17 October 2019

Our reference: D2019/010579

Ms Deborah Anton
Interim National Data Commissioner
Department of Prime Minister and Cabinet
One National Circuit
Barton ACT 2600

Data Sharing and Release – Legislative Reforms Discussion Paper

Dear Ms Anton

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Office of the National Data Commissioner’s (ONDC) ‘Data Sharing and Release Legislative Reforms’ Discussion Paper (the Discussion Paper).

The Discussion Paper continues an important conversation around the future of data sharing in Australia, commenced in 2016 by the Productivity Commission’s report into Data Availability and Use,[1] and furthered by the ‘New Australian Government Data Sharing and Release Legislation’ Issues Paper in 2018[2] and the release of the Best Practice Guide to Applying Data Sharing Principles (the Data Sharing Principles Guide)in early 2019.[3]

The Discussion Paper is a further step in the development of proposed Data Sharing and Release (DS&R) legislation, which has the potential to significantly change the way the Australian Government manages the data it holds on behalf of the Australian community. Since 2018, the ONDC has refined the core policy positions, which has resulted in a more detailed data sharing framework.

The OAIC appreciates the broad and consultative approach the ONDC has taken in developing this proposal. This has included acknowledgement of, and response to, a number of the privacy concerns of stakeholders. The privacy safeguards in the DS&R framework, and clarification in the Discussion Paper about how the proposed DS&R legislation will interact with the existing privacy framework, are important inclusions.

Data held by the Australian Government is a valuable national resource that can yield significant benefits for the Australian people when handled appropriately, and in the public interest. The Government holds a large volume of data that is not derived from personal information, and the OAIC generally supports greater use and sharing of such data.[4]

However, the Australian Government also holds a vast quantity of data about its citizens that is ‘personal information’,[5] much of it collected on a compulsory basis to enable individuals to receive a service or benefit. Some of this data is sensitive – or can become sensitive when linked or matched with other data sets.

The Australian Government therefore has unique responsibilities when making decisions about how that data should be used or disclosed. It is important to ensure that there is a strong public interest case for a policy proposal that authorises the use and disclosure of personal information for purposes beyond those originally intended at the time of collection. Laws that authorise acts or practices that may otherwise breach privacy laws must be necessary, reasonable and proportionate to achieving a legitimate policy objective.

While the OAIC understands that agencies would not be compelled to use the proposed new DS&R arrangements, the framework has the potential to allow agencies to override existing use and disclosure provisions of the Privacy Act 1988 (Cth) (the Privacy Act) that apply to Commonwealth-held data, invoking the ‘required or authorised by law’ exception to Australian Privacy Principle (APP) 6 for Australian Government agencies. In addition to the baseline standards which apply by way of the Privacy Act and APPs, additional protections apply under agency-specific legislation, such as in the form of secrecy provisions.

The OAIC has previously submitted that in order to ensure any adjustments to these arrangements are reasonable, necessary and proportionate, it will be important to consider the evidence of why existing arrangements are no longer appropriate and how to ensure any new arrangements contain more appropriate privacy safeguards.[6] The OAIC notes that some examples have been provided on the potential benefits of data-sharing including: IP NOVA, Bureau of Meteorology real-time forecasts, and work conducted by the Victorian Agency for Health Information into cardiac outcomes.

In relation to privacy safeguards, the OAIC understands that the DS&R framework will comprise primary legislation (the DS&R legislation, including the Data Sharing Principles), subordinate legislation (including the Sensitive Data Code and Accreditation Rules), contractual and administrative arrangements (including Data Sharing Agreements), and other guidance and advice as issued from time-to-time by the ONDC. It will be important to ensure that these important privacy safeguards are consistent, clear and enforceable.

In this submission, the OAIC focuses on a number of key privacy safeguards that we recommend the ONDC consider further as it develops the proposed DS&R legislation and supporting framework.[7]

A clearly and narrowly defined purpose test

A key safeguard to minimise privacy impacts of the proposal will be to ensure that the scope and purpose of the authorising legislation is clearly and narrowly defined. The OAIC recognises the ONDC’s commitment to refine the purposes of data sharing to narrow the scope of the legislation taking community expectations about acceptable uses of government-held information into account.[8]

The Discussion Paper indicates that ‘the sharing must be reasonably necessary to inform government policy, programs or service delivery, or be in support of research and development’. Data Custodians will be required to apply this test as a gateway into the data sharing system. As such, the OAIC recommends that these three ‘purposes’ are clearly and narrowly defined in any DS&R legislation. A constrained purpose test will assist in ensuring that any subsequent impacts on individual privacy are reasonable, necessary and proportionate to achieving a legitimate policy objective with a strong public interest purpose. Additional consideration could be given to the purpose test through the Explanatory Memorandum, to clearly set out the rationale of the test, any operational limitations and provide examples as appropriate.

The OAIC also notes that the ONDC is still considering the use of public sector data for commercial purposes, which the ONDC acknowledges is a concern for stakeholders. The use of government held personal information for commercial purposes raises additional privacy impacts that would warrant a cautious and thorough consideration through a separate PIA and further public consultation, to ensure that community trust in the system is maintained.

The Privacy Act 1988 (Cth) standards

The Privacy Act contains important rights, obligations and enforcement mechanisms to protect the personal information provided to the Commonwealth agencies and private sector organisations that are subject to its jurisdiction. The OAIC considers that data safeguards and protections introduced by the DS&R legislation should at least be commensurate with those under the Privacy Act, which provides the basis for nationally consistent regulation of privacy and the handling of personal information.[9]

We note the ONDC’s proposed approach is to require that all entities handling personal information under the DS&R system are subject to the Privacy Act, or other laws that provide equivalent protections. In the Discussion Paper the ONDC noted that equivalent privacy protections would include: protections for personal information, access to redress mechanisms, monitoring and oversight by an appropriate regulator and data breach notification requirements.[10]

The OAIC welcomes further discussion with the ONDC about how these important objectives will be achieved through the DS&R legislation in order to ensure that the acts and practices of entities undertaken in connection with the data sharing system are subject to appropriate and consistent privacy protections under the DS&R framework.

The OAIC also suggests that new data handling requirements and obligations are aligned with the Privacy Act to the greatest extent possible. For example, if the DS&R framework creates a new data breach notification scheme for data that is not personal information, the OAIC recommends that the new scheme align as closely as possible to the Notifiable Data Breach scheme under the Privacy Act. Similarly, the OAIC supports additional clarity and alignment in relation to enforcement, cooperation and investigations where the ONDC, Commonwealth, State and Territory privacy frameworks have the potential to intersect.

In relation to the Discussion Paper’s proposed approach to accreditation, the OAIC supports embedding further privacy safeguards in the system through the accreditation mechanism. The OAIC supports the role that accreditation can play in ensuring that entities build privacy-by-design into their information handling practices at the outset of a project. The OAIC has experience of accreditation schemes that embed privacy protections through our work implementing the Consumer Data Right. Under that scheme, data recipients must be accredited by the ACCC and meet security requirements which have been developed in consultation with the OAIC. Australia has also committed to implementing APEC’s Cross Border Privacy Rules system, which is an enforceable certification scheme to facilitate the flow of personal information across borders. The EU’s General Data Protection Regulation also makes provision for certification.

The OAIC suggests that the ONDC considers other such privacy related accreditation schemes to ensure consistency and avoid fragmentation. To assist in meeting this objective, the OAIC recommends that the legislation include a requirement for the Minister to consult with the Australian Information Commissioner when making legislative rules about the privacy standards to be included in accreditation criteria.[11]

The OAIC suggests that these measures will assist to ensure consistency between the Privacy Act and DS&R framework, and will also provide clarity and simplicity for both the regulated community and regulators.

Further safeguards

The OAIC notes further important privacy safeguards – consent, data minimisation and de-identification – form part of the ‘Data Principle’ set out in the Data Sharing Principles Guide. The OAIC reiterates the view that data sharing should occur on a de-identified basis where possible, to minimise the privacy impacts of the scheme for individuals. Where it is not possible to use de-identified information, consideration should be given to whether it is reasonable and appropriate to seek consent.[12]

We note that the Discussion Paper says that consent will not be required in all instances of data sharing. We would welcome further clarity in the DS&R legislation about when consent will be required.

One focus of the Discussion Paper centres on the potential benefits that the introduction of the DS&R framework could bring to government service delivery. While acknowledging those potential benefits, the OAIC suggests that a consent-based model may be appropriate in relation to the proposed service delivery purpose. This would be in line with the objective of providing individuals with greater control over the handling of their personal information. We also encourage the ONDC to produce guidance on when consent would be appropriate in relation to the other purposes under the scheme, and how it should be sought.

The OAIC welcomes the opportunity to continue to work with the ONDC in relation to the matters raised in this submission.

Yours sincerely,

Angelene Falk

Australian Information Commissioner
Privacy Commissioner

23 October 2019

Footnotes

[1] Productivity Commission 2017, Data Availability and Use, Report No. 82, Canberra.

[2] Department of Prime Minister and Cabinet 2018, New Australian Government Data Sharing and Release Legislation: Issues Paper for Consultation, DPMC, Canberra.

[3] Office of the National Data Commissioner (Department of Prime Minister and Cabinet) 2019, Best Practice Guide to Applying Data Sharing Principles, DPMC, Canberra

[4] This is supported by s 3(3) of the Freedom of Information Act 1982 (Cth), which provides that an object of the Act is ‘to increase recognition that information held by the Government is to be managed for public purposes, and is a national resource.’

[5] ‘Personal information’ is defined by s 6 of the Privacy Act 1988 (Cth).

[6] Office of the Australian Information Commissioner 2018, New Australian Government Data Sharing and Release Legislation – Submission to the Department of Prime Minister and Cabinet, OAIC, Sydney.

[7] Under the Privacy Act, one function of the Australian Information Commissioner and Privacy Commissioner (the Commissioner) is to examine proposed enactments that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals (s28A(2)(a) of the Privacy Act). The Commissioner also has the function of ensuring that any adverse effects of a proposed enactment on the privacy of individuals are minimised (s 28A(2)(c) of the Privacy Act).

[8] See, for example, the OAIC’s Australian Community Attitudes to Privacy Survey 2017, which indicated that 86% of Australians considered a secondary use of their personal information (use for a purpose other than the original purpose it was provided for) to be a misuse of their personal information, but 46% of Australians were comfortable with government agencies using their personal details for research or policy-making purposes.

[9] Section 2A (c) of the Privacy Act 1988 (Cth).

[10] Department of the Prime Minister and Cabinet 2019, Data Sharing and Release: Legislative Reforms Discussion Paper, p 31.

[11] Examples of such a requirement can be found in legislation or proposed legislation such as s 53 of the Office of the National Intelligence Act 2018 (Cth), clause 7(5) of the Identity Matching Services Bill 2019, and clause 355-72 of the Treasury Laws Amendment (2019 Tax Integrity and Other Measures No. 1) Bill 2019, a proposed amendment to the Taxation Administration Act 1953 (Cth).

[12] Office of the Australian Information Commissioner 2018, New Australian Government Data Sharing and Release Legislation – Submission to the Department of Prime Minister and Cabinet, OAIC, Sydney.