MARK DREYFUS MP

Member for Isaacs

Privacy by Design Awards 2024

02 May 2024

THE HON MARK DREYFUS KC MP

ATTORNEY-GENERAL
CABINET SECRETARY
MEMBER FOR ISAACS

Good evening and thank you very much for the invitation to speak to you at this important annual event.

I begin by acknowledging the Gadigal people of the Eora Nation as the Traditional Custodians of the lands on which we meet today, and pay respect to their Elders, past and present. I also extend that respect to Aboriginal and Torres Strait Islander people here today.

Thank you to CyberCX and the Tech Council of Australia for hosting this awards ceremony. I would like to acknowledge their ongoing contribution to privacy reform, cyber security and Australia’s technology sector.

Acknowledgements
I would like to extend my appreciation to you all for joining us here this evening. In particular, I would like to acknowledge:

  • Carly Kind, the recently appointed privacy commissioner. Ms Kind commenced in February and brings a wealth of knowledge and experience to this important role,
  • Jacqui Davy and her ongoing contribution to privacy work,
  • Alastair MacGibbon and his expertise and passion for cyber issues, and
  • The members of the judging panel who have lent their time and expertise to support tonight’s awards.

I’d also like to thank Angelene Falk, the Australian Information Commissioner, who was unable to join us tonight.

Angelene will be concluding her tenure as the Australian Information Commissioner later this year and I thank her for her contribution to the Office of the Australian Information Commissioner over many years, her leadership, and her contribution both as the Information Commissioner, and as the Privacy Commissioner.

It’s time for privacy reform

As everyone in this room is well aware, the personal privacy of citizens is under attack – both here in Australia and overseas.

We live in a world where data breaches and cyberattacks are now all too commonplace, and where cybercriminals and nefarious state actors seek out our personal information for financial gain or global strategic advantage.

The global economy relies on data and personal information.

We are all constantly producing valuable personal information as we go about our daily lives.

In the ‘Digital Age’, rapidly-evolving technologies are having a profound impact on the ways in which we engage with each other and the world around us.

Just about all of us are online, nearly all of the time, but in return for this Australians are increasingly being asked to share their personal information in online transactions. And they expect that when they do, their information will be protected and that they will maintain control over it.

Privacy in a digital world is more important than ever to individual Australians, and to society overall.

We know Australians are concerned about the protection of their personal information, and of the risks associated with the misuse or mismanagement of their information.

And we know Australians want more done to strengthen protections of their personal information.

The OAIC's Australian Community Attitudes to Privacy found 89% of Australians want stronger legislation to protect their personal information.

87% of parents want more legislation that protects children’s privacy.

Deloitte Australia’s Privacy Index 2023 shows similar results.

86% of respondents want new rules and regulations around data storage and processing, and 90% of people want greater efforts made to safeguard data and ensure privacy.

The recent large-scale data breaches and cyber incidents affecting millions of Australians have been a sobering reminder of these risks.

These breaches exposed the personal information of Australians to the risks of identity fraud, causing distress to many.

They also exposed the fact that the Privacy Act, which is the primary vehicle for regulating personal information of Australians, is woefully outdated and unfit for the digital age.

The speed of tech innovation and the rise of artificial intelligence underpin the need for legislative change.

It is clear that personal information has immense value – not just to individuals, but to those engaged in marketing, research, product development and advertising.

But the Privacy Act framework dates back to the 1980s and is not fit for purpose for our modern economy.

It’s past time we stopped treating the most personal and private information of Australians as an asset that entities hold.

The Government is committed to finding solutions to these challenges.

Following the major data breaches in late 2022, the Government swiftly developed amendments to the Privacy Act to significantly increase maximum penalties, and to provide the Office of the Australian Information Commissioner with enhanced enforcement powers.

The Government has also appointed Ms Carly Kind as a standalone Privacy Commissioner, restoring the Office of the Australian Information Commissioner to its three Commissioner model.

After nine years of inaction under the former government there is still more to do, and an overhaul of the Privacy Act is needed.

An almost three-year review process, which began in late 2020, has involved extensive consultation with the business sector, media organisations, cybersecurity experts, consumers and civil society – many of the people in this room.

In 2023, the Government responded to that review and set out a reform pathway to better protect Australians’ privacy.

Since then we have continued to consult with privacy experts, business and media organisations to develop these proposals and ensure we get them right.

But one thing is clear. Australia can no longer afford to have inadequate privacy protections. It is vital that our privacy laws properly protect our personal information to promote security and trust in the systems we engage with daily.

Effective privacy regulation builds confidence, which in turn supports data-driven innovation and growth, and the digital economy.

A failure to improve Australia’s privacy standards would not only have implications for individuals, but has the potential to adversely impact the international competitiveness of Australian business. We must keep pace and more closely align with global standards.

Weak privacy laws can also have a devastating impact on women fleeing family violence, allowing their abusers to track them, and cause further harm by sharing their most intimate images and personal information.

At the request of the Prime Minister I will now be bringing forward legislation in August to overhaul the Privacy Act and protect Australians from doxxing - the malicious use of their personal and private information. We will also seek to strengthen laws against hate speech.

This work will complement work already underway across government as we seek to strengthen online safety for all Australians.

Over the next few months I will be calling on my colleagues on all sides of the federal parliament to work with me and the Government to ensure that the personal information of Australians is adequately protected.

Governments, industry and businesses also have an important responsibility to support and build technologies - and develop and implement practices and capabilities - that uphold these expectations.

Privacy by Design
The awards that we are here to celebrate tonight reflect this important commitment to privacy.

The finalists’ work embodies the Privacy by Design Principles, as developed by Dr Ann Cavoukian to see the proactive embedding of privacy and data protection into the technologies, practices and infrastructure that deal with personal information.

Privacy by Design fosters consumer confidence in the products and technologies that we use.

It encourages entities to consider the privacy risks and management strategies across their particular information handling lifecycles.

It recognises that great technological developments and advancements should operate within the ethical bounds of privacy.

There are clear opportunities and benefits for government, industry, and business in incorporating privacy by design to more proactively protect the personal information of all Australians.

Digital ID
That’s why the Albanese Government has taken steps to better protect Australians engaging with the digital economy by passing legislation to ensure identity verification services are secure, to protect the privacy of Australians, and strengthen and expand Australia’s Digital ID System.

This supports development of a national, economy-wide Digital ID system that provides Australians with a voluntary, secure, convenient and inclusive way of proving who they are online.

This work incorporates the legislative framework to create an economy-wide Digital ID system in Australia, while providing Australians with the assurance that accredited Digital ID providers meet high standards for privacy and security.

The Digital ID system has been informed by the operation of the Trusted Digital Identity Framework and extensive stakeholder consultation over several years.

The legislative framework will strengthen the existing voluntary Accreditation Scheme for Digital ID service providers, and expand the Australian Government Digital ID System for use by Commonwealth, state and eventually, private sector organisations.

The privacy safeguards within the legislative framework are an important example of privacy by design in action.

Accredited entities will be required to comply with either the Commonwealth Privacy Act or State or Territory privacy law when providing their accredited service.

This includes application of the Commonwealth notifiable data breaches scheme or a state equivalent where it exists.

These features are significant as they establish a clear framework to ensure appropriate protection of personal information and notification of eligible data breaches.

The legislation further protects privacy for users by requiring express consent for verification and authentication; prohibiting data profiling and ‘one to many’ biometric matching; and including additional safeguards over law enforcement access to information.

These privacy protections recognise the sensitivity of the information that will be held by accredited entities, and the serious implications of mismanagement or mishandling practices for Australians who place their trust in government and industry service providers.

Identity Verification Services Act
Australia’s Digital ID system is supported through the identity verification services that enable Australians to easily, and securely, create a Digital ID.

Secure and efficient identity verification is critical to protecting the privacy of Australians when engaging with the digital economy.

The identity verification services are the only automated national capability that can be used to securely verify identity against government records.

These services allow private and public sector agencies to securely verify personal information with the consent of the individual against existing government records such as passports, driver licences and birth certificates.

They are crucial to the daily operations of government and industry, and form a fundamental part of Australia’s efforts to prevent identity crime.

The Identity Verification Services Act 2023 established a legislative framework to support the continued operation of services, and includes important safeguards to limit the use and disclosure of personal information, and how the services can be used to establish minimum security standards and privacy obligations and to provide security and data breach reporting requirements.

This ensures the Act strikes the right balance between achieving fast identity verification and maintaining strong privacy standards.

Enhancements to Credential Protection Register
The 2022 Optus data breach affected about 10 million Australians, including the compromise of 100,000 passports.

Following this incident, the Albanese Government enhanced the identity verification services through the creation of the Credential Protection Register. The Register protects those whose personal details have been stolen from suffering further harm by preventing their compromised credentials being used as forms of identity.

Since October 2022, over 300,000 attempts to use stolen identity credentials have been blocked by the Register. For example, the Register has prevented attempts to create a myGovID using a compromised Passport and establish new services with telecommunications providers using a compromised driver’s licence.

We know victims of identity crime face ongoing uncertainty, never knowing when a crime is going to be perpetrated in their name using stolen credentials. In 2023, the Government committed over $3 million to allow individuals affected by a data breach to have their identity credentials added to the Register in a more timely manner and to develop a mobile application so that victims of identity crime can be notified when their compromised identity credentials were being used and to take action.

Building on the success of the Register, I am very pleased to announce that the Government will be providing an additional $11 million over the next four years to empower all Australians, not just those that are already victims, to self-manage and protect their identity credentials through a new mobile application, which will have expanded functionality.

Through the mobile application, an individual will have the ability to enable or disable the use of their identity credentials for the purpose of verifying their identity and receive notifications whenever they are used. This will allow an individual to fully disable the use of their credentials for identity verification purposes until they are ready for them to be used.

The application will also allow an individual to see, in real time, if someone has, for example, used their passport to update their details at the Australian Taxation Office. In this situation the individual could then immediately take action to prevent further fraudulent activity.

Control and transparency are fundamental concepts behind privacy by design. These changes will give Australians full control and visibility of when and how their identity credentials are being used, providing the opportunity to disrupt identity crime.

Privacy Act Reforms
The Government is also carefully considering a range of proposals that would further entrench Privacy by Design Principles into our Commonwealth framework.

This includes requiring that privacy notices should be clear, up-to-date, concise and understandable.

The introduction of a ‘fair and reasonable’ test could assist to ensure that the collection, use and disclosure of personal information by entities are fair and reasonable in the circumstances.

The Government is also considering options to respond to recommendations in relation to high risk privacy practices, by expanding the range of entities required to conduct Privacy Impact Assessments for activities with high privacy risks.

These include instances involving new or changed ways of handling personal information that have a significant impact on the privacy of individuals – such as certain kinds of facial recognition technology, or the use of biometric information for identification when used in public spaces.

The Government has also agreed that the types of personal information to be used in substantially automated decisions which have a legal, or similarly significant effect on an individual’s rights should be clearly outlined in privacy policies.

There will also be a right for individuals to request meaningful information about how these decisions are made.

The Government has agreed-in-principle that a statutory tort for serious invasions of privacy should be introduced, to complement the Privacy Act protections.

Based on recommendations made by the Australian Law Reform Commission in 2014, the proposed tort would regulate a broader range of privacy harms, such as the physical intrusion into an individual’s private space, and would extend to individuals and entities who are not otherwise required to comply with the Privacy Act.

The proposed tort will be designed so that privacy protection is appropriately safeguarded and balanced with other rights, including freedom of speech and freedom of the media.

The Government has also agreed-in-principle that individuals should have more direct access to the courts to seek remedies for breaches of the Privacy Act through a direct right of action.

The direct right of action would enable individuals who suffer loss or damage as a result of an interference with their privacy to seek compensation.

This important reform will help enhance individuals’ control over their personal information.

The Government is also considering requiring entities to develop maximum and minimum retention periods for personal information they hold and specifying these in their privacy policies.

Consultation with industry is ensuring that the implementation of the reforms is both feasible and balanced with the regulatory burden on industry.

The Attorney-General’s Department has also convened a cross-jurisdictional engagement forum to facilitate jurisdictions updating each other on key developments in privacy reform and to allow States and Territories to provide feedback on Commonwealth privacy reform proposals, including implications for the work of State and Territory government agencies.

Conclusion
We live in an age where it has never been easier to collect vast amounts of personal data, or to use that information to monitor or harm us.

It is now time to ensure our privacy laws are fully equipped to address the challenges the digital age brings, and match community expectations about the importance of protecting personal information.

Privacy is critical to the functioning of our free and democratic society. It underpins freedom of association, expression and belief, and is of utmost importance to promoting trust in government and industry.

Appropriate privacy protections will empower individuals to exercise more control over how they – and others – use this valuable asset and provide further guards against identity fraud and scams.

The right privacy protections will also encourage industry innovation, and allow businesses to maintain their social licence to deliver digital services and ensure that Australia is seen as a trusted trading partner.

I look forward to continued engagement and cooperation to ensure Australia is a world leader in information privacy protection.

Thank you very much, and my congratulations to all finalists and winners tonight.