'The value of public sector information', Australian Government Solicitor FOI and Privacy Forum 2016

4 May 2016

Presentation by Australian Information Commissioner and Privacy Commissioner, Timothy Pilgrim, at the Australian Government Solicitor FOI and Privacy Forum 2016 in Canberra

Good morning. I wish to acknowledge the Ngunnawal people as the traditional owners and custodians of land on which we meet today.

This morning I want to talk about the value of public sector information, but I am sure I do not have to make any threshold arguments to this audience.

This is, after all, a topic that is being reflected throughout government, as the Government’s open data agenda calls agencies to recognise and work to harness the immense societal value of public sector information.

My office has long recognised the significant economic and social benefits that can be achieved from open access to government information.

However, before going further I want to acknowledge upfront what you would have seen in last night’s budget announcement – that is, the Government’s decision not to proceed with the legislation to disband the OAIC, and to provide ongoing funding for the OAIC to fulfil its privacy and FOI functions.

I of course welcome this decision.

Those of you who have worked with us over the last two years since the May 2014 budget will appreciate that this news gives both my Office, and you, certainty that we will continue in both our key regulatory roles.

The freedom of information jurisdiction and the responsibilities that go with that have been restored in full to the OAIC although the funding provides for a leaner, more efficient approach to those responsibilities. I will cover this in more detail shortly.

Our functions under the Australian Information Commissioner Act 2010, the Privacy Act 1988 and the Freedom of Information Act 1982 clearly place our Office in a unique position to contribute to the discussion on optimising the use of public sector information.

In fact, the FOI Act highlights the importance of government held data in one of the objects to that Act, which states that government held information is to be managed for public purposes, and is a national resource.

Accordingly, over the last 6 years the OAIC has done a great deal of work to encourage an ‘open access by default’ approach to government information.

An example of this includes the earlier development of our Principles on open public sector information, which encourages default open access as the first principle, followed by the need to engage the community.

We have encouraged agencies to embed these principles into their internal policies and procedures on information management — to help build a culture of proactive information disclosure and community engagement.

And I am pleased that the issue of enhancing access to government held information has gained new momentum, with the establishment of the Public Data Branch in the Department of Prime Minister and Cabinet to enhance coordination and cohesion of this important Government priority.

I am also pleased that this Branch has looked to the earlier work of the OAIC, such as the principles I just mentioned, to help inform and further the direction of this important policy area.

Intrinsic to that priority is realising both the value of accessible data from Government, and also across government.

Our office recognises that this value is best maximised when information can be shared, reused and built upon.

In this context the wide variety of personal information that is held by government agencies can also be an immensely valuable data resource for policy, planning, research and innovation — ultimately providing better services to Australian businesses and communities.

But if this personal information is to be accessed and used for such important social reasons then it must be done respectfully and sensitively.

The personal information that government agencies collect is through an individual’s dealings with government, for example, to receive a social security benefit or service, for health care or through paying taxes.

In nearly all cases individuals must provide their personal information, a requirement often supported by legislation.

This limitation on individual choices around providing this information reinforces the importance of government agencies being careful about how they handle the personal information they have been entrusted with.

If I was to put a positive light on it, to a degree it may have been this recognition of the need to handle personal information with sensitivity that may have led to a reluctance on the part of agencies to use or make this information available.

An unfortunate by-product of this approach is the perception that the Privacy Act is a barrier to effective information sharing.

That is not the case. So I want to make a few observations on what privacy — a word that means a great many things in a great many contexts — means in this context; and how privacy and open access can, do, and will, work together.

Simply put, successful data-driven innovation – in policy or service delivery – needs a strong foundation in personal data protection; and personal data protection is the aspect of privacy that we really mean in this context.

This is because when this is built in – when people understand how their data will be used, and feel they have choices about it – organisations obtain the consumer trust they will need to successfully innovate from that data.

And the potential for that consumer trust is clear.

People do want their personal information to work for them, provided that they know it is working for them.

When there is transparency in how personal information is used, it gives individuals choice and confidence that their privacy rights are being respected. 

Accordingly, good privacy management and great innovation go hand in hand.

Because when people have confidence about how their information is managed, they are more likely to support the use of that information to provide better services.

Most people do expect organisations to use their information where it’s necessary to provide them with the services they want or to improve on those services.

They do expect law enforcement agencies to use information resources to stop crime and to keep people safe.

However, people also want to know how their information is being used, who has access to it, and what that means for them in terms of their personal identity.

Accordingly, the Privacy Act – often misunderstood to be about secrecy – is really about transparency and accountability.

By ensuring organisations are transparent and responsible when handling personal information, good privacy management strengthens public trust.

And this trust is key to our data innovation challenges.

Recently, the Chairman of the Productivity Commission has said ‘the significant evolution in data collection and analysis seen in recent times suggests that the culture, standards and policy structures that have been applied to big data analytics may need to move out of the back room and into the showroom if community confidence and wide opportunity for innovation are to be maximised.’

I agree.

And getting the trust equation right is no barrier to open access initiatives.

Nor is the Privacy Act.

As a principles-based law, it is flexible enough to support the use of data for open government initiatives, provided that an integrated approach to privacy management is taken up front.

Which leads naturally to the broader issue of privacy governance.

In the last year I have been talking a lot about privacy governance, leadership in privacy, and our Privacy management framework, which is a tool to help organisations integrate privacy into all aspects of business process.

This year, with data analytics set to expand as a key policy and service development tool, we are developing and updating resources on information sharing, big data, and de-identification, to name just a few.

The release of our draft guidance on big data and deidentification shortly will, I think, attract a lot of interest from this audience.

Because it will be the start of a significant consultation that we want to have with both public and private sectors to get our privacy response to big data well agreed and practically applied.

While data analytics presents immense potential to service and policy improvement, we know from our own longitudinal survey data that 97 percent of Australians don’t like their personal information to be used for a secondary purpose.

Secondary uses are of course critical to data innovation.

So we have a clear dissonance between our known and understandable desire that our personal information works for us and for the purposes we explicitly provided it for – vs the demonstrable innovative power of that data to improve our services and lives.

Addressing this dissonance will require a multi-pronged approach.

Part of it will lie in making the case as to how, through secondary uses, our personal information is still clearly working for our benefit, either directly or communally – and numerous research fields point to the potential to make this case.

Part of it will lie in greater security and protection of the personal information – and a determined approach to counter would-be disrupters of our national data resource – as the Government’s new Cyber Security Strategy reveals.

But part of the solution, and potentially a significant part I suggest, lies in getting deidentification right, and right such that government agencies, regulators, businesses and technology professionals have a common understanding as to what “getting it right” means.

When done correctly, deidentified information is no longer personal information and is therefore outside the scope of the Privacy Act.

But what does “done correctly” entail?

De-identified means de-identified in whose hands?

And in what use?

These are all pertinent questions, and ones that need to be resolved in conjunction with lead agencies in this space, while also drawing on private sector, technological and academic expertise.

And, as per the Productivity Commission’s point, we also need to move this knowledge out of the backroom and into the showroom in order to build public confidence in this potential privacy solution. So common and clear language to describe this technology to the public is also important.

We therefore see the release of our draft Big Data Guidance as the starting point of a conversation.

It will be followed by a series of seminars and workshops, with both public and private sector focus, promoted through our new Privacy Professionals Network; and I hope you will all participate.

I stress that de-identification, while a focus for us this year, is not the only approach available to manage the privacy dimensions of big data.

When we’re talking in terms of privacy governance, the requirements of APP 1 are broader than just privacy policies — APP 1 requires organisations to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs.

When we’re talking about government data and open access, the implementation of governance mechanisms and processes, practices and systems means privacy by design, and it means privacy impact assessments.

And it’s for that reason that we’re also developing a template for developing a privacy management plan. This will accompany our existing Privacy management framework, as a companion tool to help you meet your APP 1 obligations, implement privacy by design, and improve your privacy governance.

Privacy impact assessments should also be considered for any new program that involves changes to personal information handling, or which may include personal information.

If you’re working on a project to make information publicly available, a privacy impact assessment may be required, even if the project doesn’t in fact include any personal information, so that you can be certain of this. Also be aware that if you haven’t done a PIA, I have the power under the Privacy Act to direct agencies to do so.

The other critical aspect of how the OAIC reflects and protects the value of public information is through our FOI functions, which as I mentioned above will now be restored to the OAIC from 1 July.

This is welcomed by the OAIC. FOI is an important component of the government information management framework which underpins both open data, and the opportunities to maximise the value of publicly held information.

As we all seek to improve services and develop new processes for the benefit of the public, and in the interests of efficiency, we all need to remember that FOI, and access to information, is an important part of that equation.

In a similar vein to the personal data dimensions of data analytics, it is a waste of time for any of us to question what use or value an individual may find in particular public information.

The value of any particular piece of information may be unknown to us, but that doesn’t mean that it is unknowable. And in any case, it isn’t a relevant consideration under the FOI Act.

What is a relevant consideration is that transparent and proactive engagement with the FOI Act is an important component of building public support for open data innovation.

As I said, the Privacy Act is not about secrecy but about transparency, and the public confidence this promotes. The nexus with the FOI Act is, I think, clear; and this is supported by housing both regulatory functions in one agency.

The community has a right to access government information and while the FOI Act is only one means by which they do that, the starting point should remain proactive disclosure.

In the same way the Privacy Act is not a barrier to appropriate use of personal information, the FOI Act should not be a barrier to making government information available.

No doubt we have all seen the Utopia episode where the OAIC’s FOI guidance is used to develop excuse after excuse for non-release – but I want to remind you it is a fictional satire. 

The FOI Act is about how we make information available where we can, where that is appropriate.

As you are all well aware, one of the key functions of the OAIC is to conduct reviews of FOI decisions made by agencies.

Over the last two years we have streamlined the IC review process and have significantly reduced the allocation timeframes and improved the average turn-around time for IC reviews from approximately 10 months to three months.

This is a significant achievement by the OAIC team and one that I believe is reflected in Government’s confidence, as expressed through last night’s budget announcement.   

Between July 2015 through to March 2016, we received 380 IC reviews and closed 345. Of that number, 62 were closed by an IC review decision, with the remainder being resolved or finalised following carefully considered recommendations provided by the case officers, or through agreement or negotiation.  

We have implemented changes to ensure we provide an efficient, timely and responsive service. We have engaged with agencies to develop good working relationships and ensure there is a constructive and cooperative approach to the review process.

We have also demonstrated that we will use the regulatory powers provided by the Act to ensure an efficient and timely process and that we will move quickly and be decisive if we are unable to resolve matters informally.

At a practical level I recognise that we handle a small proportion of the large number of FOI decisions you make in your day to day work.

I encourage agencies to remember that IC review is a merits review process, and to therefore make their best decision at the first instance.

Release as much information as you can at the first instance, and if exemptions need to be relied on, then communicate these in a way that an applicant, with little knowledge of the nuances of the FOI Act, understands.

I can confirm for you this morning that other key FOI functions will be restored to the OAIC from 1 July.

So we will soon commence work on updating the FOI guidelines.

We will start to handle FOI related complaints which have been handled by the Ombudsman for the last 18 months.

We will take over management of the FOI statistics database and FOI reporting once our colleagues in AGD have completed the process for the 2015/16 annual report.

We also have some work to do to update our website and other material to reflect these changes.

I note however that we are a much leaner version of the OAIC than existed in 2014 and so there will also be changes in how we approach these functions in this new iteration of the office.  

However, returning to my main theme, improving access and sharing of information both from Government and across Government clearly offers immense potential to improve our services to Australian communities; provided of course, that we support and protect the existing rights of those same communities as we go.

Promoting open access to government-held information is a core premise of the OAIC, as is protecting the privacy rights of individuals from whom the information first derived.

These goals are not mutually exclusive.

They are mutually supportive.

And our organisation is uniquely placed to assist all agencies as they support the Government’s innovation agenda.

So I look forward to assisting agencies to meet their obligations under the Privacy and FOI Acts, as we seek to utilise the value of public sector information to provide and improve on services for the Australian public.

Thank you.