Senator Keneally: in light of the new and important oversight responsibilities that the draft bill would confer on the Privacy Commissioner, will the government be providing the Privacy Commissioner with any additional resources?
Ms Chidgey (Attorney General’s Department): There's no intention to provide additional resources. The Privacy Commissioner is able to undertake this work within their existing resources.
"Another issue that I raised with the Attorney-General during discussion about this bill relates to the funding of the Office of the Australian Information Commissioner. In short, I do not think that the evidence of the Attorney-General's Department at last Wednesday's COVID-19 Senate select committee hearing that the commissioner requires no additional resources to fulfil her new oversight responsibilities is credible.In fact, it is incredible. You do not have to take my word for it. Just last October, the Information Commissioner told Senate estimates that her office is already underresourced.The Attorney-General has advised me that his department is engaging with the commissioner to ensure that she has the necessary resources to perform the important oversight functions provided for in this bill, the Privacy Amendment (Public Health Contact Information) Bill 2020. While I welcome that engagement and look forward to receiving an update over coming days or weeks, there is no question in my mind that additional funding is urgently required. The only question is how much.
It is also important to remember that for years the government has refused to appoint a standalone information commissioner, a standalone freedom of information commissioner or a standalone privacy commissioner. Instead, one person currently occupies all three of these important and demanding roles. As I've said repeatedly, this is unacceptable. In light of the new responsibilities that this bill would confer on the Office of the Australian Information Commissioner, now more than ever the government needs to appoint a standalone, dedicated privacy commissioner. The appointment of a full-time and properly resourced privacy commissioner rather than a commissioner forced to split her time between three different and demanding roles would make a further valuable contribution to building public confidence in the COVIDSafe app. It should not take a public health crisis for the government to show that it takes seriously the privacy of Australians.
- The commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a state or territory health authority handling COVIDSafe app data, is complying with the requirements in this bill. And to deal with complaints.
- The commissioner will also have discretion to refer matters that may constitute a breach of a state or territory privacy law to the responsible state or territory privacy regulator.
- The commissioner will provide regular public reports on the performance and exercise of her new powers and functions under part VIIIA.
- The bill applies the existing Notifiable Data Breaches Scheme for which the commissioner is responsible to COVIDSafe app data under section 94S. The bill requires the administrator of the National COVIDSafe Data Store, or a state or territory health authority handling COVIDSafe app data, to notify the commissioner of any data breach involving COVIDSafe app data. The commissioner will then have the power to require the breach to be notified to affected individuals.The notification requirement would be automatic in the event of a data breach, which is much stronger than the protection in the Privacy Act's existing data breach notification requirements.