A major review of Tasmania’s privacy laws is underway to address “multiple gaps” in existing legislation, as the fallout continues over a hack against a third-party provider that compromised state government data.
The review, to be conducted by the University of Tasmania’s Tasmanian Law Reform Institute, was initiated at the request of Independent MP Meg Webb and began accepting public submissions on Tuesday.
Although the review follows a spate of data breaches, the request dates back to December 2019. After applying for a grant from the Solicitors Guarantee Fund, the institute received a portion of the funding requested in May 2020.
According to an issues paper finalised before the release of the Privacy Act Review report, there is currently “no comprehensive privacy regulation” in the state, with protections instead “fragmented across different laws that protect different types of privacy”.
Further “complexity” is introduced when the Commonwealth Privacy Act and other international regulations like the European Union’s General Data Protection Regulation are taken into account, the paper said.
The state’s main piece of legislation is the Personal Information Protection Act (PIPA) 2004, which is binding on government agencies and their contractors but not non-government organisations, such as not-for-profits.
PIPA also ignores the possibility that de-identified information can be re-identified, disregards “unsolicited personal information”, and fails to grant “special protections for biometric information, unlike Commonwealth law”.
“While a detailed piece of legislation, there are multiple gaps in its scope, operation, and enforcement that can jeopardise privacy,” the issues paper said, adding that “advances in technology can exacerbate the impact of these gaps”.
Tasmanian Law Reform Institute director Professor Jeremy Prichard said the review would seek to address these gaps by recommending possible reforms to Tasmanian law in consultation with government and other stakeholders.
“Some of our laws were written two decades ago, so we need to examine how well they apply to new surveillance technologies, facial recognition systems, biometric data and so on,” he said in a statement.
Potential reforms on the table include allowing individuals the right to request that their information be erased – as is being considered at a federal level – and the right to object to their information being processed.
Other “gaps” being considered centre on enforcement, namely penalties for a breach of obligations, and a mandatory data breach notification scheme as has been introduced in New South Wales and is now being considered by Queensland and Victoria.
“These gaps, together with the fragmented landscape of protections under both legislation and general law, means that some circumstances that endanger privacy may fall between the cracks of legal regulation,” the issues paper said.
The review, which will take submissions until July 11 and produce a report later this year, comes less than six weeks after 150,000 people were impacted by a data hack on third-party file transfer service GoAnywhere.
Around 16,000 documents from the Department for Education, Children and Young People compromised in the data breach were published on the dark web, reportedly by Russian ransomware group Cl0p.
“To date, 16,000 stolen documents have been released by the hackers. I can confirm that approximately 150,000 individuals and businesses… have been directly affected by the cyber incident,” Tasmanian Minister for Science and Technology Madeleine Ogilvie said last month.
Do you know more? Contact James Riley via Email.