23 August 2018

Our reference: D2018/007934

Ms Deborah Anton
Interim National Data Commissioner
Department of Prime Minister and Cabinet
One National Circuit
Barton ACT 2600

New Australian Government Data Sharing and Release Legislation – Issues paper for consultation

Dear Ms Anton,

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Department’s Issues Paper for consultation on the ‘New Australian Government Data Sharing and Release Legislation’ (Issues Paper).

The Issues Paper sets out a broad vision for the proposed Data Sharing and Release (DS&R) legislation, which has the potential to result in a significant change to the way the Australian Government manages the data it holds on behalf of the Australian community. It is appropriate, given this broad vision, that the Issues Paper initiates an important public discussion about the future of data governance in Australia. It is also important that opportunities for the Australian community to be informed of the intent of the proposal continue, and, as is proposed, the views of the community are considered in the development of any legislation.

Overview

The OAIC has long recognised the inherent value and potential of government-held data. An object of the Freedom of Information Act 1982 (Cth) is to increase recognition that information held by the Government is to be managed for public purposes, and is a national resource. Government holds a great deal of data that is not derived from personal information, and the OAIC supports the greater use and sharing of such data.

However, the Australian Government also holds a vast wealth of data that is personal information about its citizens, which when linked together, can paint a rich and detailed picture of who we are as individuals.[1] As such data is usually collected on a compulsory basis (as authorised or required by law), with individuals having little choice or control over whether to provide it, the Australian Government carries a unique responsibility when making decisions about how it should be used and disclosed.

It is particularly important then, for any policy proposals which would use and disclose personal information for purposes beyond those originally intended at the time of collection, to have a strong public interest purpose and minimise any privacy impacts. Further, the social licence and level of community support for data sharing activities under a new scheme will need to be considered carefully throughout the design and implementation of the scheme. Ensuring that the privacy impacts of the scheme are minimised will help to build this social licence and trust.

By way of overall comment, the OAIC welcomes the Issues Paper’s commitment to privacy, including the commitment of the National Data Commissioner (NDC) to work with the OAIC to ensure an appropriate level of privacy protection, and the commitment to conducting a Privacy Impact Assessment (PIA) as a tool to identify privacy risks and mitigation strategies. We recommend that an iterative approach is taken to the PIA process. For example, when the framework is further developed, the PIA should be subject to additional public consultation, to test whether the proposed framework is acceptable to and supported by the community.

The OAIC also acknowledges that the proposal provides an opportunity to create additional safeguards and increase the integrity of the data system. For example, the publication of data sharing agreements may assist in increasing transparency and accountability. Further, the application of a consistent approach to risk management aligns with the objective of the Australian Government Agencies Privacy Code. The use of Accredited Data Authorities and the development of a trusted user model also have the potential to enhance data governance and mitigate privacy risks.

Role of the OAIC in the development of legislation which impacts on privacy

Under the Privacy Act 1988 (Cth) (Privacy Act) one function of the Australian Information Commissioner and Privacy Commissioner (the Commissioner) is to examine proposed enactments that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals.[2] The Commissioner also has the function of ensuring that any adverse effects of a proposed enactment on the privacy of individuals are minimised.[3]

The OAIC recognises that the right to privacy is not absolute and in some circumstances, may be subject to limitations where there is a compelling public interest reason to do so. This is reflected in the objects section of the Privacy Act, which recognises the need to balance the right to privacy with the interests of entities in carrying out their functions and activities.[4] In line with this, when considering legislative initiatives that may impact on privacy, the OAIC considers that agencies should ensure that any impacts of the legislation on individual privacy are reasonable, necessary and proportionate to achieving a legitimate policy objective. In accordance with these functions, the OAIC offers the following comments on the Issues Paper.

Key recommendations – Securing informed community confidence

To ensure that the DS&R Bill represents a reasonable, necessary and proportionate approach, it should address a specific and clearly defined problem. The Issues Paper does identify the policy goals of the legislative project at a high-level, being the need to maximise the value of data, streamline data governance arrangements, overcome legislative complexity and break down the cultural reluctance to share data. However, the OAIC considers that the case for large scale legislative reform should be further supported by reference to specific evidence or case studies, which set out the specific problem or problems that the legislation aims to address.[5]

The OAIC would also caution that there are risks associated with adopting a single schema to apply to a broad range of data governance arrangements. This is particularly so where any planned data activities would use identifiable data, and have a direct impact on the lives of citizens, such as compliance or administrative action activities. These activities raise a range of complex policy issues, which often vary depending on the specific context/type of data involved and to date have warranted consideration on a case-by-case basis. The key risk is that such an approach may result in legislation which expands the ability of agencies to use and disclose information in a way which is too broad, resulting in privacy impacts that may not be reasonable, necessary and proportionate to achieving a legitimate policy objective.

In line with the above, the OAIC would recommend that:

  1. Data sharing should occur on a de-identified basis wherever possible, to minimise the privacy impacts of the scheme for individuals.
  2. The scope and purpose of the DS&R Bill should be defined as clearly and narrowly as possible in order to minimise the impact on privacy. In particular, the pre-approved ‘uses’ that data can be put to, should be restricted to those which are in the public interest, and enjoy strong community support. For example, research in the public interest, or for the purpose of informing or improving the development of Australian Government policy.
  3. The existing privacy protections for Commonwealth-held data should be maintained as far as possible, including the preservation of the OAIC’s regulatory remit as the national, independent privacy regulator. This will help ensure accountability, and also avoid duplication, inconsistency and regulatory burden. The standards set out in the Privacy Act should remain the baseline, and any new arrangements under the DS&R Bill should be developed in a way that ensures consistency with the existing regulatory requirements under the Privacy Act.

Some additional general observations are outlined below to assist during further development of the project.

Further general observations

Overlap with the Privacy Act and the OAIC’s role as independent regulator of the handling of personal information

The OAIC welcomes the commitment to the NDC working together with the OAIC. However, further clarity is required on how the NDC’s role will interact with that of the OAIC.

For example, the Issues Paper indicates that the Office of the National Data Commissioner will work with the OAIC on ‘a range of key topics including data management, de-identification, data security, data breaches, the general handling of personal information and information management’ (page 21). The OAIC has current guidance on all of these topics – for example, on the meaning of ‘personal information’, which is central to the operation of the Privacy Act and OAIC’s regulatory approach – and it will therefore be important to ensure a consistent approach between the DS&R Bill and Privacy Act to ensure that regulated entities are clear on their obligations, and to avoid overlap or duplication and promote regulatory certainty.

Other data sharing models may provide useful insight when designing the DS&R Bill

As acknowledged in the Issues Paper, there are a number of other legislative data sharing models operating across other Australian (and international) jurisdictions, all in the early stages of implementation.[6] The OAIC notes that these models are narrowly drafted, and generally restrict the purposes for which data may be shared to those which may inform government policy making, service planning and design.[7] They also generally provide that, unless otherwise expressly provided for, the relevant legislation does not override other relevant obligations, and in particular privacy or data protection legislation.[8] The OAIC would recommend that the Department consider the design of these schemes as part of its design and implementation of the DS&R Bill.

Existing arrangements should be carefully evaluated to ensure the right balance is struck between access to data and the impact on right to privacy

While the OAIC understands that agencies would not be compelled to use the new DS&R arrangements, the framework has the potential to allow agencies to override existing use and disclosure provisions that apply to Commonwealth-held data under Australian legislation, effectively amounting to a ‘required or authorised by law’ exception to Australian Privacy Principle (APP) 6 for Australian Government agencies.[9] In addition to the baseline standards which apply by way of the Privacy Act and APPs, additional protections apply under agency-specific legislation, for example in the form of secrecy provisions. While the current legislative landscape presents some complexity, it is important to remember that these existing safeguards have often been carefully calibrated over time to reflect the sensitivities of the type of information in question, as well as community expectations.

To ensure any adjustments to these arrangements are reasonable, necessary and proportionate, it will be important to consider the evidence of why existing arrangements are no longer appropriate and how to ensure any new arrangements contain more appropriate safeguards.

Building a social licence for greater data use and sharing

The OAIC’s Australian Community Attitudes to Privacy Survey 2017 highlighted that some in the community may be uncomfortable with secondary uses of information, but that people are more likely to support data sharing for some purposes than others. For example:

  • 86% of Australians considered a secondary use of their personal information (use for a purpose other than the original purpose it was provided for) to be a misuse of their personal information.
  • 87% of Australians considered that if a third party organisation obtains their personal information, but they have never dealt with that entity before, this is a misuse of their personal information.
  • Only 34% of Australians were comfortable with a government agency sharing their personal information with another government agency.
  • However, 46% of Australians were comfortable with government agencies using their personal details for research or policy-making purposes. 40% were not comfortable, and the remaining 14% were unsure.

These figures suggest that there is still some work for the Australian Government to do to build an informed community confidence in government’s planned secondary uses of personal information, and are supported by the findings of other organisations on related matters.[10] The OAIC would also note the recent community debate in relation to the secondary uses of data collected for the purposes of the My Health Record system. This debate demonstrated that there is some community concern about the extent to which Australian Government agencies should be able to access sensitive health data for non-medical, secondary purposes, and in particular access by third parties for purposes related to law enforcement such as the protection of the public revenue. The community also sought assurances that health information would not be used for commercial purposes.

Unlike some other secondary uses of data, such as research using de-identified information,[11] the use of data for compliance purposes can have a direct impact on individuals’ rights and obligations. Further, compliance activities also raise a number of complex matters for consideration, such as the importance of ensuring that any data used to make decisions about an individual’s rights and obligations is accurate and up to date, and broader issues of how to ensure procedural fairness when engaging in such activities. The OAIC considers that such purposes raise additional privacy issues, and therefore construing the purpose more narrowly will minimise the privacy impacts of the proposal.

The DS&R Bill and the public release of de-identified data

The Issues Paper states that data may be released publicly where appropriately de-identified. There is significant complexity and risk involved with the publication of unit record level data derived from personal information.[12] This is also acknowledged in the Australian Government’s existing policy document on the matter, Release of process for publishing sensitive unit record level public data as open data.[13]

The OAIC’s view is that open data environments are generally only appropriate for information that is either not derived from personal information, or information that has been through an extremely robust de-identification process (inevitably focussed on data treatment, rather than the use of controls and safeguards in the data access environment) that ensures – with a very high degree of confidence – that no individuals are reasonably identifiable.[14] Flowing on from this, it is important to be aware that while some personal information may be able to be sufficiently de-identified to enable public release, it is unlikely that the utility of that data would be able to be preserved for a number of high-value uses (such as research). Accordingly, the OAIC supports the Issues Paper’s consideration of an alternate release mechanism via controlled environments.

The OAIC is available to discuss any of these issues further and looks forward to working constructively with the interim National Data Commissioner’s Office.

Yours sincerely,

Angelene Falk
Australian Information Commissioner
Privacy Commissioner

23 August 2018

Footnotes

[1] For example, data is collected as part of the Census, through the management of the social security, taxation and immigration systems, and through the provision of healthcare.

[2] Section 28A (2)(a) of the Privacy Act.

[3] Section 28A (2)(c) of the Privacy Act.

[4] See s 2A (b) of the Privacy Act.

[5] Noting that the Productivity Commission’s Data Availability and Use Inquiry Report dealt with a very wide range of matters, it would be useful to identify any specific case studies or matters dealt with in that report which the DS&R Bill seeks to address.

[6] See eg the Data Sharing Act 2017 (Vic), the Data Sharing (Government Sector) Act 2015 (NSW), and the Public Sector (Data Sharing) Act 2016 (SA).

[7] See s 5 of the Data Sharing Act 2017 (Vic), ss 6 and 7 of the Data Sharing (Government Sector) Act 2015 (NSW), and s 8 of the Public Sector (Data Sharing) Act 2016 (SA).

[8] See s 24 of the Data Sharing Act 2017 (Vic), s 5 of the Data Sharing (Government Sector) Act 2015 (NSW), and s 5 of the Public Sector (Data Sharing) Act 2016 (SA).

[9] See APP 6.2(b).

[10] See eg the Consumer Policy Research Centre’s recent report, Consumer data and the digital economy – emerging issues in data collection, use and sharing (available on the CPRC’s website, at: http://cprc.org.au/2018/07/15/report-consumer-data-digital-economy/), Deloitte’s Australian Privacy Index 2018 (available on Deloitte’s website, at: https://www2.deloitte.com/au/en/pages/risk/articles/deloitte-australian-privacy-index.html), and EY Sweeney’s Digital Australia: State of the Nation (2017 Edition) (available at: https://digitalaustralia.ey.com/).

[11] Evidence suggests many in the community would support this. See above figures which suggest that 46% of Australians are comfortable with secondary use of their data for research purposes.

[12] When considering whether and how to de-identify information for public release, data custodians need to be aware that if information is made publicly available, control is effectively lost over the dataset at that point. In future, new and more detailed data may become available that could be matched with this data, leading to potential re-identification. Further technological advances will also be made, which could in turn increase the likelihood that information could be re-identified.

[13] Available on the PMC website: https://blog.data.gov.au/news-media/blog/publishing-sensitive-unit-record-level-public-data.

[14] Aggregated data may meet this description. For more information on this, see, for example, the OAIC and CSIRO/Data61’s De-identification decision-making framework and the OAIC’s guidance on De-identification and the Privacy Act.