Who gets to use public sector data, for what purposes, and under what conditions? Whose data is it anyway?
That is the debate at the heart of a proposal now being put forward by the Australian Government, in its exposure draft of the Data Availability and Transparency (DAT) Bill.
If it becomes law, the DAT Bill will dramatically overturn more than 30 years of privacy jurisprudence, which currently limits when personal information about you or me can be disclosed by Australian Government agencies. The past few decades of privacy law and policy was all kicked off in the 1980’s with immense public opposition to the Australia Card proposal, which would have facilitated – you guessed it – loads more data-sharing by and between government agencies.
So why the change? And why now, when community concern about privacy, and levels of discomfort about data-sharing in particular, are rising?
This blog will unpack the DAT Bill proposal for you and explain some of the privacy impacts as we see them. (Oh, and along the way we will encourage you to make a submission if you’re not happy about the idea.)
Where has the DAT Bill come from?
The DAT Bill is the latest stage in a process which began with a 2016 Productivity Commission public inquiry and report on Data Availability and Use, which had the lofty aim to “unlock the full potential of public sector data in Australia”. (You can read about the experience of our Principal, Anna Johnston, appearing before the Productivity Commission here.)
The Productivity Commission suggested that Australia is missing out on unknown opportunities due to the untapped potential of data. At the centre of the recommendations was the creation of the then-called Data Sharing and Release Act, as well as a National Data Commissioner to oversee the new scheme.
In 2018 we saw the first iteration of proposed legislation in an Issues Paper on the proposed ‘Data Sharing and Release’ Bill. You can read the submission Salinger Privacy provided along with other privacy professionals here, but suffice to say – we were not happy.
The 2020 DAT Bill is the most recent version of the proposal. Gone is the tech-bro fantasy of unlocking the value of big data, and in its place is a more prosaic aim to “deliver better, more seamless services to the public” and “planning for the future based on the best available information.”
What does the proposed data sharing scheme look like?
The first thing to understand about the DAT Bill, is that the entire data sharing scheme it would implement is a carve out from Australian Privacy Principle 6 (APP 6), which governs how personal information can be used and disclosed. In doing so, the DAT Bill represents a fundamental and significant change to the way information privacy is understood and implemented in Australia.
In the current landscape, if an organisation is covered by the Privacy Act 1988, and it wishes to share the personal information it holds with another organisation, APP 6 allows disclosure on only a few grounds. One ground is for a directly related secondary purpose, another is with consent, and another is if another law specifically authorises it. Otherwise, you need to find a suitable exemption, such as for ethically approved research in the public interest. So for Australian Government agencies which hold our personal information, there are ways to share it – but subject to some limitations and protections. They can’t just go ahead and give it to another organisation because it seems like a good idea.
Enter: the DAT Bill.
The proposed data sharing scheme would enable broad disclosures of public sector data, including personal information, by providing an overarching “alternative authority” to share. This side steps APP 6, and overrides most of the secrecy provisions and non-disclosure prohibitions that have been established over decades of law-making.
This also disregards community expectations around privacy. Don’t just take our word for it: research conducted for the Office of the Australian Information Commissioner found that 9 out of 10 Australians want more control over their personal information, not less. And 70% of Australians expressed discomfort with the idea of their personal information, held by government agencies, being shared with the private sector.
The nuts and bolts of the scheme
Under the proposed data sharing scheme, the public sector agencies which hold the information (‘data custodians’) are able to disclose public sector data, provided that the recipient of the data is an ‘accredited user’. Organisations only need to seek accreditation once in order to access data many times, from many data custodians. The Accreditation Framework is important as it is the entry point into the scheme and determines who gets access to public sector data.
In this sense, the DAT Bill proposes a loosely controlled environment for sharing: you have to be in the club before you get the benefits. The scheme, at this stage, does not include release of public sector data to the public at large, aka ‘open data’.
In order to become accredited by the National Data Commissioner, an entity needs to demonstrate capacity in three broad areas: governance and administrative frameworks, security and privacy of data, and technical skills and capacity.
Once you’re in the scheme, public sector data, including personal information, can be shared for “permitted purposes”, which are:
- Delivery of government services
- To inform government policy and programs, and
- Research and development
There are also “precluded purposes” which are not authorised by the Bill, such as law enforcement, compliance, assurance and national security purposes.
But let’s face it: the three permitted purposes are already broad enough to drive a truck through.
There seems a certain kind of naivety involved in this formula: if the law says that data-sharing can only be used for the ‘good’ purposes, then it will only be used for good, right? This wishful thinking reminds me of the tech-bro protagonists of The Social Dilemma, who line up to wash their hands of their own moral responsibility for the various ills wrought by Big Tech with ‘we weren’t expecting any of the bad stuff, who could have predicted that?’ (The answer, of course, was a diverse array of privacy advocates, ethicists, historians and philosophers who did predict it, but were ignored in the ‘move fast and break things’ rush for growth and profits.)
The safeguards
Once in the scheme, in order to share data there are five data sharing principles to consider. These have been adapted from the Five Safes Framework and are:
- Project: data is shared for an appropriate project/program that includes consideration of the public interest, ethics, and privacy
- People: data is made available only to appropriate persons who have the right training and skills
- Setting: data is shared in an appropriately controlled environment
- Data: appropriate protections are applied to the data – including data minimisation principle
- Outputs: are as agreed, and appropriate for future use
But that’s about it for safeguards, folks. There is no requirement that personal information be de-identified first. (De-identification is mentioned as a privacy-enhancing measure, but we know it’s not infallible as a privacy risk control.) And there is no requirement for independent ethical review which might otherwise be required to attest that no privacy harm (or other downstream impacts, especially for vulnerable populations) will arise from sharing the data. No requirement that the results of the data-sharing must benefit the public overall, rather than private interests.
And the scheme is not limited to government agencies only sharing with other government agencies. ‘Accredited users’ can be other government agencies at all levels, as well as industry, research bodies and the private sector more broadly. The proposed scheme also plays with the idea that entities could potentially pay a fee in order to become accredited and enter the scheme.
By our reading, this means a private sector company could buy a ticket into the data club, jump through a couple of hoops, and then turn a profit off research they conduct using the personal information of Australians collected by the government. If your ethical alarm bells aren’t ringing yet, they should be, because this starts to look alarmingly like the ability for companies to pay for access to public sector data, which would be an egregious breach of community trust.
What does this mean for privacy?
When we as individuals share our personal information with government, it’s generally because we have to. Government agencies typically collect our personal information because they can compel us by law (e.g. we must file our tax returns), or because we want or need to access some kind of government service (e.g. get a passport, or claim social security benefits, childcare rebates, or NDIS assistance). This means that there aren’t many opportunities for us as citizens to opt-out of public sector data collection and use. Also, the nature of personal information we need to provide to government, in order to receive services, can be quite intrusive into our private lives.
We shouldn’t even think about this as ‘public sector data’. It is personal information about us, held by government agencies, in order to run government programs and services for our benefit. They are merely custodians of our data.
The default position should be – and has been, until now – that any disclosure of our personal information should only occur in very limited circumstances. Right now, APP 6 offers a balancing act between protecting the privacy of individuals, and allowing for other activities in the public interest. The DAT Bill will overturn that delicate balance.
The DAT Bill takes a framework that was designed to control for one very particular type of privacy risk – namely re-identification risk from the release of de-identified datasets, such as when the ABS releases data built from Census forms – and elevates it as the primary means by which to judge whether a disclosure should occur in the first place. That is not what the Five Safes Framework was designed for. Determining whether a disclosure should occur in the first place requires a delicate balancing of competing public interests – which, by the way, the Privacy Act, and secrecy provisions built into various pieces of legislation, have been doing for more than 30 years.
And if you are harmed as a result of the disclosure of your personal information under this new scheme? Too bad. While in theory your right to complain to the OAIC will still exist, in practice you will have no legal ground about which to complain, because the disclosure will have been authorised under APP 6 by this new law.
Contrary to community expectations – and the Government themselves?
As mentioned earlier, the proposed scheme flies in the face of the expectations of majority of Australians. Since the Productivity Commission’s initial recommendations were made in 2016, we have seen the tide turn against data-sharing, and in favour of more privacy protections rather than less. There has been an undeniable shift in public consciousness and care about privacy. The Cambridge Analytica revelations and on-going Facebook scandals, the ACCC’s Digital Platforms Inquiry, CensusFail, RoboDebt, re-identification attacks and data breaches too numerous to mention have all added up to public demands for better privacy protections from government.
In recognition of this, the Australian Government has recently committed to a review of the Privacy Act, and to bringing forward amendments in 2021 to strengthen the Privacy Act and bring it into line with community expectations and global best practice.
Yet this DAT Bill, to undercut the existing level of protection in the Privacy Act, is being proposed by the same government, at the very same time. You have to wonder if perhaps the left hand doesn’t know what the right hand is doing.
So how to resolve the data-sharing dilemma?
The prospect of enabling widespread disclosure of our personal information by government, without much more than the Five Safes Framework as a protection, rings huge alarm bells. Overriding existing legal protections is a naïve, blunt and reckless approach to improving the mechanics of data-sharing.
In our view, a better approach would be to reform and strengthen the Privacy Act to meet community expectations and technological advances, while also better enabling ethically approved research in the public interest. (The research exemptions at sections 95 and 95A in particular need dragging into the 21st century.) This should be done before trying to implement the DAT Bill, or else personal information should be removed from the DAT Bill’s scope altogether.
UPDATED NOVEMBER 2020:
The National Data Commissioner is accepting submissions until November 6.
Salinger Privacy worked with colleagues in the privacy profession on a submission, which is now available here.
Photograph © Shutterstock