Privacy Commissioner wants more protections for individuals in Data Availability Bill
The Australian Information Commissioner and Privacy Commissioner’s office, the OAIC, has asked for the inclusion of additional privacy measures in the Bill that would allow the sharing of data held by government.
The data reforms presented in the Data Availability and Transparency Bill 2020 are touted by Minister for Government Services Stuart Robert as being an opportunity to establish a new framework that is able to proactively assist in designing better services and policies.
The Bill and the Data Availability and Transparency (Consequential Amendments) Bill were both introduced to Parliament in December, after two years of consultation.
“Proposals to share data containing personal information will necessarily carry certain privacy risks, including the loss of control by individuals and the potential for mishandling of personal information,” the OAIC said in its submission [PDF] to the Senate Finance and Public Administration Committee currently probing the two Bills.
“Privacy risks can be heightened in relation to government-held personal information, which is often collected on a compulsory basis to enable individuals to receive a service or benefit or is otherwise required by law.”
The submission raised concerns that such data is often sensitive or can become sensitive when it is linked with other government datasets.
It has therefore recommended the inclusion of additional privacy measures that would provide further protections for individuals and clarity for data scheme entities about their privacy obligations.
“The OAIC considers that these additional measures are necessary to ensure the proportionality of the scheme and to achieve the trust and confidence of the community, which is vital to the success of the DAT scheme,” it wrote.
In a discussion paper in September 2019, the federal government tweaked what it proposed the year prior by removing a fundamental element of privacy — consent.
The government’s position on consent has since become more nuanced, with the Bill currently stating that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable.
“While the OAIC acknowledges the important privacy safeguards that have been included in the DAT Bill, there are other key privacy protective measures that should be included to further mitigate the risks posed by sharing personal information,” the OAIC said.
Additionally, the OAIC is concerned about the proposed exemption of scheme data from the Freedom of Information Act, which the OAIC considers runs counter to the objects of both the FOI Act and the Data Availability and Transparency Bill.
It said this would effectively exempt any data that government agencies share with each other through the scheme.
“The OAIC is concerned that the proposal is unnecessarily broad and risks misalignment with the objects of the FOI Act to provide a fundamental legal right to access to documents,” the submission continued. “The OAIC is also concerned that this proposal reduces the information access rights of individuals, impacting on their ability to seek access to their own personal information and understand how agencies are using this information.”
As a result, the OAIC recommended that the proposed consequential amendment to the FOI Act be removed, and that data shared by agencies under the scheme remain subject to the usual FOI processes and potential exemptions under the FOI Act.
Elsewhere, the OAIC recommended that all accredited users, including Commonwealth bodies, be subject to the same accreditation processes and criteria as other entities seeking to become accredited under the Data Availability and Transparency scheme.
Further, the OAIC has asked for definitions in the Bill to be consistent with those in the Privacy Act 1988, for example, the definition of “de-identified”. It also recommended that additional protections be included in the Data Availability and Transparency Bill to ensure that the “exit mechanism” minimises the risk to individuals’ privacy and is only used in specific and confined circumstances.
Digital Rights Watch is similarly concerned that the Bill is moving ahead in parallel to the review of the Privacy Act, which the Attorney-General’s office is currently heading. In its submission [PDF] to the committee, the organisation said as the draft text stands, the Bill “threatens to further erode the limited protections enshrined in the existing Privacy Act”.
“The Bill would make it easier for government agencies to share data containing personal information with each other, allowing any government entity to access any and all the information the government holds about an individual,” it explained.
“The draft also permits the government to share data with accredited third parties and researchers. In absolute terms, the Bill almost constitutes an amendment of the Australian Privacy Principle 6 by redefining and altogether eliminating the limitations and protections the principle currently imposes on the data custodians.”
Digital Rights Watch has also asked that the Bill restrict the access of accredited parties from the proposed single-application full access system; define consent in line with international standards, with that presented under the GDPR as one example; and maintain liability for data breaches, while also ensuring a resolution mechanism for individuals who may want to seek redress if their data and privacy are compromised through the scheme.
Also making a submission [PDF] was the Australian Privacy Foundation (APF), which considers that the Bill possesses weak legitimacy, erodes trust, and provides uncertain benefits alongside a history of underperformance.
“The foundations of the proposed regime are weak, the superstructure is weaker,” APF wrote.
“The proposed regime does not provide the necessary ‘strong privacy and security foundations’. Instead it embodies values of bureaucratic convenience that are antithetical to strong privacy protection.”