Office of the Victorian Privacy Commissioner Submission to the Australian Information Commissioner on Towards an Australian Government Information Policy
GPO Box 5057
10–16 Queen Street
Melbourne Victoria 3000
Submission on Towards an Australian Government Information Policy
1. Privacy Victoria acknowledges that the Towards an Australian Government Information Policy report does address some privacy concerns, namely recognition of existing privacy protections and legislation already in place and that privacy should be taken into account when defining "public sector information". Achieving a consistent policy and coordinating the effort for an approach to open public information is a worthwhile practice; however, any approach towards a coordinated policy should take into account privacy concerns at a fundamental level, in particular when considering any data classification or de-identification of personal information.
2. The policy briefly discusses privacy generally, but does not directly address the fact that most data that government holds contains personal information. This is a significant challenge in implementing the policy. The policy does note (page 49) that 'widespread publication [of public sector information] is desirable, subject to the requirements of privacy, security and intellectual property' and Draft Principle 5 (page 56) states that sound agency decision-making can be achieved by, among other things, 'imposing controls to avoid personal information being published inappropriately or inadvertently in a data set.' These explanations, however, do not place privacy controls first and foremost at the beginning of the process, including when data is collected.
3. The difficulties of making data "open" should not be underestimated. Given the increasing sophistication of data mashing, data matching and the risk of subsequent re-identification, de-identification of government data requires a monumental amount of work and resources on the part of public sector agencies. These two factors could contribute to the task being done in a less than uniform or less than effective way, which would constitute a significant threat to personal privacy. The difficulties in achieving de-identification should be addressed. Aggregating data has fewer risks but, depending on the methods to achieve aggregation, still could raise concerns about revealing personal information.
4. Draft Principle 1 (page 54–55) suggests that a presumption of openness should beapplied when deciding whether and how to publish public sector information. In practice, this will mean implementing a uniform, consistent data classification scheme to determine whether or not information should be released and how it is released. No document containing personal information should be presumed to be openly accessible to the public. This requires careful examination and understanding of the types of information held and a classification system that is properly understood and utilised across the Commonwealth public sector. If this is not the case, the danger is that the default position will be that information is deemed "unclassified". This increases the risk of accidental disclosure of personal information contrary to the Privacy Act 1988 (Citi).
5. It should be noted that a granular classification process already operates at the Commonwealth level, requiring all documents containing personal information to be classified. However, in my experience, this is routinely ignored or subverted, with documents sent as "unclassified", even where they clearly contain personal information.
6. For some government agencies, the presumption of openness should not apply given the type of information the agency deals with. There are concerns whether such a consistent scheme can be introduced that protects the privacy of individuals as well as promoting openness and transparency.
7. These issues are not insuperable but do require careful consideration in achieving a whole of government approach to information management.
Victorian Privacy Commissioner
Was this page helpful?
If you would like to provide more feedback, please email us at email@example.com