22 August 2019
Dr MARJORIE O'NEILL (Coogee) (10:30): I support the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2019. I commend my colleague the shadow Attorney General, the member for Liverpool, for introducing the bill and for all the work he and his staff have done in its formation. I also recognise the contributions of my other colleagues, in particular the members representing the electorates of Lismore, Prospect and Canterbury. It is clear from their contributions that they and all Opposition members understand that the role of legislators is to act on the priorities of the public and that this bill addresses a real and significant problem confronting contemporary, modern society.
Modern government has institutionalised a reliance on data sharing and storage. As citizens in 2019, to interact with government departments and participate in the common life of New South Wales, we are required to share our private information. That can no doubt be effective as it allows the public service to do its job better and allows the public to get better and quicker results for their inquiries. However, it also poses significant risk to the security and confidentiality of personal data. This apathetic Government, in whom the public's trust is misplaced, is ignoring that risk. Our role as legislators is to take the lead on emerging issues and provide the model for industries to use as best practice; in data security, we are failing in that duty. The bill defines when a public sector agency causes a serious violation of an individual's privacy. It provides the criteria or matters to be determined if privacy has been violated in a serious manner. It makes it compulsory for public sector agencies to notify an individual about any serious violations of their privacy. It makes it compulsory for public sector agencies to inform the Privacy Commissioner about serious violations of an individual's privacy. It also contains a range of measures arising from the four operative inclusions in the Act.
The leak of motorists' personal data sourced from Revenue NSW earlier this year can be characterised only as a serious violation and a lack of requirement to notify in the public domain. The breach made clear the need for the bill to protect the people of New South Wales. I take this opportunity to give a voice specifically to the youth of this State, who do not know life without the internet. The government tracks their every move, including their health records. At no stage have those people given their express permission to government departments to hold that information. In academia, these generations of young people are commonly referred to as digital natives. There is a common belief that digital natives are technologically savvy—which might be the case—but it is easy to identify that unlike members in this place, the digital natives are yet to fully consider the long-term ramifications of identity theft, reputational affliction and of the significant repercussions of data breaches like that seen with Revenue NSW.
The compounding effect for most young people today is that they have never had an option of opting out. From birth their every move, purchase, health concern or run-in with the law is recorded digitally but not once have they consented to that occurring. The sheer number of young people who will have their data tracked without the option of opting out is mind-boggling. The repercussions of a major breach in New South Wales are real and worrying. In recent years we have seen high-profile, globally significant data breaches in the private sector. Around the 2016 United States presidential election the length and depth of data insecurity in modern society was laid bare. In 2015 the personal data of 87 million Facebook users was acquired via 270,000 Facebook users who used a Facebook app called This Is Your Digital Life.
Giving the third-party app permission to acquire data also gave the app access to information on the user's friend network, resulting in the data collection of about 87 million users, the majority of whom had not given Cambridge Analytica explicit permission to access their data. The data was then weaponised to present what amounted to propaganda onto the news feeds of individuals whose votes may have been swayed. There will be over 7½ million people with online accounts with Services NSW and some five million digital driver licences. A break on that scale would have unknown repercussions on the public and the individuals they are connected with overseas.
The events brought the world of data security to a new low, but since then social media companies and all those entities that interact in the data sharing space are on notice for their behaviour and any breaches are covered by privacy law. However, the New South Wales government departments are not. It is disappointing that the Government has not shown more support for this crucial bill when it is clear that more needs to be done. Worse, it seems the Government is happy with breaches occurring so that the information can be used in the private sectors for private benefit. In electorates across the State, people have been encouraged to sign up to a Service NSW account, which requires the integration of a lot of personal data into the one, enormous pool of information, ripe for the picking by private interests. In August 2018 in my electorate of Coogee, more than 140,000 New South Wales drivers across Sydney's eastern beaches region were eligible to participate in a new metro trial of the digital driver licence.
If the Government wants to make the digitisation of information essential for people to engage in day‑to‑day life, it needs to take some leadership on these issues and support the bill. The millions of people across the State who are forced to have online accounts with Service NSW have a right to know that their personal data is secure. I repeat: If the Government wants to make the digitisation of information essential for people to engage in their day-to-day lives, like driving a car, it needs to take some leadership on these issues and support the bill.
If it does not, I am sure later this year I will be back debating a bill that the Government will have put forward on similar themes and direction. That will lead to several more months of data insecurity and risk to the people of New South Wales. The goals of the bill are crucial for the personal security of people in my electorate of Coogee and across New South Wales. The bill will ensure that all public agencies that are found to have violated the privacy of residents of the State notify that person and the Privacy Commissioner of the breach.
Both those steps are essential for continual improvement of data security: The individual is given cause to reflect on the way they share their information and with which government entities it is prudent to share it, whilst the Privacy Commissioner is then tasked with investigating the leak, working with the agency that caused it and developing a mechanism to avoid similar breaches in the future. It is pretty simple. Never before has government been so outrun by an industry within society and, therefore, information technology and sharing poses a significant risk to the effectiveness of government in protecting its people.
As legislators, we have no option but to chase technological innovation and at every turn, ensure that the people of New South Wales do not come to harm due to a lack of regulation and intervention. The unique significance of the bill is that it is created to protect individuals from mistakes made by this Government. If we cannot be industry leaders, if we cannot be the model for data security, then we cannot hope private industry to follow. The public deserves this law; it deserved it years ago when government departments began forcibly moving the data of private citizens online. I commend this bill. May it give greater security to the people of New South Wales and act as a prompt for vigilance from this Government in the realm of cyber protection.