15 July 2022

Introduction

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Department of Prime Minister and Cabinet’s (the Department) Australian Data Strategy (the Strategy).

2 The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).

3 We welcome the Strategy’s focus on aligning with the range of existing legislation, strategies, policies, and reviews which regulate the use of data and the protection of personal information. The Strategy broadly intersects with the OAIC’s existing regulatory role and responsibilities under several laws and whole-of-government initiatives, including the Privacy Act (and its ongoing review), the FOI Act, the Consumer Data Right, the Data Availability and Transparency Act 2022, the Australian Cyber Security Strategy, the National Data Security Action Plan, and the Digital Identity scheme.

4 Promoting and upholding privacy, information access rights and supporting the proactive release of government-held information are key strategic priorities for the OAIC.[1] This recognises that data held by the Australian Government is a national resource which can yield significant benefits for the Australian people when handled appropriately and in the public interest.

5 The Strategy sets out a vision for the creation of a national ecosystem of data that is accessible, reliable, relevant and easily used to power Australia’s national endeavour towards a modern data-driven society.[2] The Strategy focuses on three key themes: maximising the value of data, trust and protection, and enabling data use.

6 The Strategy acknowledges the importance of keeping data safe and secure and using and managing it in appropriate ways to earn and maintain public trust. This is particularly important in relation to data containing personal information, which is subject to specific statutory protection. Privacy issues that are not properly addressed can impact the community’s trust in an entity and undermine the success of new data initiatives. When people have confidence in how their data is handled, they are more likely to support the use of that information to provide the services and value promised by innovative data initiatives.

7 The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal-information handling activities and facilitate community trust and confidence in new data initiatives. It contains 13 Australian Privacy Principles (APPs), which are technology-neutral and applicable to changing and emerging technologies and data practices. This submission focusses on the role that privacy will play in achieving the Strategy’s vision and objectives, and our views on measures that can further support the Strategy’s ambitions by strengthening the existing privacy framework through the ongoing Privacy Act Review. It is also important to acknowledge the significant role the FOI Act will play as part of a comprehensive Australian Data Strategy.

Privacy as the foundation of trust

8 The OAIC’s Australian Community Attitudes to Privacy Survey 2020 (ACAPS) report shows that privacy is a major concern for the majority of Australians (around 70%), particularly as the digital environment and data practices evolve rapidly.[3] The report also showed that 84% of Australians consider privacy extremely or very important when choosing a digital service – ahead of reliability, convenience and price.

9 The survey results also demonstrated there has been a general downward trend in trust since 2007. Trust in businesses in general is down by 13%, with the social media industry being rated the most untrustworthy in how it protects personal information. Between 2007 and 2020, there was a 14% decline in trust in how the Australian Government handles personal information.

10 This survey has important findings in the context of the Strategy. It demonstrates that awareness of privacy has increased in recent years and signals the need to increase consumer trust and confidence in privacy and data handling practices across the economy. Good privacy practices that meet community expectations through compliance with the Privacy Act and the APPs will create the trust and confidence that is needed for the public to engage and make data-driven solutions and initiatives envisioned by the Strategy a success.

11 The Strategy recognises that the Privacy Act is a key legislative protection of individuals’ personal information in Australia. The 13 APPs are structured to reflect privacy obligations across the information lifecycle, as entities collect, hold, use, disclose, and destroy or de-identify personal information. The APPs are legally binding principles, which provide entities with the flexibility to take a risk-based approach to compliance, based on their particular circumstances, including size, resources and business model, while ensuring the protection of individuals’ privacy.

12 The FOI Act also plays a critical role in building and maintaining public trust by promoting and enforcing the right of the public to access information held by Australian Government ministers and Australian Government agencies both on request and proactively through the Information Publication Scheme.[4] The FOI Act recognises that the information government holds is a national resource and is managed for public purposes, and that public access to it should be prompt and at the lowest reasonable cost.

Organisational accountability

13 Organisational accountability is globally recognised as a key building block for effective privacy regulation and management. While the concept of ‘accountability’ can mean different things in different contexts, for the present purposes it can be described broadly as the different actions and controls that an entity must implement in order to comply, and demonstrate compliance, with the privacy regulatory framework.

14 The concept of accountability focuses on whether a regulated entity has translated its privacy obligations into internal privacy management processes that are commensurate with, and scalable to, the risks and threats associated with its personal information-handling activities.

15 Under the Privacy Act, accountability is at the core of APP 1, which requires entities to manage personal information in an open and transparent way. APP 1 does this by requiring entities to:

  • take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs (APP 1.2), and
  • have a clearly expressed and up to date APP privacy policy describing how they manage personal information (APP 1.3).

16 The OAIC has published a suite of guidance materials to assist entities to embed strong accountability measures and implement a ‘privacy by design’ approach. Essentially, this is an approach where privacy compliance is part of the initial design of projects, activities and initiatives dealing with personal information, and then is included throughout the information lifecycle, rather than being bolted on afterwards.[5]

17 By embedding strong accountability measures that facilitate a ‘privacy by design’ approach, entities can build a reputation for strong and effective privacy management, which is essential to realising the benefits of the Strategy, while also ensuring compliance with privacy laws and meeting community expectations.

Keeping data safe

18 The Strategy notes that, as the amount of data created, accessed and shared by Australians increases, so does the need for data to be stored in trusted and secure ways. The Strategy acknowledges the need to strike a balance between enabling broader access to data to leverage its benefits, while mitigating security and other risks.

19 It is important to note that privacy and data security are intrinsically linked, and that the protection of personal information is an essential part of data security. The Privacy Act includes well-established security requirements, particularly through APP 1 (Open and transparent management of personal information) and APP 11 (Security of personal information), and the Notifiable Data Breaches (NDB) scheme:

  • Under APP 1, entities must take steps beyond technical security measures in order to protect and ensure the protection of personal information throughout the information lifecycle, including by implementing strategies in relation to governance, internal practices, processes and systems, and dealing with third party providers. This approach also ensures entities detect privacy breaches promptly and are ready to respond to potential privacy breaches in a timely and appropriate manner.
  • In complying with APP 11, entities are required to take reasonable steps to protect the personal information they hold, which includes actively monitoring their risk environment for emerging threats and implementing appropriate mitigation strategies. This is a dynamic responsibility which scales proportionately to the volume and sensitivity of personal information held by an entity, the nature and size of the entity and the threat environment in which it operates.
  • The NDB scheme requires the mandatory reporting of eligible data breaches to the regulator and affected individuals. This scheme provides visibility of compliance with relevant security standards and allows affected individuals to mitigate personal risk. The NDB scheme incentivises entities to improve security standards in relation to the protection of personal information.

20 In the OAIC’s view, while the Privacy Act applies specifically to the handling of personal information, in practice, strong privacy compliance is likely to uplift the data security capability of entities generally. This is because most entities collect and hold some personal information, and many are likely to have information handling processes or systems that cover all types of information that they hold.[6]

21 Relatedly, we note the Strategy contemplates the use of de-identified data in future initiatives. The Privacy Act does not apply to de-identified information, which may include data derived from personal information, as it is no longer about an identifiable individual or an individual who is reasonably identifiable. However, it can be difficult to determine whether information has been successfully de-identified. The OAIC encourages entities to seek specialist advice when de-identifying information, to ensure the most appropriate techniques are used. In addition to techniques applied to the data itself, restrictions on the data environment (for example, imposing restrictions on how and where the data may be accessed and requiring that data users sign non-disclosure agreements) may also be necessary to help ensure that no individuals are identifiable or reasonably identifiable.[7] The OAIC, together with the CSIRO’s Data61, produced guidance on de-identification to assist entities to de-identify their data effectively.[8]

Reforming Australia’s Privacy Act

22 As noted in the Strategy, the Attorney-General’s Department is conducting a review of the Privacy Act to consider whether its scope and enforcement mechanisms are fit-for-purpose and to ensure that its privacy settings better empower consumers, protect their data and support the digital economy.

23 We consider that the Privacy Act Review presents an opportunity to ensure that Australia’s Privacy Act remains fit for purpose in an increasingly global, digital world. We take this opportunity to highlight some of our recent recommendations to the Privacy Act Review, which have direct relevance to achieving the Strategy’s vision and the effective delivery of data and digital initiatives.

Increased accountability for regulated entities

24 Entities in the digital economy are collecting more information than ever before, and many are basing their business model around the collection, use and disclosure of personal information. Data handling is increasingly complex, making it difficult for individuals to understand and control the ways in which their personal information is being handled.

25 In an environment where there has been an exponential increase in the collection, use and disclosure of personal information as part of standard business models, and where consumer information about those practices is long, complex and difficult to navigate, it is inappropriate for businesses to rely on that asymmetry to place the full responsibility on individuals to protect themselves from harm.

26 In our submission to the Privacy Act Review, the OAIC submitted that the burden of understanding and consenting to complicated information handling practices should not fall on individuals.[9]

27 Instead, we consider that the general standard of personal information handling across the economy needs to be raised – government and businesses should be required to take proactive steps to ensure their practices are appropriate, fair and proportionate.

28 The OAIC recommended establishing a positive duty on organisations to handle personal information fairly and reasonably and to require regulated entities to take a proactive approach to meeting their obligations as the parties best equipped to understand their complex information handling flows and practices.[10]

29 The OAIC views this proposed reform as a new keystone for the Privacy Act. The introduction of a central obligation to collect, use and disclose personal information fairly and reasonably would provide a new baseline for privacy practice that meets community expectations, and helps to restore and build trust, which is essential to realising the Strategy’s vision.

30 The OAIC also suggested changes to privacy self-management mechanisms like notice and consent. In our view, by raising the standard of data handling, individuals can have greater confidence that they will be treated fairly when they choose to engage with a service. This would prevent consent being used to legitimise handling of personal information in a manner that, objectively, is unfair or unreasonable.

31 These changes will also remove the privacy burden from individuals, by providing the same assurances to people who share their personal data as those provided through well-established workplace and consumer safeguards. This will allow individuals to engage with products and services with confidence that—like a safety standard—privacy protection is a given. It also provides the flexibility needed by entities to use personal information to innovate and contribute to a thriving digital economy.

32 These measures are also supported by our recommendations to enhance the Privacy Act’s existing organisational accountability requirements including express requirements to implement a risk-based privacy management program and to undertake a ‘privacy by design’ approach. They will enable entities to effectively assess whether their activities are fair and reasonable. They will also specifically require entities to consider how their activities will impact individuals, and whether there are less privacy intrusive options for new projects, activities or initiatives.[11]

Harmonisation and global interoperability

33 The Strategy notes that, despite the clear potential benefit of cross-border data flows, countries are typically fragmented in their approach to data regulation, which can prohibit or significantly encumber the free flow of data due to varied privacy, security and data access legislation and policies. The Strategy notes that Australia seeks to be a trusted and influential partner in the international community.

34 Data increasingly flows across borders as the digital economy develops. It is important for privacy regulation to create appropriate and interoperable frameworks that enable the efficient movement of data across borders, while providing strong protections for individuals’ personal information. This alignment can facilitate engagement of multinational businesses in the Australian economy by creating predictable, globally aligned privacy requirements. Interoperable frameworks will also support effective cross-border regulation.

35 Interoperability does not necessarily mean adopting other laws in totality in Australia. Instead, it is important to consider how to create consistently high privacy standards globally, and how to determine what elements may suit the Australian economy to support that objective.

36 The OAIC is at the forefront of international collaboration, including through our leadership role in the Global Privacy Assembly as a member of the Executive Committee, chair of the Strategic Direction Subcommittee, co-chair of the Digital Citizen and Consumer Working Group, and membership of its working groups on International Enforcement, Policy Strategy (Global Frameworks and Standards), Ethics and Data Protection in Artificial Intelligence, and COVID-19. Our engagement in the Global Privacy Assembly supports the OAIC International Strategy 2020–22, which seeks to protect Australians’ personal information wherever it flows.[12]

37 As outlined in our submission to the Privacy Act Review, the OAIC encourages consideration of international frameworks to ensure that Australia’s framework is comparable, whilst also ensuring it reflects the unique circumstances and expectations of Australians. The OAIC referenced aspects of other legal frameworks, including the General Data Protection Regulation, which are appropriate to be adopted or adapted in the Australian context. Incorporating these elements into domestic law through the Privacy Act Review will facilitate appropriate global consistency, ensure high privacy standards and that the protections afforded in Australia follow our personal information wherever it flows.

38 Domestically, Commonwealth, State and Territory governments are also increasingly working together on national initiatives that involve sharing data across jurisdictions. In many instances, these initiatives rely on jurisdictions across Australia having privacy frameworks that are equivalent to the protections afforded by the Commonwealth Privacy Act. The need for harmonisation within Australia has also been a guiding theme in the privacy response to the COVID-19 pandemic and is a key element in supporting the Strategy’s vision and objectives.

39 One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information. Alignment of rights and obligations with the Privacy Act would ensure that Australians’ personal information is subject to similar requirements whether that personal information is handled by an Australian Government agency, a state or territory government agency, or private sector organisations.

40 Consistency in regulation across domestic jurisdictions will not only reduce compliance burdens and cost but also provide clarity and simplicity for regulated entities and the community. National consistency, therefore, should be a key goal in the design of any state or territory laws that purport to address privacy issues.[13] To assist in achieving this, the OAIC has suggested that any state or territory laws that concern privacy issues should be commensurate with those under the Privacy Act.

Conclusion

41 As noted above, we consider that privacy is integral to ensuring public trust and confidence in the way data is managed in Australia. The measures proposed as part of the ongoing Privacy Act Review process will enhance the existing privacy framework, which will further support the Strategy’s vision and objectives.

42 We understand that the Strategy is the beginning of a conversation rather than its conclusion, and that submissions to this consultation will help inform the government’s future data activities. The OAIC welcomes ongoing engagement with the Department as it considers submissions, and we are able to provide advice and consult on the Privacy Act, the FOI Act and any other areas within our regulatory remit that intersect with the Strategy and the development of future data activities.

Footnotes

[1] OAIC, Corporate Plan 2021/2022, OAIC website, August 2021, accessed 8 July 2022.

[2] Department of the Prime Minister & Cabinet, Australian Data Strategy, 2022, p 6, accessed 13 July 2022.

[3] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, 2020, accessed 26 May 2022.

[4] The Information Publication Scheme (IPS) makes agencies, with some exceptions, publish on their website certain information they hold, as well as an information publication plan. The IPS encourages agencies to be open and transparent, and consider publishing information that they aren’t obliged to publish.

[5] The OAIC’s guidance materials include a Privacy Management Framework, Privacy Management Plan template for organisations and agencies, a Guide to undertaking a privacy impact assessments, a Privacy Impact Assessment tool and a Privacy Impact Assessment e-Learning course.

[6] The Strategy identifies the National Data Security Action Plan as a key initiative to address identified gaps in existing data security settings. The OAIC made a submission to the National Data Security Action Plan Discussion Paper in April 2022, which considered these issues in more detail.

[7] OAIC, What is personal information?, OAIC, 5 May 2017, accessed 13 July 2022.

[8] OAIC, De-identification and the Privacy Act, OAIC, 21 March 2018, accessed 13 July 2022.

[9] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 80, accessed 26 May 2022.

[10] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 10, accessed 26 May 2022.

[11] The OAIC’s recommendations designed to increase accountability for regulated entities are discussed in further detail in Part 9: Consent, Part 10: Additional protections for collection, use and disclosure, and Part 20: Organisational accountability in our Privacy Act Review Discussion Paper submission.

[12] OAIC, Corporate Plan 2021/2022, OAIC website, August 2021, accessed 8 July 2022.

[13] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 228, accessed 20 June 2022.