learn now as a result of recent celebrated cases of data breaches suffered by Optus and by AHM. Those data breaches have brought to the fore a greater realisation among the public of what might flow from such data breaches.

In addition, we have seen data breaches that could have been better dealt with if the Government had brought this type of legislation before the House a long time ago. Data breaches have been weaponised by this Government and used against its political opponents. That was not accidental; it was intentional. If this legislation had been in operation, the Government might have investigated those breaches more effectively. My colleague the former shadow Attorney General and member for Liverpool, Paul Lynch, recognised that when in 2016 he introduced the Privacy and Personal Information Protection Amendment (State Owned Corporations) Bill 2016. On 17 March 2016, he stated:

The object of this bill is to amend the principal Act, the Privacy and Personal Information Protection Act 1998, known as PPIPA or the PPIP Act. The amendment proposed is to remove from the principal Act the exclusion of State-owned corporations … from that Act and to extend that Act to State-owned corporations that are not subject to the Commonwealth Privacy Act. This proposal adopts a recommendation of the New South Wales Privacy Commissioner in her report under section 61B of the Privacy and Personal Information Protection Act dated February 2015 and tabled in this Parliament.

He went on to say:

The Privacy and Personal Information Protection Act provides that the public sector agencies included within its regime are legally bound by the information protection principles. These include that information about individuals must be relevant and accurate and not intrude upon personal affairs. Public concerns over these issues and potential breaches are becoming greater rather than receding. There are increasing worries, for example, about big data. The Privacy and Personal Information Protection Act provides for a regime of internal review with obligatory advice to and consultation with the Privacy Commissioner.

He continues:

The Government has taken no steps to act on this sensible recommendation. Accordingly the Opposition proposes this bill. I note the Privacy Commissioner has reiterated her position as recently as two weeks ago at a parliamentary committee hearing.

In answer to a question in the committee hearing, the Privacy Commissioner stated:

When that exemption was put in it was very much about SOCs being on a level playing field with commercial organisations. Since then SOCs are covered by the 1988 Commonwealth Act, and I think there are three prescribed under the schedule at the back. I note that the statutory review of the Privacy and Personal Information Protection Act which occurred in 2003-04 recommended that SOCs be included in the legislative regime of the New South Wales privacy legislation and the NSW Law Reform Commission made a similar recommendation that they be brought in. My view is that it is entirely appropriate.

Nevertheless, the government of the day sought to oppose the bill. That was the first step by the Opposition to drag this Government kicking and screaming to greater realisation and greater action. In fact, the member for Ku‑ring-gai, who is now a Minister, embarrassed himself particularly that day. His second reading speech records these comments:

In the Stalinist world in which Australian Labor Party members operate they think every business, regardless of circumstances, and every State owned corporation ought to be, with a stroke of a pen and without consideration of their operational requirements and individual circumstances, automatically brought under the privacy legislation.

This is the Stalinist one-size-fits-all approach that we often see from the member for Liverpool …

It is comical stuff. There was no action. So the former Attorney General, the member for Liverpool, had another crack when he introduced the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017. It was different subject matter from the first bill but all within the same family, the same species of action—that is, how government agencies deal with private information of citizens. On 16 November 2017 in his second reading speech he stated:

It gives me great pleasure to introduce the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 on behalf of the Opposition. The current legislation in the field of privacy, primarily the Privacy and Personal Information Protection Act [PPIPA], dates from 1998. The significant developments in technology in recent years have increased dramatically the issues and challenges surrounding privacy and the protection of privacy.

The scale and capacity of technology has increased exponentially, as have the potential consequences of privacy breaches. The Government has largely allowed these issues to develop passively and has taken no real action to match technological advances.

He further stated:

The bill that I introduce today is another to deal with the ongoing challenges around privacy in a technologically changing world and in the face of an overwhelming lack of interest by the Government. If it is not about concrete or asphalt, this Government is not interested.

The object of the bill is to require a public sector agency that has caused a serious violation of the privacy of an individual by contravening an information protection principle or privacy code of practice or disclosing personal information kept in a public register to notify the individual concerned and the Privacy Commissioner of the contravention or disclosure.

That bill too fell on deaf ears. On 12 April 2018 the Attorney General—who is the same Attorney General today, the member for Cronulla—said that more time was needed. He stated:

… the Opposition appears to have developed this bill without considering whether the existing scheme for privacy breach reporting in New South Wales is adequate; without considering whether a mandatory reporting scheme is necessary or would be useful in New South Wales; without considering the resource and regulatory implications of its scheme for this State's hundreds of public sector agencies of various sizes and functions; …

In other words, "We need more time." So we waited and waited. Again, on 20 June 2019, the member for Liverpool, the shadow Attorney General, had yet another go when he introduced the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2019. He stated:

It gives me great pleasure on behalf of the Labor Opposition to introduce the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2019. This is almost identical with a private member's bill of similar title that I introduced in 2017. There are some minor updates, for consistency of expression from that earlier bill, the updates being proposed by Parliamentary Counsel. The substance and legal aspects of the bill have not been altered. When previously introduced to this place, the Government expressed its opposition to the measures in the bill. That opposition at the time was unpersuasive and the effluxion of time has made the case for the bill even stronger. Recent events, including a censure motion against a current Minister, have made the case for this bill, in my opinion, overwhelming.

The objects of the bill are to require a public sector agency that has caused a serious violation of the privacy of an individual by contravening an information protection principle or a privacy code of practice, or by disclosing personal information held in a public register, to notify the individual concerned and the Privacy Commissioner of that contravention or that disclosure. … The Government for the last eight years has been entirely innocent of any interest in this area.

We can now make that 12 years. He continued:

In a report dated February 2015 the commissioner, in recommendation 10 of that report, said:

The PPIP Act be amended to provide for mandatory notification of serious breaches of an individual's privacy by a public sector agency similar to that proposed to be provided in the Privacy Act 1988 (Cth).

The change proposed in this bill has already been adopted by a conservative Federal Government.

On 1 August 2019 in her speech during the second reading debate, the member for Lismore stated:

When I came to this place I expected the New South Wales Government to have a legislative agenda that included bills such as this, and was surprised to find it did not. Bills are not simply pieces of legislation; they represent the public policy priorities of the government of the day, which has a duty to represent the public policy priorities of our society and policies that are redolent of the times. This bill reflects a real problem confronting society.

Nevertheless, again, on 1 August 2019 the Attorney General and member for Cronulla stated:

The Government opposed that bill on the basis that it had been developed without consulting affected stakeholders.

All affected agencies should be given an opportunity to comment on the design of any mandatory notification scheme before it is introduced. … It is not costed, it has not been consulted on and it has failed to provide the community with an opportunity to have their say.

In other words, it is an Opposition piece of legislation so we are going to oppose it on principle and pretend that it has not consulted on it, therefore neither have we for the past three years—to that effect. For the fourth time, on 14 November 2019, the member for Liverpool introduced the Privacy and Personal Information Protection Amendment (State Owned Corporations) Bill 2019. He stated:

A substantially similar bill was introduced by me in the previous Parliament, although it incurred the traditional and predictable opposition of the Government.

In recent years the protection and defence of privacy has not received the regard that it is due. Indeed, privacy legislation in this jurisdiction is in need of thorough reform.

Guess what? It was opposed again by the Attorney General and member for Cronulla. In this place on 27 February 2020 he stated:

I acknowledge the advocacy of the member for Liverpool for privacy reform. … Following appropriate consultation I intend to progress a government bill in the future that will propose privacy reform in this area.

In March 2016 the member for Liverpool introduced a bill seeking to amend the Privacy and Personal Information Protection Act [PPIPA] in a similar manner—

he did indeed—

The Government opposed that bill on the basis that it had been developed without consulting State-owned corporations and without full accounting for the effect that those provisions would have on their operations. As then Attorney General Ms Gabriel Upton, MP, emphasised in 2016, the Government does not oppose State-owned corporations being covered by privacy legislation in principle. However, it is essential that any extension of privacy legislation is done in a manner sensitive to the unique operating environment of each agency and is only introduced following appropriate consultation …

Blah, blah, blah. That was 27 February 2020. And here we are today. Once again, I pay homage to the member for Liverpool for his care and regard in this matter and others. The member for Swansea and the member for Canterbury have fought the good fight on this issue. I have regard to all of the time frames in respect of these attempted developments. In his second reading speech on 9 November 2022 the Attorney General said:

The Government has undertaken extensive consultation during the development of the bill. In July 2019 submissions were invited from the public in response to an issues paper that sought feedback on whether a mandatory scheme should be implemented in New South Wales, and if so how it should operate. The Department of Communities and Justice received 23 submissions from agencies, members of the public, local councils, universities and various advocacy and professional groups. All submissions supported a mandatory notification of data breach scheme.

We could have told the Government that four years earlier. He continued:

In May 2021 public submissions were invited…

In other words, in July 2019 the Government invited submissions. The Attorney General says in May 2021 public submissions were invited on a draft exposure bill. That is two years after 23 submissions unanimously said, "Go for it." Two years later, the Government finally gets around to drafting an exposure bill. The Attorney General said:

In May 2021 public submissions were invited on a draft exposure bill proposing a specific model for the MNDB scheme. The department received 32 submissions in response, including from agencies, State-owned corporations, interested private sector entities and interested members of the public. Those submissions indicated overwhelming support for the scheme—

we could have told the Government that—

and proposed a number of improvements to the bill. As a result of this extensive consultation, the New South Wales Government is confident the bill strikes the right balance between the need to protect individuals who are impacted by data breaches and what is appropriate and workable for agencies. I am pleased to note that the Privacy Commissioner also supports the important reforms contained in the bill.

We know that because the Government told us that in 2015—seven years ago. No-one can accuse the Attorney General of rushing things. He is a cautious and conservative man, but this takes the cake. This bill is seven years in the making. It is a good bill. It is good law, but it should have been implemented a long time ago. The tragedy is that the bill has been brought before the House in the final week of a four-year Parliament. The debate today is occurring after last Thursday's cut-off for business proceeding from the Legislative Assembly to the Legislative Council. I want the Attorney General to clarify that. If the Attorney General or the Government do not seek or are not granted urgency by the Legislative Council, this bill will lapse.

I would never impugn improper motives to the Attorney General because I think he is a good man, but I do not think Cabinet wants him to proceed with the bill with any haste whatsoever. No other conclusion can be drawn from the inordinate delay of seven years since the Privacy Commissioner recommended some of the changes inherent in this bill. To then have brought them to the House at not one minute to midnight but five seconds to midnight after the cut-off for business proceeding to the Legislative Council, one can only infer that the Government does not want the bill to proceed. Therefore, on behalf of the citizens of New South Wales, one must reasonably ask: What is the Government trying to hide? What is wrong behind the curtain of secrecy that has attended the lack of action with respect to these subject matters for so many years?

I will not go over the contents of the bill too much. It is good law, as were shadow Minister Lynch's bills. There are, and always have been, serious concerns about the sorts of breaches detailed in the bill. The problem is getting worse. It is not just Optus and Medibank and AHM. It is not just the private sector. It is within the government sector as well. The laws are well overdue. I want the Attorney General to say that Cabinet has already determined that urgency will be sought in the Legislative Council so it can get this business done finally in this term of Parliament. It should have been done in the previous term of Parliament.

Ms JODIE HARRISON (Charlestown) (17:09:04):

I contribute to debate on the Privacy and Personal Information Protection Amendment Bill 2022. I share the concerns of the shadow Attorney General and member for Maroubra. The Privacy and Personal Information Protection Act [PPIPA] is the basis of this State's privacy laws. It dictates how New South Wales government agencies manage personal information. It was introduced in 1998, and a lot has changed since then. In this age of online information it seems that every detail of our lives is being kept and recorded in one form or another by social media corporations, by online advertising firms, by the businesses we trust with our telecommunications and health insurance, and of course by government agencies. While the PPIPA has been amended from time to time in the nearly quarter of a century since it was enacted, elements of it are still in need of modernisation.

From the outset, I join my colleagues in not opposing the bill. It is about time that this legislation was brought into Parliament and that those opposite finally engaged in PPIPA reform. The PPIPA does not currently require mandatory notification of data breaches by government agencies. That leaves the NSW Privacy Commissioner to oversee a voluntary reporting scheme, which encourages agencies that have experienced serious data breaches to report the details of the breach to the commissioner. Given that, the proposals contained in the bill are a set of commonsense reforms, amending the act to establish the mandatory notification of data breaches scheme, which will require New South Wales public sector agencies to act to contain any breach and assess the likely severity of any impact on New South Wales citizens. It will require an agency to notify those citizens and, if the agency assesses that the breach is likely to result in serious harm, the Privacy Commissioner as well. It will require the said agency to issue a public notification if an impacted individual cannot be identified or it is not reasonably practical to notify them.

The bill expands the regulatory responsibilities of the Privacy Commissioner to include investigation and monitoring agency compliance with the mandatory notification of data breaches scheme, empowering them to access agencies' premises as needed and to report on agencies' systems, policies and procedures. The bill also removes the exclusion of State-owned corporations from the Act and extends the Act to cover those which are not subject to the Commonwealth Privacy Act 1988. The amendments carry over to the Fines Act 1996, removing a provision requiring Revenue NSW to notify of unlawful disclosures under a separate scheme, and the Government Information (Public Access) Act 2009, putting in place a conclusive presumption that there is an overriding public interest against the disclosure of information related to an assessment of an eligible data breach under the scheme.

As I have said, the reforms in the bill are common sense. They sound very familiar as well. My colleague the member for Liverpool, in his role as shadow Attorney General on this topic, has moved bills no less than four times previously, including in 2016 with the Privacy and Personal Information Protection Amendment (State Owned Corporations) Bill, in 2017 with the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill, and twice in 2019 when both those bills were reintroduced. Each and every time the member for Liverpool and then shadow Attorney General, Paul Lynch, introduced those bills, the Government opposed those much-needed reforms. It is playing catch‑up. It seems that the horse has bolted to a certain extent.

The Government has proven to be almost wilfully negligent in its refusal to engage in PPIPA reform. Now the Government is introducing what effectively is the same legislation on the third last day before an election; after the cut-off date for business which passes this House to go to the other Chamber; and too late to help the thousands of people in my electorate and the millions of people across the State who might have fallen prey to criminals who try to dupe them out of their money and steal their identities. That is outrageous, not least of all because Australia has been hit by two major data security breaches in a matter of weeks. As many as nine million current and former customers of Optus had their personal information hacked from the company's database, including everything from their names and birthdates to passport information and driver licences. Then hackers hit Medibank and AHM, exposing the private medical records of patients on the dark web and revealing such intimately personal details like whether they had had an abortion or had been treated for drug and alcohol abuse. Those are examples of what can happen when data is breached.

This Government holds a considerable amount of personal information, so the bill is sadly overdue. Data breaches generate considerable and understandable anxiety amongst the Charlestown electorate. A number of constituents contacted my office in the immediate aftermath of the Optus hack wanting some idea of what they could do to secure their information and what support was available. Unfortunately, advice from the Government was not forthcoming in a timely manner. As the extent of the privacy breach became clear, the Minister's office promised at 9.00 a.m. to provide details on how to assist concerned constituents. By 4.51 p.m. on that day that advice had still not been received, and there was an incredible amount of concern. Instead, the Minister chose to post on Twitter and failed to advise my electorate office, or any other electorate office, of the supports in place for those impacted.

The anxiety since the breach has been pronounced. One man in his seventies approached me at a street stall concerned that the information that he had given to become a member of a club might be exposed. Another commented on my Facebook page that just days after the hack he was woken at 4.17 a.m. by a call from an unknown number. The Optus hack comes after a major data breach at Service NSW in May 2021 exposed the personal data of 186,000 of the State's citizens, including me and a number of other MPs, and saw 3.8 million documents leaked to criminal actors. By the Government's own admission, that attack happened because Service NSW did not use multi-factor authentication for staff logins, meaning that the agency responsible for most face-to-face interactions that citizens have with their government was not following the guidance from the Australian Cyber Security Centre.

Indeed, a report published last year by the Auditor-General indicates at least 26 government agencies may be vulnerable to this type of attack. The Service NSW breach was a stunning lapse from members opposite. While it is not surprising that public sector agencies such as Service NSW hold sensitive information about citizens—including personal, health and financial information—what will come as a surprise to many of my constituents is that it is currently not mandatory for public sector agencies to report data breaches of personal and health information.

Just today it has been reported that a woman who fled her abuser, a man with links to organised crime, after securing help from support services and the police, has had her safety compromised because of an oversight by Service NSW. After managing to get to safety in New South Wales, she contacted Service NSW to update her driver licence and registration, making sure that they knew she had fled Queensland to escape an abusive situation. Service NSW promised that everything would be sent to her new address. Instead, it was all sent to her old address in Queensland, exposing her private information to her abusive ex-partner. That case is horrific and it represents a microcosm of what is at stake when we talk about the privacy and security of personal information. In my contribution to debate on the Privacy and Personal Information Protection Amendment (Service Providers) Bill 2020 I said:

It is possible that the information harvested by these criminals could fall into the hands of hostile state actors, rogue non-state actors, criminal syndicates and even terrorists.

The Australian Federal Police Commissioner, Reece Kershaw, has now confirmed that a network of Russian criminals is responsible for the Medibank hack. As horrible as the impacts on individuals may be, this goes far beyond inconvenience and anxiety for customers afflicted by these hacks. I do not oppose the bill, but I must ask why has it taken the Government so long to introduce this legislation. What has it been waiting for? Why has the Government dragged its feet for so long that now this reform will not be able to be considered by members in the other place, unless urgency is sought? Members opposite have once again failed to do the right thing by the people of this State.

Mr MARK COURE (Oatley—Minister for Multiculturalism, and Minister for Seniors) (17:19:17):

I support the Privacy and Personal Information Protection Amendment Bill 2022. The New South Wales Government is focused on providing quality and innovative services to our customers. Increasingly our customers expect services that are easy to use, digital and personalised. Those services require the Government to collect personal information. Unfortunately, with any collection of information there is the risk of a security breach. It is vital that the Government demonstrates accountability and responsibility with regard to the personal information that it collects. The people of New South Wales should feel confident that when they engage with government agencies, their information will be treated with care and respect, and that their privacy and security will be taken seriously. We all understand that data breaches cannot be avoided completely. The people of New South Wales understand that too.

The Government and the private sector alike face ongoing privacy and security risks, ranging from cyber attacks to human error. It is important that when those risks materialise, we have a clear and consistent response that prioritises the people at risk of harm. The bill will establish a mandatory notification of data breach scheme for all New South Wales government agencies and State-owned corporations. All agencies will be under the same obligation and framework when faced with a suspected data breach. When faced with a data breach resulting from unauthorised access, disclosure or loss of personal information, the agency will be required to immediately make all reasonable efforts to contain the breach. That is very important.

The scheme will also require the Privacy Commissioner to assess whether a reasonable person would conclude that it is likely to result in serious harm to the person whose information has been breached. That assessment ensures that agency resources are focused on notifying those at greatest risk of a breach. If the agency assesses that the breach is likely to result in serious harm to an individual, it must notify the Privacy Commissioner—this is really important—as well as impacted individuals. As a fallback requirement, where impacted individuals cannot be identified, or it is not reasonably practicable to notify them, the agency must issue a public notification. The scheme will also expand the powers of the Privacy Commissioner to enable the commissioner to investigate, monitor, audit and report on the scheme.

The mandatory notification of data breach scheme is one of a range of measures that the New South Wales Government is taking to protect customer information and support customers if a breach occurs. The scheme will complement the work of ID Support NSW, Cyber Security NSW, and the Information and Privacy Commission, as well as dedicated programs to increase and uplift capability in privacy awareness and management across government. This work demonstrates the Government's very important commitment to the privacy and security of personal information. It aims to give the people of New South Wales the confidence to continue to access the services and digital offerings that make their day-to-day lives easier in the knowledge that government agencies have clear, mandatory protocols in place for managing data breaches. I commend the bill to the House.

Ms YASMIN CATLEY (Swansea) (17:23:38):

I make a contribution to debate on the Privacy and Personal Information Protection Amendment Bill 2022. I echo the sentiments of the shadow Attorney General and make clear that Labor will not oppose the bill. This important legislation will strengthen the New South Wales Privacy and Personal Information Protection Act 1998, which I will refer to as "the Act". It dictates how New South Wales government agencies manage personal information. The current Act does not cover State-owned corporations, which simply elect to follow the Act or not, or are governed by the Commonwealth Privacy Act 1988. Currently, government agencies are not required to disclose a data breach. Instead, the Privacy Commissioner oversees a voluntary reporting scheme for agencies to report a data breach to the commissioner to assess, provide advice on and investigate. That opt-in system is simply not working, with data breaches going either undetected or unreported.

The Privacy and Personal Information Protection Amendment Bill 2022 will amend the Act to establish a scheme, which will apply to all New South Wales public sector agencies, for mandatory notification of data breaches. Under the proposed amendments, in the event of a suspected data breach, an agency will be required to contain and assess the likely severity of the breach on impacted citizens; notify the Privacy Commissioner as well as impacted individuals if the agency assesses that the breach is likely to result in serious harm to an individual; and issue a public notification when impacted individuals cannot be identified, or when it is not reasonably practicable to notify them.

To support the mandatory notification of data breaches scheme, the powers of the Privacy Commissioner will be expanded to investigate and monitor agency compliance with the scheme. The bill will also remove the exclusion of State-owned corporations from the Act and extend the Act to cover State-owned corporations not subject to the Commonwealth Privacy Act 1988. The reforms in the bill are long overdue, with the introduction of a mandatory notification of data breaches and the extension of the Act to cover State-owned corporations long advocated for by Labor. It is disappointing that the Government has acted only in this final sitting fortnight of the Fifty-Seventh Parliament. The Government has had the opportunity to support this reform before now. The Opposition has moved four separate private members' bills on this issue. I thank the then shadow Attorney General, Paul Lynch, for bringing those bills to the Parliament on four separate occasions. The Government failed to support them.

All of those proposed bills predated the March 2020 data breach at Service NSW, which exposed over 100,000 citizens' data. Some impacted citizens have still not been notified, with that figure reported to be as high as 40,000 in August 2021. I cannot emphasise enough the importance of government transparency when it comes to data breaches. In the past few years in particular, citizens have trusted governments with substantial amounts of personal data. It is crucial that governments not only maintain the confidence of the public in safeguarding their data but are also agile in updating legislation to reflect our ever-evolving world.

A breach of public confidence on the protection of data would have a devastating impact on the further digitisation of government services. That is why this Government must be transparent with the New South Wales people on any potential data breaches. The public will trust the Government to protect its data when the right safeguards are put in place. One need only look at the uptake of the COVID-19 check-in system during the height of the pandemic. At the time, I worked with the Minister for Customer Service and Digital Government to pass legislation in this House that put in place restrictions on which government agencies could access the data. That gave the public confidence that the data could be used only for the purpose that it was collected. That was an example of this Parliament embracing an agile approach to protect its citizens. I acknowledge the member for Ryde and the Minister, who is retiring from this Parliament. His legacy will be digital implementation. It has been a delight to work with him. I strongly hope that his future is one he can continue to be proud of. That bipartisan approach was embraced by the Parliament and by the New South Wales public sector agencies.

Managing cyber risks

We cannot talk about privacy and data protection without talking about cybersecurity—the two are intrinsically linked. There will always be bad actors seeking to steal government data, whether they be criminals or foreign State actors. Governments must always be on the front foot in ensuring that cybersecurity is a priority for all public sector agencies. That is an area where New South Wales can do better. The Auditor-General's July 2021 report, entitled , which focused on Transport for NSW and Sydney Trains, found that the Government is not managing cybersecurity risks effectively. That finding is deeply concerning. It is critical that each public sector agency's leadership team makes addressing cybersecurity risks a priority. That is not just my view; the Deputy Auditor-General told an upper House inquiry into cybersecurity that executive leadership must value the importance of cybersecurity.

The report found that neither Transport for NSW nor Sydney Trains has fostered a culture that values cybersecurity risk management in executive decision-making. That culture cannot continue in our public sector agencies. The data breaches at Optus and Medibank made clear what is at stake when cybersecurity risk management is not prioritised. I note the announcement on the weekend by the Hon. Clare O'Neil, the Minister for Cyber Security, and the Hon. Mark Dreyfus, the Attorney General, to establish a permanent joint standing operation against cyber criminals. That operation will be led by the Australian Federal Police and Australian Signals Directorate.

The next steps in strengthening our cybersecurity resilience go beyond just fostering a culture that establishes cybersecurity as a priority. They include empowering citizens to have control over their own data, who they share it with and what content they choose to share. Labor is committed to an agile approach to policymaking to protect citizens' data and fight back against those forces that seek to breach citizens' privacy. It is the responsibility of the New South Wales Parliament to make sure that it achieves that, too.

Mr MARK SPEAKMAN (Cronulla—Attorney General) (17:30:47):

In reply: I thank all members who contributed to debate on the Privacy and Personal Information Protection Amendment Bill 2022, including the members representing the electorates of Maroubra, Charlestown, Oatley and Swansea. I address some of the matters that the member for Maroubra raised. First, he suggested that there was some nefarious plot by the Government to introduce the bill in the dying days of the Parliament, with some bad faith on its part that it did not intend to pass the bill. We want the bill passed. The member spoke about the risk of the bill not being given urgency in the Legislative Council but the Government will certainly seek that urgency, which would not be obtained only if the Labor Opposition teamed up with some crossbenchers to deny it. It is certainly our intention to see the supported legislation passed in this term of Parliament.

The contribution by the member for Maroubra did not contain a lot of substantive analysis. He did not go through the detail of the bill to any degree but focused on what he said was an inordinate delay in bringing the bill before the House. The Government has consulted thoroughly and drafted the bill carefully to ensure that it is the best possible one in this area. That is why the bill appears to have consensus support in the Chamber. Consultation on the bill has been extensive, unlike the bills introduced by the member for Liverpool. I do not detract from the good intentions of the member but, largely, there was no consultation on those bills. For example, for this bill, there has been consultation with the Information and Privacy Commission, State-owned corporations and government agencies. That consultation raised a number of significant matters that required additional consideration, which we have given and made appropriate changes.

Following the public consultation that was undertaken, it is not a matter of just sitting there and falling asleep and stagnating. We have made key amendments to the bill. For example, we have amended the proposed power of entry for the Privacy Commissioner to ensure that there is proper procedure before the exercise of power. We have amended, compared with an exposure draft, the wording of the assessment threshold to make it identical with that of the Commonwealth. The amendments were assessed as unlikely to change the operation of the threshold in practice. We have established additional requirements for the approval of an extension to the assessment period to ensure that that occurs only where appropriate. We have expanded the circumstances where an agency is required to issue a public notification, and an agency will be required to issue a public notification only where it is unlikely to identify, or able to notify, impacted individuals.

We have clarified that an agency will not be required to include in the notification to the Privacy Commissioner the personal information that was the subject of the breach. Instead, it will be sufficient for the agency to provide a description of the information that was breached. We have clarified that there would be reciprocal information-sharing provisions between the Privacy Commissioner and Cyber Security NSW. We have expanded the information that must be included in the register for eligible data breaches, including the steps the agency has taken to mitigate the harm caused by the breach. We have expanded the circumstances where an agency can confirm with another agency the name and contact details of a notifiable individual and whether the individual is deceased. So the agency will now be able to utilise this provision when preparing to notify impacted individuals in accordance with the recommendation made by the Privacy Commissioner. We have included a regulation-making power for the exemption for ongoing investigations and proceedings to allow consideration of whether the exemption should be expanded to include other types of investigations on a case-by-case basis.

Slow and steady wins the race or a stitch in time saves nine. I could probably think of other metaphors, but what we have done is take the time to consult carefully with a wide range of stakeholders and with the public to get the details right. I have just given examples of where those details have been refined in that consultation process. In contrast, the bills introduced by the member for Liverpool did not have that degree of consultation and there were defects. It is all very well for the member for Maroubra to say that there was overwhelming support for many years for a mandatory notification of data breach scheme. But the problem was that there were considerable issues with the way that the member's bill was drafted. In particular, a threshold of serious invasion of privacy rather than serious harm meant that his bill was not consistent with or harmonious with the Commonwealth legislation.

Incompatibility with the Commonwealth scheme is important where some State agencies have what I will call Commonwealth information—tax file numbers and so on—and it is important to have a consistent scheme. That is the issue. In the end, we have arrived at a first among Australian States or Territories. Again, it is all very well for the member for Maroubra to complain about delay but we are still the first State or Territory in the country to have a mandatory notification of data breach scheme. In this area we lead some governments in this country. It is not just important to have legislation that requires notification; it is important to try to prevent data breaches in the first place. In response to some of the observations of the member for Charlestown, I note the following significant proactive steps that this Government has taken to prevent data breaches.

We have continued to grow Cyber Security NSW, which is dedicated to uplifting the cybersecurity maturity of all New South Wales Government entities. In 2020 we allocated $60 million to establish and fund Cyber Security NSW across three years. Since that time, Cyber Security NSW has grown rapidly to provide a range of support services and tools to enhance the Government's holistic capability to prevent, detect and respond to cybersecurity incidents aimed at government entities. For instance, the provision of training for New South Wales Government is a primary area of focus for Cyber Security NSW. We are aware, as a government, that cybersecurity is not set and forget. Protecting the private information of New South Wales citizens requires ongoing investment and a continual advancement of our capabilities. Cyber Security NSW has a vast range of governance and operational initiatives underway to enhance this Government's cybersecurity moving forward.

We have established ID Support NSW—again, an Australian first. We are leading the country. It provides a no-wrong-doors approach to support New South Wales customers who are affected by identity misuse, regardless of the source of the compromise. Additionally, ID Support NSW plays a role in uplifting privacy and cyber resilience across both the public and private sectors through an education and awareness campaign. This has been a thorough and careful process. I have identified some of the details of the legislation that have been tweaked as a result of this consultation. With this legislation, New South Wales will lead State and Territory governments in Australia as the first Australian State or Territory to have a mandatory notification of data breach scheme. It is the result of careful consultation. It will be compatible with the Commonwealth scheme, unlike Labor's proposals that have been dished up from time to time.

Previously one of my colleagues described one of Labor's bills as a pink batts for privacy—not costed, not consulted on. It failed to give the community an opportunity to have its say. In contrast, this bill has been consulted on thoroughly. As a result, we have refined the detail. But, at the same time, we are not just passing laws; we are investing huge amounts of money, huge amounts of resources, to ensure that we can prevent data breaches where possible because we know that, sometimes through accident and unintentional disclosure but, sadly, more and more often through cyber attacks, the data of our citizens will be exposed. We are doing all we reasonably can to prevent those data breaches happening. When, sadly, they do happen, we will now have a first for Australian States and Territories: a scheme in place to require mandatory notification so that private citizens can mitigate the harm they may suffer and at the same time require agencies to take all reasonable steps to mitigate that harm. That is the reply. I commend the bill to the House.

The DEPUTY SPEAKER:

The question is that this bill be now read a second time.

Motion agreed to.

Third Reading

Mr MARK SPEAKMAN:

I move:

That this bill be now read a third time.

Motion agreed to.