In 2019, we wrote about the Data Sharing and Release Legislative Reforms, which were part of the Government’s plan to ‘modernise’ and ‘streamline’ the way that it shares data between agencies. After releasing the Data Availability and Transparency Bill 2020 last year, the Government has publicly released submissions from concerned organisations about the potential for unfettered access to data by Government agencies and data users. In this article, we outline key concepts and issues that you should know, as well as the responses from significant interest groups who oppose the Bill as it stands.
What does the Data Availability and Transparency Bill 2020 (Bill) do?
The Bill establishes a scheme for the sharing of ‘public sector data’ by ‘data custodians’ to ‘accredited users’. The sharing of the public sector data must be done in accordance with the controls established by the Bill.
The Bill uses a principles-based approach and will be supported by secondary legislative instruments such as regulations, rules and data codes. There will also be guidance to provide details on the use of the scheme.
Who are the key players in the scheme?
There are several key players in the scheme:
- Data custodians – Commonwealth bodies who control public sector data and have the right to deal with the relevant data. A number of entities are excluded from the data custodian definition, including ASIO, the Australian Signals Directorate and the National Audit Office, among others;
- Accredited users – entities who have been accredited by the National Data Commissioner to receive public sector data from data custodians;
- Accredited Data Service Providers (ADSPs) – intermediaries who assist data custodians to prepare and share data appropriately; and
- National Data Commissioner – an independent regulator whose role is to provide advice and guidance on data related issues, as well as regulatory and advocacy functions in relation to the Bill. The National Data Commissioner also provides qualified entities with accreditation so that they can receive public sector data as ‘accredited users’.
How will data be shared?
‘Public sector data’ is defined as data lawfully created, collected or held by or on behalf of Commonwealth bodies, or ‘data custodians’. These data custodians may share such data with ‘accredited users’ either directly or indirectly through an ADSP. Accredited users do not necessarily need to be Commonwealth bodies. An accredited user can be any entity that satisfies the accreditation criteria and that has applied and has been approved by the National Data Commissioner.
There are several criteria for accreditation of both accredited users and ADSPs. These include, among others, the ability to manage data accountably and responsibly, apply the data sharing principles, minimise risk of unauthorised access, sharing or loss of data, commit to continuous improvement to ensure privacy and security of the data and comply with obligations under the scheme. Further, the Minister has the power to provide additional criteria they consider appropriate. It is important to note that certain Commonwealth bodies automatically gain accreditation upon application to become an accredited user, rather than having to satisfy the criteria.
In some circumstances, accredited users may on-share with third parties data that is the result or product of their use of the public sector data they have received from data custodians, if permitted by data sharing agreements and not prevented by any other law.
What are the controls established by the scheme?
- Data sharing purposes: Public sector data may only be shared for ‘permitted data sharing purposes’, which include the delivery of government services, informing government policy and programs, and research and development. These permitted purposes are intentionally broad. There are specific precluded purposes, and these include enforcement-related and national security purposes and where sharing of public sector data would infringe certain rights such as copyright, intellectual property rights, contractual rights of data custodians, common law duty or privilege, Governmental immunity or privilege or where the sharing would be a breach of confidence of commercial information.
- Data sharing principles: The five data sharing principles act as one of the key layers of safeguards. The principles are:
  - Project principle – data is shared for an appropriate project or program of work;
  - People principle – data is made available only to appropriate persons;
  - Setting principle – data is shared in an appropriately controlled environment;
  - Data principle – appropriate protections are applied to data; and
  - Outputs principle – outputs are as agreed.

  These principles guide how risks should be assessed and managed. The principles are relatively broad and would permit a degree of discretion when determining whether the sharing of public sector data is permitted under the Bill.
- Data sharing agreements: Data sharing will be formalised through data sharing agreements that detail what safeguards are in place. Data sharing agreements must include the minimum mandatory terms set out in the Bill. The mandatory terms are not prescriptive, but again, are principles-based. For example, a mandatory term includes the requirement to specify how the data covered by the agreement will be dealt with when the agreement ends. The National Data Commissioner will publish specific details of agreements to promote transparency and accountability.
How does the Bill interplay with other laws, particularly the Privacy Act?
Section 23 of the Bill provides that the authorisation for data custodians to share data overrides other laws that would otherwise be contravened by the sharing, with some exceptions. That is, the data sharing scheme will take precedence over other laws and regulations. One exception is where a provision of a law prescribed by the regulations prohibits the sharing. However, as the regulations do not yet exist, we will have to wait and see what laws will form part of this exclusion. A mandatory term for a data sharing agreement includes the requirement to specify any law that the sharing of data would contravene, but for section 23 of the Bill.
In terms of privacy, the data sharing principles state that any sharing of personal information should be done with the consent of the individual unless it is unreasonable or impracticable to seek their consent. It should also be noted that the principles state that the sharing of personal information should be minimised as far as possible without compromising the data sharing purpose. These principles seem to conflict to some extent with the express provision in the Bill which states that nothing in the legislation will affect the operation of the Privacy Act 1998 (Cth) (Privacy Act) where a relevant entity in the data sharing scheme is an APP entity.
The interplay between the data sharing scheme and the Privacy Act will likely be an evolving issue that should be closely monitored. It is interesting to note that the Office of the National Data Commissioner has also clarified that Australian Privacy Principle 7 – Direct Marketing, as well as competition and consumer laws, will continue to apply. It did not, however, address how the remainder of the Privacy Act, particularly Australian Privacy Principle 6 – Use or disclosure of personal information, will operate alongside the data sharing scheme.
How has the Bill been received?
There has been considerable debate about the Bill, in particular, whether it erodes individuals’ rights in the Privacy Act. Throughout March, the Senate Standing Committee on Finance and Public Administration received submissions on the Bill as it stands, after amendments to the Bill were made late last year. While there has been some support for the Bill, particularly from research organisations and others that benefit from the Bill, significant opposition has emerged from a variety of groups. These include the Office of the Australian Information Commissioner and the Law Council of Australia, as well as a bipartisan group of senators questioning the lack of detail and absence of privacy safeguards.
The main concern resulting from the Bill is its apparent overriding of APP 6. The Bill appears to contradict the principles in APP 6, specifically that information may only be used or disclosed for the purpose for which it was collected, or if an exception applies. Although enactment of the Bill would provide an exception to APP 6, the provision of public sector data for a myriad of purposes is inconsistent with the framework of the APPs and an individual’s likely expectations of how their personal information will be used.
Another key concern arising from the submissions is that there are no minimum privacy protections. Data custodians are permitted to determine the level of privacy measures taken when sharing data with accredited users. The vagueness of the Bill and lack of oversight on how data custodians share public sector data is likely to cause issues relating to lawful use and disclosure of data and to affect the public’s trust in the Government’s protection of their personal information.
Further issues raised by interest groups include the lack of an “opt out” for individuals who do not wish to disclose their personal information under the scheme and the inherent subjectivity of the “principles-based” approach, where data custodians may theoretically use data on a discretionary basis.
Those who provided submissions also detailed sector specific concerns over the Bill. These include:
- The risk of health data being shared with private health insurers (Australian Medical Association);
- The medical records of people in detention not being provided the same privacy protections as others (Public Interest Advocacy Centre); and
- Lack of protections for Indigenous public sector data which may affect the cultural safety of Indigenous data and undermine and further exclude ATSI people from decisions relating to their data (Indigenous Data Network and National Aboriginal Community Controlled Health Organisation).
Key recommendations from interest groups
Many submissions also provided recommendations to improve the operation of the Bill. The most frequently occurring recommendations include:
- Introduction of minimum privacy provisions and carve-out for APP 6 to ensure protection of shared data;
- Explicit requirements for the de-identification of personal information before disclosure where possible;
- A test to assess whether the disclosure of information is in the public interest;
- Definition of “unreasonable or impracticable” to better clarify circumstances where consent cannot be obtained;
- Removal of the automatic accreditation for Government agencies, who will instead have to be accredited through the same process as private entities; and
- Better mechanisms for decisions on data sharing to be subject to merits review by the AAT.
The Data Availability and Transparency Bill 2020 marks an interesting shift in the privacy, control over, and sharing of, public sector data. At a time when the community is becoming more concerned about the safety and protection of personal information, this Bill seems at odds with expectations of how the Government manages, uses and discloses data. We will continue to monitor the progress of the Bill and provide updates as they arise.
Authors: Catherine Gamble, India Monaghan and Melissa Fai