Senator LUDLAM (Western Australia-Co-Deputy Leader of the Australian Greens) (19:06): I move the second reading amendment standing in my name:
At the end of the motion, add:
but further consideration of this bill be made an order of the day for the first sitting day after the Government has tabled the Privacy Impact Assessment conducted by the Department of Immigration and Border Protection.
I rise to add a contribution by the Australian Greens tonight. We have some quite severe concerns about the Migration Amendment (Strengthening Biometrics Integrity) Bill 2015, and I want to acknowledge that some of those have already been put on the record by Senator Brown for the Labor Party, and I also want to acknowledge those committee stage amendments that have been brought forward by the opposition. I think it is unlikely that we will get to debate them tonight, but I indicate in principle support by the Australian Greens.
One of the issues that I do not think Senator Brown went into in her contribution is that a privacy impact assessment was undertaken for this bill and the government is refusing to put that into the public domain. This goes to the second reading amendment that the Greens propose and that I have moved. It was one of the key recommendations that came out of the Parliamentary Joint Committee on Intelligence and Security, which did not oppose the use of biometric data for the purposes that the immigration department intends, as I do not think the opposition opposes it. But they did throw up a red flag around the importance of conducting a privacy impact assessment. The government appeared to have accepted that recommendation, ensured that it was undertaken but is refusing to release it to the parliament.
If the parliament and the senators who are expected to debate this bill are in receipt of the information that has been collected, it would probably make the committee stage of this debate much smoother when we get back to it tomorrow. In the absence of that document, the only conclusion we can draw is that it contains information that would be concerning or alarming, and these are not trivial or hypothetical matters. The Legal and Constitutional Affairs Legislation Committee that conducted the inquiry into this bill of which my colleague, Senator Hanson-Young, was a part, called for the release of that document for full inquiry. If we take this a jump back to the last time significant expansion of powers in this regard was put through this parliament-which was the foreign fighters bill-that was the instance in which the PJCIS, which again includes a majority of coalition senators, recommended that the Privacy Commissioner conduct a privacy impact assessment prior to any further legislation in this area.
The reason why it is so important that this is done is that parliament has had regard to the privacy impacts of successive pieces of legislation passing through here. Earlier in the year, obviously, there was the mandatory data retention bill, which creates very fine-grained information relating to the telecommunications devices that we use and carry around. This bill incorporates material that is much more intimate even than that traffic-fingerprints, retina scans and photographs that can be fed into facial recognition algorithms. Of course it is important to the immigration department and at airport checkpoints to know who is coming in and out of the country, but this is a department that has actually got something of a pretty sorry record of maintaining that material.
One of the privacy principles that was so cheerfully violated by the mandatory data retention bill was the concept embedded in one of the principles that was legislated and updated by this very government: that you should never collect more information than you need for the purpose that you are bringing to bear. It appears the way that this bill is drafted and the reason why stakeholders have raised such significant concerns is that the discretion for the kind of material that can be collected-and the manner in which it can be collected and the people from whom it can be collected-is extraordinarily broad and leaves enormous discretion in the hands of those who would be collecting the information. That is why it is so important that that privacy impact assessment be put on the table before this bill proceeds. It is effectively the impact of the Australian Greens proposed amendment.
A number of groups have raised very significant concern-Australian Lawyers for Human Rights, the Australian Privacy Foundation, the Refugee Council of Australia, the New South Wales Council for Civil Liberties and the Law Council of Australia. These are groups that have had cause to raise significant concerns around legislation brought through this parliament by this government for the last 18 months-in fact, for its entire term. It is becoming quite a familiar roll call of organisations-civil society and legal organisations across the country-who have raised extraordinary alarm at the nature, the thought processes and world view that underlie successive pieces of legislation. They are effectively grabs for power by the state over private individuals without equivalent protections being set up at the same time.
When you look at some of the statements that still exist with no sense of irony on the Liberal Party's webpage about how your founding principles were about protecting individuals from arbitrary power of the state, the depth of the power grabs that have been occurring is remarkable. Regrettably, in the absence of that key piece of information that is being withheld from this parliament, we have to conclude that what we see here tonight is another one of those grabs for power.
The key concerns relate to the security of the data that is collected, and that goes to ensuring that it will not be hacked, leaked and distributed. Given the extraordinary intimacy of this detail that is being collected on people-not just suspects, but everybody transiting our borders-and if this material were to fall into the wrong hands, it could lead to one very obvious scenario: identity theft. If you have this information on an individual, you can assume their identity in almost trivial ways and wreck people's lives.
The Department of Immigration and Border Protection accidentally leaked the personal details of nearly 10,000 asylum seekers in Australia via its website, and that had to be exposed by a media organisation. But, rather than apologise to those people, the department and the minister, who was responsible at the time, got quite defensive about this extraordinary act that was perpetrated on asylum seekers. The risks for Australian citizens living in a fortunate place such as this go to things like identity theft and a whole range of other nasty and adverse consequences that you could consider. But the risks for asylum seekers fleeing violent or totalitarian regimes to then find that their material has been leaked-and we know that database was accessed a number of times before that document was pulled and made no longer accessible-could be a matter of life and death. It is absolutely that serious. This is not a department that has inspired confidence in the past.
The bill appears to provide for a protracted period of retention and, if it is about identifying people who are traversing our borders, you would not expect that that was necessary. The collection of data from children and incapable persons without parents and without any kind of oversight or protection for those vulnerable individuals may run contrary to the United Nations Convention on the Rights of the Child-something that I would have thought that coalition MPs, giving them the benefit of the doubt, would care about quite a bit.
There are insufficient safeguards around the department's use of its new powers, and certainly around the ministerial discretion and the potential for scope creep to occur with respect to the data. For example, Australian law enforcement agencies around Australia are currently collaborating on facial recognition systems-and we went into this in budget estimates a couple of weeks ago-that would allow agencies to cross-match passports, driver's licences and, presumably, a dataset such as this one that is being collected at our borders, to try and identify persons of interest. Again, that is mostly for legitimate purposes. But the only things that prevent this material being used for illegitimate purposes are legal protections, safeguards, oversight and independent assessments of the impact on privacy. That is precisely what is being withheld from this parliament and that is what the Australian Greens second reading amendment goes to.
I thank the Scrutiny of Bills Committee for doing that work behind the scenes. It probably does not appear to be all that glamorous; nonetheless, it is extraordinarily important. The committee's Alert Digest No. 3 of this year states:
Of concern, from a scrutiny perspective, is the enormous breadth of this discretionary power. ... it is clear by the terms of the provision that personal identifiers can be collected for any circumstance ‘where a link to the purposes of the Migration Act or the Migration Regulations can be demonstrated'. ... Given the voluminous content of the Migration Act and regulations, this approach (of not requiring collection to be linked to limited, specified legitimate purposes) represents a fundamental change in approach to the collection of this particularly sensitive category of personal information.
I do not know if there are any other speakers on the second reading list, but, when the minister is given the opportunity to sum up and we go into the committee stage, we will be very interested to know exactly why the powers that are being sought by the immigration department are this broad, what they are going to do to protect people's private information. I hope when we reconvene in the morning to continue debate on this bill there will be laid on the table by the responsible minister that privacy impact assessment. If I am reading the situation wrong, and others wrong, and that assessment has not been done, then there will be questions to be answered about that. But if that document exists, there is absolutely no conceivable reason why it should not be put before this chamber.
The Law Council, who we look to-and who I would have thought the government would also look to-as a moderating influence on power such as this has recommended that the bill not be passed until parliament and the Australian community have the opportunity to consider the results of a privacy impact statement on the bill conducted by the Privacy Commissioner. We can tick that off because there is a second reading amendment on the table. They have also proposed that an independent guardian should be appointed to an unaccompanied minor if biometric information is required to be taken from the minor under the Migration Act. They propose that guidance be provided in the bill on what criteria need to be satisfied before a person is assessed as 'incapable' and that the government consult with stakeholders in the disability and trauma sector on what criteria should be used.
Before we close, I want to acknowledge that the two linked amendments that the AFP have brought forward relate effectively to mandatory data breach notification. That is something I think should be on the statute books already; it should be unnecessary for opposition senators to bring such an amendment forward, but I acknowledge that they have done so. At the moment, you would assume that if somebody is collecting sensitive personal information on you-over which you will lose all control and have no agency over what happens to it-there are three obligations. The first obligation is to collect absolutely no more information than is necessary-and the department appears to be failing that test as the bill seems to be drafted. The second obligation is to make sure that your systems are absolutely watertight and that appropriate and very high levels of protection of that private data are put in place so that the material does not walk. The department, on a couple of very high profile occasions, has failed that test as well. The third obligation should be that if you have collected more than is necessary, if your data security has failed and that material has walked and it has been accessed by third parties who have no business looking at it, then your primary obligation is to notify the people whose privacy has been breached.
The opposition amendment, which the Australian Greens will be supporting, goes to precisely that. That is an obligation the department should owe to people. It is an obligation they owe to those asylum seekers. It is an obligation, ironically, that they owe to President Obama and those others whose material was compromised by I think quite a trivial misreading of an Excel spreadsheet or some other event not that long ago. But particularly where people's private information is at stake, if the department loses control of it their obligation should absolutely be to notify those people. Mandatory data breach notification should be on the statute books in this country not just for this narrow case but much more broadly. It was a commitment the government undertook when they passed mandatory retention a short time ago. They said they would get around to it by the end of the year. That is a measure that should pass this parliament by the end of the week. There is no excuse for delay. I look forward to putting some of these questions to the minister directly when we get to the committee stage.