In late September last year Attorney-General Brandis foreshadowed amendments to the Privacy Act 1988 (Ctht) to strengthen the protections of data published by the Australian government, given that the Government "recognises that the privacy of citizens is of paramount importance" and that "with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future".
The stated intention of the Bill is to protect privacy by creating a new criminal offence of re-identifying de-identified government data, retrospective from 28 September. Brandis' second reading speech stated that publication of major datasets is an important part of the Government's Digital Transformation Agenda (so far distinctly underwhelming) and the "21st century government" vision noted here.
The Attorney-General subsequently stated
The recently identified vulnerability in the Department of Health's Medicare and Pharmaceutical Benefits Scheme dataset brought to the Government's attention the existence of a gap in privacy legislation regarding the re-identification of de-identified data. Once aware of this gap, the Government acted immediately to strengthen protections for personal information against re-identification by introducing these offences.The Bill deals with personal information that has been de-identified by an agency and generally made available. It would prohibit intentional conduct by an entity that re-identifies personal information de-identified by the responsible agency (proposed subsection 16D(1)) or discloses the re-identified personal information (proposed subsection 16E(1)).The sanction is a criminal penalty of up to two years imprisonment or 120 penalty units, or a civil penalty of 600 penalty units.
Irrespective of the re-identifying entity's intentions, where de-identified personal information has been re-identified the entity must notify the responsible agency that the information is no longer de-identified, cease any use or disclosure of the re-identified information, and comply with the directions of the agency about the handling of the information (proposed section 16F). The Bill provides for a civil penalty of up to 200 penalty units for failing to notify the responsible agency in writing, or for using or disclosing the information after it becomes aware that the information is no longer de-identified (proposed subsections 16F(3) and (4)).
The dissenting report by the ALP and Greens Senators argues that the Bill is a disproportionate response to the gap in the Privacy Act 1988, does not achieve the stated objectives and accordingly should not be passed -
The privacy of Australians is of paramount importance; however, a careful balance must be achieved between maintaining privacy, ensuring that government agencies properly de-identify datasets prior to its publication, and encouraging research into the areas of information security, cryptology and data analysis. The bill fails to provide a holistic response and neglects to consider the de-identification process and consequences for agencies for releasing datasets that have been poorly de-identified. As outlined by the NSW Office of the Privacy Commissioner:
...it places a disproportionately high onus on external recipients to be aware which released datasets are considered to have undergone a de-identification process. The proposed provisions do not appear to create corresponding obligations on the releasing entities to certify each released dataset as deriving from personal data or the treatment used to achieve the outcome of non-identifiable data.
Rather, if passed, the bill adopts a punitive approach towards information security researchers and research conducted in the public interest. In contrast, government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible. While the Privacy Act does not apply to most Australian universities, as outlined by Melbourne university researchers, the implications of the bill are not clear for researchers at the Australian National University, students, and individuals acting on their own initiative who happen to be university employees. Additionally, no consideration has been given as to whether an individual who re-identifies their own information, or their dependent's or client's information, should also be subject to the bill. The bill discourages research conducted in the public interest as well as open discussion of issues which may have been identified.
Labor and Greens Senators are opposed to the retrospective application of the bill and agree with the concerns raised by the Senate Scrutiny of Bills Committee and the Law Council of Australia that retrospective provisions offend a fundamental principle in the rule of law and that this is particularly acute in the case of criminal offences.
Moreover, while the Attorney-General has claimed that the retrospective application of this bill was made clear in his announcement on 28 September 2016, the submission by the Melbourne university researchers indicates a level of ambiguity. They explain that they had interpreted a commitment that 'all legitimate research would be allowed to continue [as opposed to] some designated research should be exempt'.
Labor and Greens Senators also disagree with reversing the evidential burden of proof. As justification for reversing the burden of proof, the Explanatory Memorandum noted that it would not be difficult for the entity to demonstrate that one of the exemptions apply and that it also reflects the seriousness of the prohibited conduct. However, as outlined by the Senate Scrutiny of Bills Committee, the fact that it would be easy for an entity to provide evidence that one of the exemptions apply, or conversely, that it may be difficult for the prosecution to prove that the exemption does not apply, is not sufficient justification for reversing the burden of proof. Also, it is not apparent that it would be particularly onerous for the prosecution to prove that the exemption did not apply. As such, the justification for reversing the burden of proof is neither reasonable nor appropriate.
The bill provides a disproportionate reaction to the identified gap in the Privacy Act. It neglects the initial process of de-identification and does not hold government agencies responsible for publishing poorly de-identified datasets. Instead it penalises public interest research and discourages open investigation and discussion of potential issues relating to information security. The disproportionate response is also evidenced through the retrospective application of the bill as well as the reversal of the burden of proof.The Coalition Senators commented
The government has outlined its view that the benefits of open data outweigh the risks of re-identification. This view was shared by the Productivity Commission in its draft report Data Availability and Use. This report stated that the risks of re-identification of data and harm to an individual were real and should not be trivialised, however noted that many of these risks could be managed with the right policies and processes. The report also noted that increasing data use does not necessarily put individuals at a greater risk of harm. It concluded that Australia stands out among other developed countries where information, particularly in the area of health, is poorly used and suggested that fundamental change was needed with the introduction of new legal and policy frameworks. These frameworks would work towards four key elements:
- giving individuals more control over data held about them;
- encouraging and enabling broad access to government datasets;
- increasing the usefulness of publicly funded identifiable data among trusted users; and
- creating a culture where non-personal and non-confidential data is released as a default
The Office of the Australian Information Commissioner (OAIC) agreed that a careful balance is needed between open data and privacy protections and warned that the bill, in and of itself, would be unlikely to eliminate the privacy risks associated with the publication of de-identified datasets. OAIC outlined the need to consider whether the risk of re-identification is sufficiently low for the data to be published openly, or whether other safeguards should be applied, such as making the data available only to trusted users with contractual or technological safeguards in place