With an election on the horizon, there are several draft laws (“bills”) before the parliament and out for public consultation that will significantly impact the ICT industry. Some aspects of the proposed legal changes will create new business opportunities, while others will impose new regulatory requirements.
Intermedium’s best guess is that parliament will be suspended in early April, soon after the Budget on 29 March 2022, for an election on either 7, 14, or 21 May. Thus, there will only be six sitting days for the senate to debate draft legislation: between 8-10 February and 29-31 March.
In this narrow timeframe, the government will be aiming to pass the bills with the support of Labor, rather than relying on the votes of cross bench senators. This may require making some concessions (on scope, penalties, introducing sunset clauses), but would provide affected entities with some stability if there is a change of government.
Trusted Digital Identity Framework Bill
The Trusted Digital Identity Framework (TDIF) is an accreditation scheme established in 2015, overseen by the DTA (we reported the original RFI in June 2015).
In October 2021 the government publicly released an exposure draft of the Trusted Digital Identity Bill 2021 for public consultations. It will create a legal framework to enable various Digital Identity credentials to be used across state, territory, and private sector services.
The bill has not yet been introduced to parliament: and as such, has virtually no chance of being passed before the election, which may have significant knock-on effects on major technology projects underway to support the TDIF.
The government provided steady funding to develop the GovPass credential from 2016-20, before bundling digital funding into a $1.2 billion covid recovery package in the 2020-21 Budget. The December 2021 MYEFO includes a further $161 million over two years for the “Digital Identity system.”
|Second Pass Business Case||$16.8 m||---||---||---||---||---||---||---|
|GovPass Development||---||$22.7 m||$92.4 m||$67.1 m||---||---||---||---|
|Digital Identity System||---||---||---||---||---||---||$80 m||$81 m|
New Zealand is also in the process of establishing a similar framework. The Digital Identity Services Trust Framework Bill was introduced to the NZ parliament in October 2021.
Minister Stuart Robert continues to strongly advocate for expanding the existing Digital Identity regime in his speeches and industry meetings, but some experts continue to raise concerns about possible overreach.
Data Transparency and Availability Bill
The government has been trying to overhaul the national data sharing regime ever since the Productivity Commission report into Data Availability and Use was released in 2017.
After almost four years of consultations, the government is on the cusp of passing legislation to establish a much narrower sharing regime than originally envisaged. Sources confirm that many of Labor’s earlier concerns have been resolved in negotiations – and the bill is “almost there”.
The Office of National Data Commissioner was funded in the 2018-19 Budget, with interim commissioner Deborah Anton appointed in August 2018 to oversee consultations on a new legislative regime. In December 2021 she was replaced by Gayle Miles.
While the revised legislation has not yet been circulated, Intermedium understands that it will establish a legislative framework to share government and university data across jurisdictions, creating significant new demands for associated technologies related to protecting, transferring, storing and analysing data and related services.
The proposed legislation was initially the responsibility of Minister Michael Keenan, who outlined efforts “to introduce data sharing and release legislation to provide a simpler, more efficient framework to govern data” at the inaugural meeting of the Australian Digital Council (ADC) in September 2018, which in turn became the Australian Data and Digital Council (ADDC) and is now the Data and Digital Ministers Meeting – a sub group of the National Cabinet
Minister Robert, who was by then the Chair of the ADDC, introduced the Data Availability and Transparency (Consequential Amendments) Bill 2020, to implement a scheme to authorise and regulate access to government data.
In an unusual move, some provisions of the bill were referred to the Senate Committee on Finance and Public Affairs (FPA) in February 2021, for a short inquiry. The FPA recommended further work be done to allay concerns related to “de-identifying of personal data that may be provided under the bill’s data-sharing scheme.”
Labor senators issued a ‘dissenting report,’ outlining their concern that bill will undermine current privacy protections in the Privacy Act 1988. They were particularly concerned that while the sharing of personal information would be done with the consent of the individuals concerned, there was a provision that said consent would not be obtained if it is ‘unreasonable or impracticable’ to do so.”
The data sharing bill was not mentioned in Minister Robert’s end of year speech to the AIIA.
The bill has not yet been debated in either the House of Representatives or the Senate, but is listed on the draft legislation program for debate in the autumn sittings.
If all parties continue to negotiate in good faith, this bill may well pass before the election.
Note that a similar draft data sharing bill was also introduced to the New Zealand parliament in October 2021, after a consultation timeline that largely mirrors (2018-21) the Australian efforts.
Security of Critical Infrastructure
The Security of Critical Infrastructure Act (known as SOCI) was passed in 2018, creating a register of ‘critical assets’ in specific sectors, including in defence, data storage, space technology, and food security.
In December 2020, then-Home Affairs Minister, Peter Dutton, attempted to introduce amendments to SOCI (Security Legislation Amendment (Critical Infrastructure) Bill 2020), the SLACIP bill. These amendments would expand the reach of SOCI to include cloud technologies (and other sectors) and create mandatory reporting obligations in the event of a cyber security breach.
In September 2021, the bipartisan Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended splitting the bill in two. It suggested proceeding with only the most urgent elements, while leaving other matters for further consultations with affected sectors. The provisions requiring entities to notify the government of a “critical cyber incident” within 84 hours were passed on 22 November and received Royal Assent on 2 December 2021.
The current Minister for Home Affairs, Karen Andrews, announced a round of consultations on the remaining SLACIP provisions, from 15 December 2021 to 1 February 2022, which were supported by a revised Exposure Draft.
More than 700 people attended Home Affairs online ‘town hall’ meeting on 4 February 2022 as part of the consultative process, indicating an extraordinary level of interest in SLACIP.
The department confirmed it had received 66 submissions on the revised bill, and that the new version of the bill may have return to the PJCIS before being debated by the senate.
It is unlikely that a draft bill will be introduced before parliament is suspended. There appears to be little chance that significant industry objections will be overcome before the election.
The Labor Opposition has introduced draft legislation to create mandatory reporting obligations for ransomware payments. It introduced two separate, but virtually identical, draft bills into the parliament to put pressure the on government take action on ransomware.
There is no prospect of either bill passing the government-controlled House of Representatives.