House of Representatives Committees

Chapter 5 Consumer protection, regulation and enforcement

Introduction

5.1                   The Australian Government has recognised that digital technologies are now so embedded in the daily life of Australians that they must be considered a normal part of the activities of every community sector:[1]

The internet has changed the world—there is no way to go back. A digital revolution is transforming every part of the economy and individuals, businesses and governments have no choice but to adapt or be left behind.[2]

5.2                   Given the centrality of online interactions to the future prosperity of the Australian community and its economy, the Government is instigating legislative reform and developing new strategies to build community confidence in the online environment. Some of these measures specifically target senior Australians; others are aimed at fostering the broader health of the cyber environment.

5.3                   This chapter outlines the responsibilities of the various government agencies in Australia’s cybersafety consumer protection framework before reviewing recent relevant legislative changes and evidence related to them.  

5.4                   The chapter also covers concerns raised in relation to the protection of personal information under eHealth, in particular the Personally Controlled Electronic Health Record (PCEHR), before canvassing some measures to improve seniors’ awareness of cybersafety and help target government programs to protect consumers and contain cyber threats.

Australia’s cybersafety framework

5.5                   Australia’s cybersafety framework is supported by key agencies responsible for developing, administering and enforcing our consumer protection framework. The fundamentals of this engagement were set out in May 2008, when the Australian Government committed $125.8 million over four years to a comprehensive Cybersafety Plan.[3]

5.6                   A whole-of-government initiative, the Cybersafety Plan aims to combat online risks and raise community awareness of those risks.[4] The Plan is a continuation of the former Government’s ‘Protecting Australian Families Online’ initiative implemented over 2007‑08.[5]

5.7                   A range of federal departments and agencies develop the policy and the regulatory architecture in support of the Cybersafety Plan. Others monitor and implement enforcement actions against cybercriminals. These agencies work with State and Territory partners to promote the cybersafety agenda. 

Federal agencies

5.8                   Key federal agencies involved in the delivery of Australia’s cybersafety framework, with a brief description of their functions, are set out in alphabetical order below.

Attorney–General’s Department

5.9                   The Attorney–General’s (A-G’s) Department was formerly co-ordinator of the Government’s whole-of-government cyber security policy. Responsibility for this moved to the Department of the Prime Minister and Cabinet (PM&C) from 14 December 2011.[6]

5.10               The Department now works to address cyber threats and vulnerabilities to Australia’s telecommunications infrastructure with the Department of Broadband, Communications and the Digital Economy (DBCDE), and with NBN Co. on national security issues in the design and operation of the National Broadband Network (NBN).[7]

5.11               The Australian National Computer Emergency Response Team (CERT Australia) operates under the auspices of the A-G’s Department. CERT Australia’s primary responsibility is to inform the private sector about cyber security threats and vulnerabilities and to assist domestic and international CERT partners during cyber security incidents.[8]

Australian Competition and Consumer Commission

5.12               The Australian Competition and Consumer Commission (ACCC) is an independent Commonwealth statutory authority formed in 1995 to administer the Trade Practices Act 1974. Since 1 January 2011, the ACCC also administers the national Australian Consumer Law (ACL) under the Competition and Consumer Act 2010.[9]

5.13               The ACCC’s primary responsibility is to administer the Commonwealth’s competition, fair trading and consumer protection laws. It also promotes and safeguards competition and fair trade policy and regulates national infrastructure industries. As part of this brief, the ACCC’s SCAMwatch website provides advice and registers consumer fraud complaints for both online and offline fraud. In February 2012 the ACCC issued its Best Practice Guidelines for Online Dating to provide guidance to the operators of romance and dating websites and to their clients.[10]

5.14               The ACCC also works with State and Territory fair trading agencies and other government agencies to promote general awareness in the community about scams. In 2005 the ACCC and these other agencies formed the Australasian Consumer Fraud Taskforce (ACFT) to co-ordinate this work.

Australian Communications and Media Authority

5.15               The Australian Communications and Media Authority (ACMA) is the federal agency responsible for the regulation of broadcasting, the internet, radio communications and telecommunications.[11]

5.16               ACMA researches cyber issues and delivers cyber-related education programs under the remit of the Online Content Scheme (OCS), established under the Broadcasting Services Act 1992, as well as reporting on matters affecting consumers or prospective consumers of carriage services under the ACMA Act 2005.[12] Under the OCS, the ACMA also receives and investigates complaints about prohibited online content and facilitates a co-regulatory approach with the internet industry by developing and enforcing industry codes of practice.[13]

5.17               The Authority’s educational services include the Cybersmart website, interactive shared learning programs offered in schools, Internet Safety Awareness presentations, DVDs and brochures. ACMA’s research into the use of online services led to the Digital Media Literacy Research program.[14]

Australian Federal Police

5.18               The Australian Federal Police (AFP) has a commitment to preventing online crime, considering that: ‘Cyber-safety requires a multi-faceted approach; law enforcement; policy and legislation; education and some level of user vigilance’.[15]

5.19               The AFP works in partnership with the A-G’s Department and other agencies to ‘evolve effective law, policy and practices to address cybercrime threats to Australia’s domestic and national security’. Its High Tech Crime Operations unit identifies emerging technology challenges for law enforcement and works to address these with domestic and foreign law enforcement agencies, governments, industry and academic partners.

5.20               The AFP has a strategic alliance with the Australia New Zealand Policing Advisory Agency (ANZPAA), works globally through its International Liaison Officer Network and also partners with State and Territory counterparts to combat cybercrime.

5.21               The AFP regards consumer education as important to prevent online crime. It has partnered with the Australian Seniors Computer Clubs Association (ASCCA) to deliver sessions to seniors on how they can protect their personal and financial information, secure online banking and wireless connections.[16]

Australian Securities and Investments Commission

5.22               The Australian Securities and Investments Commission (ASIC) has a statutory mandate to promote the confident and informed participation of investors and consumers in the financial system.[17]

5.23               As such, ASIC has a consumer protection role at a Federal level in relation to financial products and services. ASIC’s regulatory role covers financial services, disclosure requirements on financial products, enforcement on misleading or deceptive conduct cases, as well as the licensing and monitoring of licensed financial services providers.

5.24               ASIC also advances the National Financial Literacy Strategy and provides consumer information on its MoneySmart website. Senior Australians are represented on its Consumer Advisory Panel, which informs and directs ASIC’s consumer research and education projects.

5.25               The Commission is a member of the ACFT and also participates in Taskforce Galilee, the multi-agency, multi-jurisdiction taskforce, which works to address serious and organised investment frauds (SOIF).[18]

Australian Taxation Office

5.26               As Australia’s collector of tax revenue, the Australian Taxation Office (ATO) has extensive interaction with the community which, for the most part, readily complies with ATO requests. This level of compliance attracts cyber criminals who exploit the tax office brand to lend legitimacy to a range of scam activities such as ‘phishing’ scams.[19]

5.27               The ATO provides a 24 hour/seven day a week Security Incident Response (SIR) service with reporting, response and monitoring capability. The Security Analysis Toolkit (SAT), which manages and processes information and data, assists the SIR to identify anomalous activity, such as bogus websites purporting to be the ATO.

5.28               The ATO’s Vulnerability Management and Research (VMR) team refers advice to CERT Australia to initiate take-downs of scam sites. In incidents of identity theft, such as compromised use of a tax file number, the ATO follows up by contacting the individual, or a tax agent intermediary. Future abuse is prevented by issuing a new tax file number and transferring all data to it.[20]

5.29               The ATO also maintains an extensive community awareness and education campaign to alert people to evolving risks using media releases, its website, TV interviews and seminars. Consumer awareness material is also translated into multiple languages.[21]

Commonwealth Director of Public Prosecutions

5.30               The Commonwealth Director of Public Prosecutions (CDPP) was established as an independent prosecuting agency under the Director of Public Prosecutions Act 1983 (DPP Act) and began operations in 1984.[22]

5.31               The CDPP is responsible for prosecution of criminal offences against the laws of the Commonwealth, and conducts confiscation of the proceeds of crimes committed against the Commonwealth. The CDPP is within the portfolio of the Commonwealth A-G, but operates independently. State and Territory Directors of Public Prosecutions are responsible for the prosecution of alleged offences against State and Territory laws.[23]

Department of Broadband, Communications and the Digital Economy

5.32               As discussed in Chapter 4, the Department of Broadband, Communications and the Digital Economy (DBCDE) has charge of the consumer education and awareness programs for the Government’s Cybersafety Plan. The Department’s mandate is to improve awareness of cybersafety and cyber security risks among individuals and small and medium businesses in support of the Government’s National Digital Economy Strategy, as facilitated by the NBN at Digital Hubs.[24]

5.33               Another key mechanism carried by the DBCDE to improve the level of cybersafety awareness in the community is the cybersafety Stay Smart Online website which has links to the Cybersafety Help Button and the ACCC’s SCAMwatch site.[25]

5.34               In October 2012, DBCDE also took over joint responsibility for a rebranded Cyber White Paper with the Department of Prime Minister and Cabinet.[26]

Department of Families, Community Services, Housing and Indigenous Affairs

5.35               The Department of Families, Community Services, Housing and Indigenous Affairs (FaHCSIA) hosts the Broadband for Seniors initiative, the Government’s main computer support program for senior Australians. The initiative provides free access to computers and the internet, as well as training in basic computing skills.[27]

5.36               The Australian Government committed $25.4 million to Broadband for Seniors over seven years to 2015, which involves establishing 2 000 internet kiosks in community centres, libraries, retirement villages and clubs. The initiative is delivered by NEC Australia Pty Ltd in partnership with Adult Learning Australia, the Australian Senior Computer Clubs Association (ASCCA) and University of the Third Age Online.[28] Further details are in Chapter 4.

Department of Prime Minister and Cabinet

5.37               As already mentioned, responsibility for whole-of-government cyber security policy co‑ordination was transferred from the A-G’s Department to the Department of PM&C in late 2011.

5.38               Responsibility for the strategic leadership and co-ordination of cyber policy, including cyber security policy, within PM&C is carried by the National Security and International Policy Group (NSIPG) and led by the Cyber Policy Co-ordinator.

5.39               In June 2011, the Government announced that the NSIPG would prepare the Cyber White Paper, a whole-of-government cyber security strategy. The strategy would build on the Government’s 2008 Cybersafety Plan and its 2009 Cyber Security Strategy, the establishment of the Cyber Security Operations Centre (CSOC) and CERT Australia, and the Digital Economy Strategy.[29]

5.40               A discussion paper, Connecting with Confidence: Optimising Australia’s Digital Future, was launched for public comment in the second half of 2011, with the expectation that the Cyber White Paper would be released by mid‑2012.[30] However, in October 2012, the Prime Minister suggested that the Cyber White Paper should focus on the digital economy to cover the opportunities of cloud technology.[31]

5.41               The PM&C later advised that the new Digital Economy White Paper will be written by an inter-departmental taskforce, comprising staff from the PM&C and the DBCDE, with DBCDE as the lead agency. The taskforce would also draw on relevant expertise from other agencies.[32]

State and Territory consumer protection activities

5.42               As noted above, on 1 January 2011 the commencement of the Commonwealth Competition and Consumer Act 2010 introduced a single national Australian Consumer Law (ACL). The ACL replaced provisions set out in 20 existing national, State and Territory laws with a single national consumer law, creating a national enforcement regime with consistent enforcement powers for Australia’s consumer protection agencies.[33]

5.43               State and Territory consumer protection agencies administer and enforce the ACL jointly with the ACCC and ASIC.[34] At hearings, Directors of the Centre for Internet Safety (CIS) identified the Western Australia (WA) Government and the Queensland Police Service’s Fraud and Corporate Crime Group as national leaders in consumer awareness and protection activities.[35]

5.44               The CIS referred, for example, to the WA Department of Commerce’s promotion on YouTube of actual victim accounts of being scammed by mortgage schemes.[36] This work fits within the WA Government’s efforts to reduce the ‘shame’ of being a victim in order to promote awareness and reporting.[37]

5.45               Dr Cassandra Cross, Lecturer in Law at the Queensland University of Technology, detailed her extensive research sponsored by the Queensland Police and undertaken under a Churchill Fellowship in the United Kingdom (UK), Canada and the United States (US). This work informed the work of the Queensland Police, leading to a web‑based training package for seniors, implemented in Australia and New Zealand, and recommendations for a review of national cybercrime awareness campaigns to target high risk behaviours online.[38]

5.46               The Committee also heard from the South Australian Government which outlined initiatives undertaken by the Consumer and Business Division of the State’s A-G’s Department. These included the Department’s ‘Scam Alert’ page, somewhat similar to the ACCC’s SCAMwatch, and the Savvy Seniors guide which provides consumer rights advice and practical cybersafety tips in an easy to read format.[39]

Updating the law

5.47               Regulation of cybercrime in Australia is largely the preserve of the State and Territory jurisdictions, which carry substantive criminal offences for many forms of computer crime. Commonwealth law also contains a growing body of legislation relating to computer technology, in particular, telecommunications systems. These laws operate along with general criminal laws which affect cybercrime, including those for intellectual property rights, classification of publications, terrorism and national security.[40]

5.48               In addition to the introduction of national consumer protection law, recent amendments to the Crimes Act 1914 have given specific powers to the Commonwealth for the examination and seizure of computers. Cybercrime may also be investigated under the Commonwealth Telecommunications (Interception and Access) Act 1979, and controlled by undercover operations under the Crimes Act 1914.[41]

5.49               In late 2012, the Parliament enacted a number of important new amendments to national legislation to better co-ordinate international efforts to regulate and enforce against cybercrime and to protect personal data. These include:

International co-operation and law enforcement

5.50               The Cybercrime Legislation Amendment Bill 2011 amended the Mutual Assistance in Criminal Matters Act 1987, the Criminal Code Act 1995 and telecommunications law to implement the Council of Europe’s Convention on Cybercrime. The Bill passed into law on 12 September 2012 as the Cybercrime Legislation Amendment Act 2012.[42]

5.51               The Council of Europe’s Convention on Cybercrime is the first international treaty seeking to address cybercrime by harmonising national laws, improving investigative techniques and increasing co-operation among nations. It contains procedures to make investigations more efficient and provides systems to facilitate international co-operation, including by:

5.52               The Convention also contains a series of powers and procedures relating to accessing important evidence of cybercrimes, including by way of mutual assistance.[44]

5.53               Reforms to telecommunications legislation in support of the Convention have been controversial, in particular in relation to the accessing and retention of personal data.[45] These concerns were foreshadowed in the Committee’s Review of the Cybercrime Legislation Bill 2011, tabled in August 2011.[46]

Protection of personal information

5.54               The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amends the Privacy Act 1988 to implement the Government’s first stage response to the Australian Law Reform Commission’s (ALRC) 2008 report For Your Information: Australian Privacy Law and Practice.[47] The legislation was made into law on 12 December 2012 and will be fully implemented by 14 March 2014.[48]

5.55               The new amendments introduce major modifications to the Privacy Act to regulate how both public and private sector organisations collect, use and disclose personal information, including to:



5.56               The Australian Privacy Principles (APPs), which deal with the collection, storage, security, use, disclosure of and access to personal information, will put in place stricter rules about the transfer of such data overseas. These encourage Australian companies to require overseas recipients not to breach the principles. The APPs will also require a higher standard of protection for sensitive information such as health data.[50]

5.57               As noted, the Act is the first part of the Government’s response to the ALRC’s report, which contained 295 recommendations to improve privacy protection in Australia. One of these recommended the introduction of a data breach notification scheme, which was not addressed in the Act.[51]

5.58               Amendments introduced under the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 close various gaps in the operation of specific Commonwealth offences under the Criminal Code Act 1995 (Criminal Code).[52]

5.59               Under the identity crime reforms, the Act expands the scope of existing identity crime offences as well as enacting new offences for the use of a carriage service, such as a mobile phone or the internet, with the purpose of obtaining personal information to commit another offence. The legislation also criminalises the use of identity information with intent to commit a foreign offence. The Act provides for a penalty of five years imprisonment.[53]

5.60               This legislation responds to the Government’s National Identity Security Strategy (NISS), an agreement between Australian governments ratified in 2007. The NISS was reviewed in 2012, to ensure the Commonwealth can better respond to the impact of digital transactions using a mobile or the internet for identity documentation between the public and private sector.[54] The Act passed into law on 28 November 2012.[55]

Support for enhanced protections

5.61               Consumer awareness is important for the cybersafety of individuals and businesses. There was also recognition that more must be done to ensure cybercrime activities are disrupted. The Australian Crime Commission (ACC) advised:

The overarching solution for attacking cybercrime needs a framework that is similar to that of the public health care system, as it is a complex issue requiring a co-ordinated multi-dimensional approach.[56]

5.62               This includes having a flexible but robust framework of law which encourages compliance with cyber security requirements, and promotes sharing of information between government agencies on a national and on a global basis.

Cross-jurisdictional collaboration

5.63               Cybercrime crosses multiple jurisdictions and imposes challenges for regulators and enforcers which have been investigated in great depth in other reports.[57] In the context of this inquiry, the Committee has noted that Australia’s move to ratify the Convention on Cybercrime has highlighted some weaknesses in current protections for cybercrime victims, and hence for senior Australians, who are disproportionately affected.

5.64               Commenting on the regulatory amendments to support Australia’s accession to the Cybercrime Convention, the AFP and CIS commended changes to the Mutual Assistance in Criminal Matters Act 1987 (MACMA), which will support information sharing between Australian and foreign law enforcement agencies. Both organisations remarked on the cumbersome nature of the former arrangements, which were not suited to the online environment.[58]

5.65               The Committee also heard that the ‘borderless’ nature of crimes facilitated by the internet creates significant challenges for regulators and enforcers.

5.66               The ACC observed that cybercrime organisations may not commit crimes in the country where they are based, even while having heavy impacts in other jurisdictions. Even where Australian law enforcers work successfully with partners offshore, victims of these crimes have no tangible redress. In illustration of this, the ACC advised that no funds sent overseas to scammers have been recovered, despite the enormous losses recorded.[59]

5.67               The Australian Institute of Criminology (AIC) explained that small value, high volume frauds are harder for law enforcers to investigate, with smaller proceeds easier to launder across a number of jurisdictions.[60] The CIS, however, argued that the Government should deploy Australia’s strong extraterritorial powers in terms of search warrants for cybercrime, as used for international drug transactions.[61]

5.68               The Directors of CIS referred, by example, to successes over the last ten years in closing down Pacific ‘safe havens’, and identified a need to undertake cyber security capacity building in developing IT hot spots, such as the Pacific Islands and South East Asia.[62]

5.69               Asked about this at hearings, AFP representatives advised that the AFP currently delivers enforcer awareness training in the Pacific region under its Cyber Safety Pacifica program. The AFP also has an extensive International Liaison Officer network, operating in over 30 countries, with 100 officers active offshore.[63] Commander Glen McEwen reported in particular on the recent successes of Operation Lino, where the AFP, international, and State and Territory law enforcers disrupted a major foreign data theft network targeting Australia from Romania.[64]

5.70               Another suggestion was that government should be more proactive in strengthening regulations and enforcing existing domestic laws and requirements to protect consumers. For example, foreign-based companies providing online services in Australia should be obliged to comply with domestic obligations, and ISPs, banks and money transfer agencies could monitor for scamming and other activities.[65]

5.71               Dr Cross referred to a further impediment for cybercrime victims in Australia, the limited opportunity for legal or financial restitution offered for frauds under domestic laws:[66]

Victims of online fraud are excluded from all current victim initiatives within the criminal justice system, based solely on the type of offence which has been perpetrated against them. This directly contravenes many of the fundamental principles of justice which are argued to exist for victims of crime in Queensland.[67]

5.72               The AIC confirmed that, at a federal level, there is only voluntary reporting to the Privacy Commissioner or Ombudsman of fraud cases, and no requirement to report criminal offences except in some specific cases. As a consequence, reporting on fraud, including cyber-based fraud, is relatively low.[68] 

5.73               The AFP, however, reported positively on recent reforms to the Commonwealth Criminal Code, which afforded extensive powers to enforcers to address cybercrime.[69]

Mandatory reporting of data breaches

5.74               An area of strong agreement among cybercrime experts was the need for domestic legislation to require organisations to report and contain data breaches. There was, however, also recognition that this proposal raises questions about the market sensitivity of information, and related practical enforcement issues.

5.75               One of the recommendations made by the Australian Law Reform Commission’s review of the operation of the Privacy Act 1988 was for the introduction of a mandatory data breach notification scheme, to impose a legal requirement on entities to notify a victim and the relevant regulator about any breaches of personal information. In October 2012 the Government released a discussion paper on the proposal for privacy breach notification for public commentary by 23 November 2012.[70]

5.76               Submitters referred to data indicating the disparity between the very high level of losses and the low reportage of data breaches. Abacus-Australian Mutuals, for example, cited 2008 AIC research indicating that Australian small and medium businesses (SMEs) had estimated the cost of computer security incidents to their business at around $600 million, but only eight per cent of affected businesses had reported these breaches.[71] Other research indicated that 73 per cent of SMEs had experienced at least one data breach in 2010.[72]

5.77               The AIC confirmed that there are no current requirements for data breaches to be reported, being voluntary as for other crime reportage. The AIC representatives referred to the massive financial impacts on business of data theft and also the effects of accidental data loss on victims. Given the scale of current losses, and the potential market disincentives to report them, the AIC recommended a mandatory scheme.[73]

5.78               The CIS agreed that market disincentives to reportage require corrective action, advocating a ‘carrot-and-stick’ approach incorporating mandatory data breach notification:[74]

Our economy would be healthier if consumer confidence was based on a more transparent knowledge of the threat environment and of the security incidents that occur.[75]

5.79               Industry respondents maintained that market forces do compel attention to data protection but also acknowledged that the level of compliance is patchy. eBay and PayPal supported mandatory measures but emphasised they must not be a ‘one size fits all’ model, which may stifle small business, noting:

…the delivery of breach notifications must be consistent with the way each organisation regularly communicates, and notification needs to be actionable.[76]

5.80               The Australian Information Security Association (AISA), a peak body for information security professionals, reported that security of information is currently a low budget priority in most industries and asked for regulations like those for the payment card industry in the US. AISA also recommended that ‘any data breach notification scheme be part of a broader and “more responsive” regulatory approach supporting information security’.[77]

5.81               The Committee discusses other obligations and supports for industry’s increased security awareness in Chapter 6.

Secure government information systems — PCEHR

5.82               The anticipated release of the Government’s PCEHR system in July 2012 brought into focus fears about personal privacy and information security posed by centralised government databases. National Seniors Australia (NSA) told the Committee:

Privacy and security are ‘make or break’ issues for older Australians in relation to PCEHR. [It] will only be able to deliver the anticipated benefits for patients, healthcare providers and the healthcare system if all parties have a high level of trust and confidence in the entire system.[78]

5.83               Protections provided under the PCEHR legislation and amendments to the Privacy Act to support the system include:

5.84               The Department of Health and Ageing (DoHA) manages cyber risks under the PCEHR, along with Government funded tele-health initiatives including those under the NBN.[80] The National E-Health Transition Authority (NEHTA) is DoHA’s managing agent for the design and contract management for the PCEHR.[81]

Concerns about personal privacy—the audit trail

5.85               DoHA’s submission advised that ‘the design of the PCEHR system, and the legal framework provided by the proposed legislation, enables security and privacy breaches to be detected and prosecuted.’[82]

5.86               However, during the inquiry concerns were expressed about the privacy and security of senior Australians, given their relatively limited computer skills, and possible health or mental incapacity. In particular:

5.87               Departmental responses resolved a number of concerns about review mechanisms, and the internal probity and security of the PCEHR interface, which, NEHTA told the Committee, had attracted international interest for its innovative personal control features.[87]

5.88               However, at hearings in September 2012, the Consumers Health Forum of Australia (CHF) expressed concerns that the system as introduced did not address privacy requirements, particularly in the sharing of data between agencies and on individual access:

Some of the examples that we were given were things like people did not want their sexual history being accessible by their physiotherapist or their mental health history being accessible by their dentist, for instance. So the controls need to be very specific around which practitioners you are giving access to particular parts of your records to.[88]

5.89               The Committee notes that the introduction of the new APPs under amendments to the Privacy Act could require more secure handling of sensitive health information and may impact on current arrangements.

Data security for health service providers

5.90               Another concern related to the security of PCEHR records at medical practices and health services providers. City Clinic reported on the impact of information theft on a Sydney medical practice, and noted the lack of formal recourse for charging someone for information theft in Australia. This compares poorly with the US and UK which provide victim compensation and penalty of imprisonment for information theft.[89]

5.91               The NEHTA advised that the National Health and Security Access Framework will provide guidance to health care providers on information security, and the National Authentication Service for Health will ensure that e-Health transactions are private, traceable and conducted by known entities.[90]

5.92               DoHA explained that to participate in the NBN pilot program, service provider applicants will also be required to provide plans for emergency procedures, security, safety and confidentiality. Suitable patients for the trial must also be identified.[91]

5.93               The SA Government observed that all jurisdictions will need to ensure protections for the privacy and the security of personal information conveyed by the NBN. The submission also referred to the need for subsidised training for seniors to use the NBN safely and securely.[92]

5.94               The CHF welcomed proposals for data breach notification to improve protections for consumers.[93] The Committee has discussed legislative developments on the protection of personal information and data breaches for SMEs above.

Consumer awareness measures

5.95               As discussed in Chapter 3, it was recommended to the Committee that the Government’s consumer awareness campaigns for cybersafety should target risky behaviours that result in victimisation, rather than focus on the daunting number and range of risks. The Committee was told that for many seniors:

…a lack of knowledge creates a fear of the unknown and an awareness of the risks posed by online fraud tends to exaggerate this fear.[94]

5.96               Accordingly, submitters advocated for a combination of computer education and strong practical messages to inform seniors. Dr Cross’s research suggested that simple messages (such as ‘no one should send you an email asking for personal details’ and ‘you should be very wary if someone asks you to send money’) help consumers take control of the situation, and think through their online behaviour and its consequences.[95]

5.97               There was strong agreement that messages like these, succinct and clear, should headline any cybersafety advertising. There was also some support for a dedicated campaign targeting seniors.

5.98               The SA Government, for example, expressed concern that the Australian Government’s focus on cybersafety for the young and their parents, on the ACMA website and elsewhere, has left the needs of older people unaddressed.[96] The ACMA in its submission maintained that seniors are included as part of this extended family focus.[97]

5.99               DBCDE advised that it views cybersafety as a matter of behaviour rather than age, noting research has found that seniors, once skilled, are not more at-risk than other community sectors. Seniors’ internet access was, however, lower than other groups and hence the Department has new initiatives to help seniors go online.[98]

5.100           Life Activities Clubs Victoria Inc. (LACVI) agreed with this view of seniors but considered that a dedicated cybersafety awareness platform for older Australians is necessary to overturn negative associations and fears. This should be promulgated through online and traditional media, featuring advice about the benefits of going online safely together with the key safety messages.[99]

5.101           While others agreed that a traditional media campaign is important to reach offline seniors, there was nevertheless scepticism about relying too much on glossy booklets and publications. The NSA recommended circulating alerts, like those issued by the ACCC’s SCAMwatch, with key messages such as ‘the higher the return, the higher the risk’.[100]

5.102           Mrs Joyce Hocking (formerly Sheasby) recommended these messages be conveyed as 60 second advertisements on television ‘soapies’ and cookery shows, to reach the many seniors who are unskilled and isolated.[101] Legacy Australia supported the use of television, radio, and the print media to reach seniors.[102]

5.103           Stakeholders also wanted a more co-ordinated and streamlined approach to promote cybersafety awareness. The CIS, for example, recommended a universal and centrally managed national education and outreach program, considering the current approach to be ‘piecemeal’.[103]

5.104           The Communications Law Centre (CLC) emphasised that, in promotion of any campaign, ‘real world links’ are essential.[104] The Australian Library and Information Association (AISA) recommended taking a ‘lifelong learning approach’ to cybersafety and funding libraries to provide more services to seniors. There was strong support for this from other stakeholders with older clients.[105] In Chapter 4 the Committee recommended funding for libraries to provide seniors’ IT training and cyber education.

5.105           Evidence also suggests that cybersafety campaigns for seniors should be delivered with brevity, with alerts clearly headlined. It is also important to preserve a positive message in the promulgation of cybersafety warnings: as Mrs Hocking told the Committee, a little ‘fun’ in a campaign will retain seniors’ interest.[106] The barrage of information currently available is evidently confusing to seniors, and is acting as a deterrent to their adaptation to online activities.

5.106           The Committee has made recommendations in this report for a single clearinghouse or site for scam news, reporting and education, with telephone advice. One benefit of this will be to bring all cybersafety information—the plethora of scam alerts issued on the ACCC’s SCAMwatch, CERT Australia, ATO and Stay Smart Online websites—to a single accessible point.[107]

Recommendation 10

That Australian Government’s cyber awareness campaigns should headline clear and practical messages for cybersafety on the central reporting and awareness portal, and appear up front of all published cyber awareness material for the general community.

Central collection and analysis of data

5.107           During the inquiry, the Committee was referred to advances made in the UK, the US and Canada which have centralised internet fraud reporting with support services offered to senior victims.[108]

5.108           The Committee heard that a centralised reporting arrangement provides two major advantages: it is less confusing and bureaucratic so increases the rate of reportage; and it allows for collation of more reliable data about the actual impacts of cybercrime on different community segments.

5.109           The lack of reliable data on cybercrime was widely cited by stakeholders as an obstacle to the disruption of cybercrime and effective policy development for that purpose. Dr Cross advised on motivations for central reportage overseas:

…There was a shared belief amongst the UK, USA and Canadian agencies that the ultimate form of fraud prevention lies in the disruption of fraud activity, and it is this belief that should drive further work in this area.[109]

5.110           The ASIC confirmed that the low rate of self-reportage by Australians on cybercrime means that the Commission ‘has relatively limited information about the impact of online fraud affecting Australians and older Australians specifically’.[110] The Australian Institute of Crime (AIC) advised that the reportage of cybercrimes to different agencies makes it ‘difficult to assess impact and where it falls’.[111]

5.111           The AIC’s Dr Rick Brown explained that the consequence of disparate collection is a lack of consistency in studies being conducted by various agencies. He described the process as one of trying to compare ‘apples and pears’:

Part of the problem is the multiple points by which reports can be made…we have recently been looking at one area, identity misuse, and finding that there are wide differences just among federal agencies in the definitions that are used, the way that data is stored and so on. It makes it very difficult to get a handle on that as an area. It means we really have no monitoring basis for understanding how trends are changing, apart from the large-scale surveys that the ABS, for example, do on a sporadic basis.[112]

5.112           To rectify this, the CIS recommended that the reporting tab on the central cybercrime reporting portal should be designed both for ease of use and for efficient automated data matching. Mr MacGibbon suggested this could be achieved by tabulating no more than 20 or 30 questions specifically for each type of reported offence, under the basic formula of ‘the who, what, where, when, why and how of that particular type of offence’.[113]

5.113           The CIS and the CLC also emphasised that the definition of cybercrime for crime reportage must be broad, and not limited to malicious code, if the measure is to be effective.[114] The ACFT, which prepares annual surveys of computer use and the impact of cybercrime on consumers, observed:

With a more extensive understanding of who is victimised and why, more effective scam prevention measures can be enacted.[115]

5.114           The AIC advocated establishing a National Cyber Security Monitoring Program for this task, which the AIC would be well positioned to lead. This program would also conduct annual surveys to identify the extent and impact of cyber security incidents on individuals, businesses, organisations of national interest and government.[116]

5.115           The ACMA and DBCDE recognised the importance of having such data to inform their work. The ACMA stated that:

…limited availability of specific, credible and detailed research into online risks and threats unique to older Australians [inhibits] consideration of the best methods to manage these risks and the most appropriate channels to inform, educate and empower senior Australians’.[117]

5.116           The AFP observed:

Cyber-safety prevention and awareness raising campaigns need to be underpinned by sound research and longitudinal research however such research can take years. That is one of the challenges associated with requiring an evidence based approach to cyber‑safety that the AFP would like addressed.[118]

Recommendation 11

That the cybercrime reporting tab on the central reporting and awareness portal be designed for ease of access to users and to facilitate data collation and assessment. The system should be supported by simple online instructions and accessible to the visually and aurally impaired, and for print in hard copy.

Concluding comments

5.117           The Committee’s inquiry proceeds at a time of review and reform of Australia’s laws to meet an enormous growth in the use of electronic communications and information storage by governments and businesses. The commensurate crime developments impose new obligations on regulators to provide a framework of laws that are robust but flexible.

5.118           The Committee’s review in this chapter covers some key aspects of reform recently implemented, which also provide platforms for further reforms in the future. The Committee did not receive submissions to this inquiry from the key policy agencies managing these reforms—the Department of PM&C or the Attorney-General’s Department—nor from the ACCC, which manages SCAMwatch, the reportage site for fraud.

5.119           The task of this inquiry was to review the risks and threats to senior Australians, and many submitters made comment on what they saw as too incremental and piecemeal an approach to consumer protection.

5.120           The Committee also heard concerns about privacy under the PCEHR, and about the protection of data in private practices. These matters will warrant continual monitoring in the first phases of eHealth implementation. There may also be implications for review under the new AAPs and potential data breach legislation.

5.121           The Committee has made recommendations based on the evidence it has received and on the available statistical data which, in the Committee’s opinion, compels government to focus on the protections owed to vulnerable Australians. This means progressive review of relevant laws, as well as the communication of key cybersafety messages in a campaign targeting seniors, many of whom, like the young, are new to the internet.

5.122           The Committee believes that the compilation of accurate data to quantify and understand the actual threats and risks to which Australians aged 55 plus are exposed will be fundamental to any effective senior-targeted or community-wide campaign. The next chapter considers what role industry might take with government in this regard.
