14 November 2019

Executive Summary

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Western Australian (WA) Government's Discussion Paper on ‘Privacy and Responsible Information Sharing for the Western Australian public sector’ (the Discussion Paper).

2 The OAIC appreciates the consultative approach taken to developing this framework. The Discussion Paper sets out a broad vision for establishing a whole-of-government approach to protecting privacy and enabling responsible information sharing within the WA public sector and with authorised parties. The approach has the potential to result in a significant change to the way that the WA Government manages the data it holds on behalf of the WA community.

3 The OAIC is an independent national regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act)), freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).

4 Overseeing these three interrelated functions enables the OAIC to strike the right balance between confidentiality and transparency — between the right to privacy, and the right to access government information, which is a key national resource.

5 Drawing on these functions, the OAIC has worked collaboratively with the Department of Prime Minister and Cabinet and the interim National Data Commissioner throughout the development of the proposed national data sharing and release framework.

6 It is with this experience that the OAIC makes recommendations to the WA Government in this submission on:

  1. aligning its framework to national privacy and information sharing frameworks to further national consistency, and
  2. the key privacy issues to consider when developing its new information sharing framework, including:
    1. building trust and ensuring that the project has community support for the proposed uses of data
    2. clearly and narrowly defining the scope and purpose of WA’s information sharing framework to minimise the impact on privacy and ensure that pre-approved ‘uses’ that data can be put to are restricted to those which are in the public interest
    3. requiring data sharing to occur on a de-identified basis where possible, and, where not possible, considering whether it is reasonable and appropriate to seek consent, particularly in relation to information sharing for government service delivery purposes
    4. undertaking and publishing a privacy impact assessment for the project.

7 The OAIC is supportive of the WA Government’s proposal to adopt the Five Safes Framework as part of its information sharing framework, and to implement a permissive framework that agencies can use to meet community needs, rather than a mandatory one compelling the sharing of information.

Ensuring alignment with national frameworks

8 The OAIC supports efforts to harmonise privacy and information sharing legislation across the various Australian jurisdictions, and recognises that this is one of the goals of the WA Government when introducing its new framework.

9 Commonwealth, State and Territory governments are increasingly working together on national initiatives that involve sharing information across jurisdictions.[1] In many instances, these initiatives rely on jurisdictions across Australia having privacy frameworks that are equivalent to the protections afforded by the Commonwealth Privacy Act, including commensurate protections for personal information, access to redress mechanisms, monitoring and oversight by an appropriate regulator and data breach notification requirements. In establishing its new privacy and information sharing framework, the WA Government has a unique opportunity to put in place measures that achieve equivalency from the start, in order to realise the opportunities for data sharing supported by personal information protection across jurisdictions.

10 Consistency in regulation across jurisdictions will also reduce compliance burdens and cost, and provide clarity and simplicity for regulated entities and the community. National consistency, therefore, is a key goal of privacy and information sharing regulation.[2]

11 The OAIC supports the Discussion Paper’s commitment to privacy, including the development of comprehensive privacy legislation to regulate the way that the WA public sector collects, uses, discloses and handles personal information; and the appointment of an independent body and WA Privacy Commissioner to receive and resolve privacy complaints from the public.

12 The OAIC recommends that data safeguards and protections introduced by the WA Government should be commensurate with those under the Commonwealth Privacy Act, which provides the basis for nationally consistent regulation of privacy and the handling of personal information.[3] The Privacy Act contains important rights, obligations and enforcement mechanisms to protect the personal information provided to Commonwealth agencies and private sector organisations that are subject to its jurisdiction.

13 To that end, the OAIC supports the WA Government’s proposal to model its new privacy framework on the Australian Privacy Principles (APPs), in Schedule 1 of the Privacy Act. The APPs are the cornerstone of the privacy protection framework in the Privacy Act,[4] governing standards, rights and obligations around the handling, integrity and correction of personal information, the rights of individuals to access their personal information, and an entity’s governance and accountability.

14 The APPs promote national consistency of regulation by providing a minimum set of standards that are applicable to both Australian Government agencies and private sector organisations covered by the Act. As the APPs are principles-based and technologically neutral, they give entities flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals. Consideration could also be given to introducing a code-making power which, under the Commonwealth Privacy Act, allows additional legal particularity to be provided through a legislative instrument where required. The Privacy (Australian Government Agencies – Governance) APP Code 2017 is an example.

15 The OAIC also recommends that the WA Government further strengthens its new privacy framework by introducing a data breach notification scheme that aligns with the Commonwealth Notifiable Data Breach (NDB) scheme. Under the NDB scheme, any organisation or agency covered by the Privacy Act must notify affected individuals and the OAIC when it has experienced a data breach that is likely to result in serious harm to an individual whose personal information is involved.

16 The NDB scheme formalised a long-standing community expectation for transparency when a serious data breach occurs.[5] The transparency provided by the NDB scheme reinforces the accountability of Australian Government agencies and businesses for personal information protection, and encourages a proactive approach to security.

17 The WA Government could also seek to align the design and implementation of its data sharing framework with that of the proposed Data Sharing and Release framework being developed by the Australian Government.[6] As acknowledged in the Discussion Paper, there are a number of legislative data sharing models operating across other Australian (and international) jurisdictions.[7]

Issues to consider in establishing a new information sharing framework

18 The OAIC has long recognised the inherent value and potential of government-held data. An object of the FOI Act is to increase recognition that information held by the Government is to be managed for public purposes, and is a national resource.[8] Data held by governments can yield significant benefits for the Australian people when handled appropriately, and in the public interest. Governments hold a great deal of data that is not derived from personal information, and the OAIC supports the greater use and sharing of such data.

19 However, governments also hold a vast wealth of data about their citizens that is personal information, much of it collected on a compulsory basis to enable individuals to receive a service or benefit. Some of this data is sensitive – or can become sensitive when linked or matched with other data sets.

20 Governments therefore have unique responsibilities when making decisions about how that data should be used or disclosed. It is important to ensure that there is a strong public interest case for policy proposals that authorise the use and disclosure of personal information for purposes beyond those originally intended at the time of collection. Laws that authorise acts or practices that may otherwise breach privacy laws must be reasonable, necessary and proportionate to achieving a legitimate policy objective.

21 Further, the level of community support for data sharing activities under a new information sharing framework will need to be considered carefully throughout the design and implementation of the framework. The OAIC’s Australian Community Attitudes to Privacy Survey 2017 highlighted that some in the community may be uncomfortable with secondary uses of information (use for a purpose other than the original purpose for which it was provided). Almost universally, individuals consider transparency in the handling of their personal information to be extremely important, and 97% of participants were unhappy about their personal information being used for a secondary purpose.[9] Some people are, however, more likely than others to support data sharing for secondary purposes. For example:

  1. Only 34% of Australians were comfortable with a government agency sharing their personal information with another government agency.
  2. However, 46% of Australians were comfortable with government agencies using their personal details for research or policy-making purposes. 40% were not comfortable, and the remaining 14% were unsure.

22 When there is transparency in the way personal information is handled, it gives individuals choice and confidence that their privacy rights will be respected. Most people expect government agencies to use their information where it is necessary to provide them with the services they want, or to improve on those services. However, people also want to know how their information is being used, who has access to it, and what impact this will have on their lives. When people have confidence about how their information is managed, and understand the purposes it will be used for, they are more likely to support those uses of information.

23 Ensuring that individuals are adequately informed and consulted about the WA Government’s proposed information sharing framework, and that the privacy impacts of the framework are minimised, will help to build community trust in the project.

24 The OAIC has made a number of submissions about the privacy issues involved in government data sharing activities, including a submission to the Productivity Commission’s Draft Report on Data Availability and Use,[10] and submissions to the Department of Prime Minister and Cabinet’s Issues Paper[11] and Discussion Paper on the proposed New Australian Government Data Sharing and Release Legislation.[12] There are a number of recommendations in these submissions that the WA Government may wish to consider as it develops its new information sharing framework. In particular:

  1. The scope and purpose of any new information sharing framework should be defined as clearly and narrowly as possible in order to minimise the impact on privacy. In particular, the pre-approved ‘uses’ that data can be put to should be restricted to those that are in the public interest and enjoy strong community support, such as research in the public interest, or informing or improving the development of policy. A constrained purpose test will assist in ensuring that any subsequent impacts on individual privacy are reasonable, necessary and proportionate to achieving a legitimate policy objective with a strong public interest purpose. The OAIC recognises the WA Government’s efforts to align the permitted purposes under its new information sharing framework with the data sharing models across other Australian jurisdictions, which generally restrict the purposes for which data may be shared to those which may inform government policy making, service planning and design.[13]

  2. The OAIC supports the WA Government’s proposal to adopt the Five Safes Framework as the basis of its data sharing framework. As highlighted in the Discussion Paper, the Five Safes Framework is an internationally recognised risk management model that has been adopted in Australia and underpins the Australian Government’s proposed Data Sharing and Release framework. The WA Government’s intention to adopt this framework is therefore an important step towards building national consistency across data sharing legislation.

  3. The Five Safes Framework highlights important considerations around the de-identification of personal information. The OAIC holds the view that data sharing should occur on a de-identified basis where possible, to minimise the privacy impacts of the framework for individuals.[14] Where it is not possible to use de-identified information, consideration should be given to whether it is reasonable and appropriate to seek consent. In particular, the OAIC notes the Discussion Paper’s focus on the potential benefits that an information sharing framework could bring to government service delivery. While acknowledging those potential benefits, the OAIC considers that a consent-based model is appropriate for any data sharing that will be used to inform or enable the delivery of government services, provided the individual does have a meaningful choice. This would be in line with the objective of providing individuals with greater control over the handling of their personal information. We also encourage the WA Government to ensure that the new legislation clearly specifies when consent would be appropriate in relation to data sharing for any other purposes under the framework, and how it should be sought.

  4. The OAIC supports the WA Government’s proposal to implement a permissive framework that agencies can use to meet community needs, rather than a mandatory one compelling the sharing of information. This aligns with the direction that the Australian Government is taking with the development of the Data Sharing and Release legislation. The ‘Data Sharing and Release Legislative Reforms Discussion Paper’, released in September 2019, noted that the new legislation will not compel sharing. Government agencies will be responsible for deciding whether to use the legislation, and will share data only if they are satisfied it can be shared safely. The National Data Commissioner will not be able to compel or overturn decisions to share or not to share, instead focusing on ensuring that when data is shared, it is done safely. The OAIC is supportive of this model for data sharing.

  5. The OAIC recommends that the WA Government consider additional safeguards that are currently being proposed as part of the national Data Sharing and Release Bill. One example is the proposed requirement that data sharing under the Bill be covered by a Data Sharing Agreement, with the National Data Commissioner to publish registers of those agreements. Publication of data sharing agreements should assist in increasing transparency about what information is being shared, the reason for it being shared and how it is being shared safely.

25 Finally, it is not clear from the Discussion Paper whether the WA Government has undertaken a privacy impact assessment (PIA) for its proposed new information sharing framework. The OAIC encourages entities to conduct PIAs as a matter of course for projects that involve personal information, and to share their findings publicly. Under the Australian Government Agencies Privacy Code, Australian Government agencies are required to undertake PIAs for high privacy risk projects, which are projects that involve any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.[15]

26 To be effective, a PIA should be an integral part of the project planning process. Making a PIA an integral part of a project from the beginning means that any privacy risks can be identified early in the project and alternative, less privacy-intrusive practices considered during development, instead of retrospectively. Undertaking a PIA is a process that does not end with the publication of the PIA report. A PIA should be revisited and updated when changes to the project are considered.

27 The OAIC has published a ‘Guide to undertaking privacy impact assessments’, which describes the process for undertaking a PIA and provides additional resources.[16] This may be of assistance in undertaking a PIA for this project.

28 The OAIC is available to discuss any of these issues further and welcomes continued engagement in developing a whole-of-government approach to privacy and information sharing in Western Australia. Sarah Croxall (Director – Regulation & Strategy) of the OAIC is available to discuss these matters on [contact details removed].

Footnotes

[1] See, for example, under the My Health Records Act 2012 (Cth), Identity-matching Services Bill 2019, and the Commonwealth Government’s proposed data sharing and release legislation.

[2] See section 3.13 of the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice (ALRC Report 108), May 2008.

[3] Section 2A (c) of the Privacy Act 1988 (Cth).

[4] See p 52 of the Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012.

[5] For example, according to the OAIC’s 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when personal information is lost by a business. Further information is available on the OAIC website.

[6] Further information is available on the Office of the National Data Commissioner’s website.

[7] For example, see the Data Sharing Act 2017 (Vic), the Data Sharing (Government Sector) Act 2015 (NSW), and the Public Sector (Data Sharing) Act 2016 (SA).

[8] See s 3 of the Freedom of Information Act 1982 (Cth).

[9] Available on the OAIC website at Australian Community Attitudes to Privacy Survey 2017 Report.

[10] Available on the OAIC website at Data Availability and Use — submission to Productivity Commission Draft Report.

[11] Available on the OAIC website at New Australian Government Data Sharing and Release Legislation — submission to Department of Prime Minister and Cabinet.

[12] Available on the OAIC website at Data Sharing and Release legislative reforms discussion paper — submission to Prime Minister and Cabinet.

[13] See s 5 of the Data Sharing Act 2017 (Vic), ss 6 and 7 of the Data Sharing (Government Sector) Act 2015 (NSW), and s 8 of the Public Sector (Data Sharing) Act 2016 (SA).

[14] The OAIC encourages the WA Government to refer to the De-identification Decision-Making Framework. The Framework was developed by the OAIC and CSIRO’s Data61 to assist organisations to de-identify their data effectively. The De-identification Decision-Making Framework is a practical and accessible guide for Australian entities that handle personal information and are considering sharing or releasing it to meet their ethical responsibilities and legal obligations, such as those under the Privacy Act.

[15] See s 12 of the Privacy (Australian Government Agencies — Governance) APP Code 2017.

[16] Available on the OAIC website at Guide to undertaking privacy impact assessments.