QLD Office of the Information Commissioner submission

Date: 25 February 2011

Professor John McMillan

Australian Information Commissioner
Office of the Australian Information Commissioner
GPO Box 2999
Canberra ACT 2601

Dear Professor McMillan

Thank you for your invitation to comment on the matters raised in the Office of the Australian Information Commissioner's (OAIC) November 2010 issues paper Towardsan Australian Government Information Policy (Paper). We support your efforts to ensure a consistent approach to the Commonwealth government's information management which is focused on open and reusable information.

Since 1 July 2009, Queensland has been operating under legislation which encourages an open, accountable and participatory government. Under the Queensland framework the Queensland Government Chief Information Office (QGCIO) and the State Archivist are responsible for information management. Consequently, I have drawn their attention to your Paper.

Queensland's Independent Review Panel of FOI legislation identified a whole of government strategic information policy as a pre-requisite to the successful implementation of FOI laws. The Queensland government supported the Panel's recommendation to develop one and QGCIO have carried out the recommendation. Queensland's information management framework incorporates the OECD principles and other international perspectives.

Privacy

Similarly to the OAIC, the Office of the Information Commissioner, Queensland (OIC) has the dual function of promoting access to government-held information and protection of personal information held by government.

Balancing pro-disclosure with the right to privacy

OIC frequently encounters a perception, among both government officers and the public generally, that there is an inherent conflict between right to information with a pro-disclosure bias and the privacy principles intended to protect individuals' privacy.

The right to information however is not an unfettered right; the regulatory framework also protects essential public, private and business interests. For example, while the Right to Information Act 2009 (Qld) has a pro-disclosure bias, it recognises that privacy is an important consideration in deciding whether to release information.[1] Similarly, the Information Privacy Act 2009 (Qld) acknowledges that release of information is an important part of transparent and accountable government. The Queensland model, as with others, requires a balance to be struck between the push for disclosure ofinformation and the privacy protections. Part of our role has been assisting officers of the Queensland government to understand this balance, The OAIC has recognised this balance in draft principle 5, which states that '[S]ound agency decision-making in relation to open access to public sector information can be achieved by... identifying where relevant appropriate alternatives to not publishing information, such as publishing subject to caveats or disclaimers' however OAIC also suggests 'controls to avoid personal information being published inappropriately or inadvertently in a data set.'

Anonymisation

Personal information is not limited to information in which an individual is named. The broad nature of the definition can encompass all information about an individual, as long as that individual can reasonably be identified.

Anonymisation, through means such as redacting key identifiers, utilising numerical sequences in place of names, and summarising detailed information into a more generic form are all common ways in which information is deidentified. However, recent studies have suggested that the process of anonymisation of data may be more difficult to achieve than once thought.[2] This is compounded by the widespread use of the internet as a method of communication; in particular, social media has resulted in more random details about individuals being made publically available and fully searchable. Information about individuals can be accessed far more widely and far more readily than ever before. This creates a greater risk of an average person 'joining the dots', either deliberately or inadvertently, and discovering who, exactly, a piece of deidentified data is about.

Anonymisation has a significant part to play in the move towards greater access to government held information, but its potential limitations should be taken into account.

Speed of publication

I acknowledge that, as noted in the Paper, the Government 2.0 Taskforce 'recommended that even if data requires more work to improve its quality, it should be published with appropriate disclaimers about completeness, accuracy and currency.' However, it is important to consider the implications of the inadvertent disclosure of personal information in this way. I note that in draft principle 5, OAIC has taken into account 'controls to avoid personal information being published inappropriately or inadvertently in a data set.

To assist agencies in effectively and securely managing information, we are considering the development of a grading system for different types of information based on sensitivity. For example, routine personal work information which records the personal information of public servants whilst carrying out their routine duties could be allocated a lower potential harm rating than sensitive health information. Information which is assessed as having a lower potential harm rating could be released more quickly whilst documents containing sensitive information could be reserved for more in-depth consideration.

This would accord with the OAlC's suggestion in draft principle 3: 'effective management of information throughout its life cycle can be achieved by protecting information commensurate with the risk of harm that could result from the loss, misuse, or unauthorised access to or modification of such Information.'

I thank you again for the invitation to comment on the Paper and I look forward to continuing to work with the OAIC in the future.

Yours sincerely

Julie Kinross

Information Commissioner

[1] Item 6, Part 4 of Schedule 4 of the Right to Information Act 2009 (Qld).

[2] Paul Ohm, 'Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization' (2010) 57 UCLA Law Review 1701.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au