Push to scrap Australia privacy exemptions for political parties due to risk of data breaches
The Albanese government is being urged to scrap “concerning” exemptions given to political parties to use voter data, as part of a review of the federal election.
In the wake of last month’s massive Optus privacy breach, Digital Rights Watch Australia has warned that voter information kept by political parties – which is exempted from the Privacy Act – is at risk of a future damaging data breach.
The consumer group made the comments ina submission to a parliamentary inquiry into the 2022 election. They also warned that exempting political parties from the Spam Act and Do Not Call Register Act could facilitate “intrusive and sometimes harmful spam” during an election campaign and fuel “insidious” misinformation online that risks undermining democracy.
“Digital Rights Watch recognises the legitimate need for political parties to communicate and engage with voters, as well as the importance of freedom of political communication,” the submission states.
“It is reasonable and expected for political parties to collect and use personal information of voters for this purpose … however, these practices should be subject to the limitations and protections contained in those Acts to ensure that they are lawful, transparent and respectful.”
Political parties are able to access the electoral roll – which includes the name, address, date of birth and gender of each voter – and use this, along with any other personal information they may have collected, to send postal vote applications and political messaging.
Sign up to receive an email with the top stories from Guardian Australia every morning
The Digital Rights Watch submission said the use of technology to collect voter data increases “the scale and scope by which harm can be caused to everyday Australians through inappropriate or invasive collection, use and disclosure of their personal information”.
“These harms include invasions of privacy, voter manipulation, and misinformation and disinformation,” it states.
“This stands to weaken our democratic processes and undermine public trust. Without appropriate safeguards in place, unregulated access and use of Australians’ personal information creates a concerning gap in Australia’s approach to cybersecurity, putting not just individuals at risk, but also our digital security more broadly.”
The submission pointed to cyber-attacks on major political parties in 2019 which it said narrowly avoided a data breach that would have caused “unimaginable damage”.
It argues that by extending the Privacy Act to cover political parties, they would need to meet the requirements of the Australian privacy principles, which would reduce the possible consequence of any future data breach.
The principles would require political parties to do due diligence to ensure they are only collecting necessary personal information, as well as handling it in accordance with the protections offered by the act.
Principle 11 of the act requires entities to take active measures to ensure the security of personal information it holds and to actively consider whether it is permitted to retain personal information.
“Little has been done to address why and how political parties gather, retain and process data, including personal information,” the submission states.
“Without adequate digital security protections, political parties represent a weak spot in Australia’s cybersecurity ecosystem.”
The joint standing committee on electoral matters is examining all aspects of the conduct of the 2022 federal election. The government has said it intends to legislate spending caps and truth in political advertising laws after the inquiry has concluded.
The special minister of state, Don Farrell, will also take carriage of new laws to lower the political donation disclosure threshold to $1,000 and introduce real-time disclosures.
Australia’s privacy laws are also subject to a long-running review, with the attorney general, Mark Dreyfus, flagging the potential for reform before the end of the year following the Optus hack.
“We need to bring the privacy laws Australia has up to date to make them fit for purpose in the digital age,” Dreyfus said last month.