More than two years before the data breach of Clive Palmer’s Trumpet of Patriots and United Australia parties, the federal government was warned that there was a significant risk to political parties – which are exempt from many data protection obligations – holding sensitive information on voters.
The ransomware attack on Trumpet of Patriots earlier this month was the first time Australians became aware of a major data breach of any political party. It only became public information because the party decided to report it. The attack also affected the United Australia party.
Supporters were told that data obtained in the attack could include email addresses, phone numbers, identity records, banking records, employment history, and other documents, but that the party was unsure of the amount of information compromised.
It is unclear whether Palmer’s political parties were required to publicly report the breaches at all.
Under the Australian Privacy Act, political parties are exempt from reporting on data breaches and many of the obligations under the act that govern how personal information must be handled.
The United Australia party was deregistered at the time of the attack, meaning the exemption it previously held may no longer apply, but the Office of the Australian Information Commissioner could not comment on whether that was the case.
Sign up: AU Breaking News email
A 2022 attorney general’s department report on privacy law reform highlighted that the broad political party exemption was a growing risk, as political parties potentially hold vast amounts of sensitive data including profiling on people to target in the electorate.
The report found “almost all” of the submissions to its inquiry said the exemption was not justifiable and should be narrowed or removed, and the inquiry heard there was “no clear reason why parties should not be accountable for keeping personal information secure”.
The policy thinktank Reset Australia warned in its submission that malicious actors could exploit the weaknesses in party security to interfere in democratic processes.
The attorney general’s department recommended a narrowing of the exemption for political parties, including requiring parties to protect personal information, take reasonable steps to destroy personal information when no longer needed and comply with the notifiable data breach scheme to report a breach when it happens.
Tom Sulston, head of policy at Digital Rights Watch, said the Trumpet of Patriots breach was a “clear demonstration that it is no longer acceptable for political parties to enjoy an exemption from Australia’s Privacy Act”.
“Political parties not only have privileged access to the electoral roll and thereby the personal information of all voters, but also, through their memberships and organising systems, data about our political beliefs and demographics,” he said.
The information obtained by parties was very valuable, he said, and could be dangerous for those who were profiled by the parties.
“Most political parties … do take seriously their responsibilities to look after our data: the federal government regularly distributes grants to parties to help them secure their systems,” he said.
“So the good news is that removing their exemption from the Privacy Act won’t actually cause them a huge amount of effort or trouble.”
Sulston said removing the exemption would ensure people were informed if their data was lost, and those people could then seek legal or financial remedies.
“That’s much more robust than relying on parties’ goodwill or desire to avoid bad publicity.”
after newsletter promotion
When the Albanese government responded to the Privacy Act review report in 2023, it agreed with many of the other recommendations in the report, but the political exemption recommendations were merely “noted”, and the first tranche of privacy changes passed in the last parliament did not include a change to the political exemption.
The privacy commissioner, Carly Kind, said it was worth assessing whether political parties should keep the exemption. “As the Australian community reels from successive breaches of their personal information, it is worth querying whether it is appropriate that political parties enjoy an exemption from privacy law,” she said.
“The exemption is not only out of step with community expectations, it is not reflective of the nature and scope of risks to Australians’ privacy in the digital era.”
Kind said the community wanted more, not less, privacy protection.
“With each new data breach we are reminded of the need for Australian organisations and agencies to continue to uplift their privacy and cybersecurity practices.”
Sulston said the government’s response to the attorney general’s deparment’s recommendations was “profoundly inadequate”.
“Reporting of breaches is a bare minimum that we should expect of organisations that hold our data,” he said. “The government should make good use of their majority to push through the second tranche of privacy reforms, and include removing the parties’ exemptions.”
The attorney general, Michelle Rowland, told Sky News on Sunday that a second tranche would focus on privacy in relation to online platforms like Google, Facebook and Instagram, stating Australians are “sick and tired of their personal information not only being exploited for benefit by third parties, but also the way in which that information is not being protected”.
A spokesperson for Rowland would not confirm whether changes to the political party exemption would feature in the second tranche of legislation.
“The government will continue work on a further tranche of reforms, to ensure Australia’s privacy laws are fit for purpose in the digital age,” they said.
Trumpet of Patriots was contacted for comment.