Brandis says white hats will be exempt from data law changes

By on
Brandis says white hats will be exempt from data law changes

Criminal offences won't apply to researchers.

The federal government has promised to protect those who bring data security flaws to the Commonwealth's attention after a backlash to its proposed changes to privacy law.

Attorney-General George Brandis late yesterday announced he intended to make it a criminal offence to re-identify government data that has been stripped of personal details.

The trigger for the sudden announcement is understood to have been a data breach at the Department of Health that was revealed today, which saw anonymised doctor ID numbers decrypted by academics testing the quality of the department's encryption methods.

Under the government's proposed changes to the Privacy Act, it would be an offence to "counsel, procure, facilitate, or encourage anyone" to re-identify anonymised data.

Similarly, publishing or communicating "any re-identified dataset" would be considered a criminal offence. The changes, if they are passed, will apply from September 28, 2016.

But the amendments have drawn the ire of the IT security industry and privacy advocates who say researchers legitimately reporting encryption and anonymisation shortcomings with government data could get caught in the crossfire.

The Department of Health was notified of its own data flaw by a team of researchers from the University of Melbourne, who, under the new amendments, could potentially have been considered to have broken the law.

Brandis is yet to release the text of his proposed amendments.

Following the backlash, the Attorney-General today promised the amendments would enable research to continue, without providing any further detail.

“The amendment to the Privacy Act will ensure that valuable research based on analysis of de-identified datasets published by government can continue, while also ensuring appropriate protections for the privacy of citizens," a spokesperson for Brandis told iTnews.

"The need for researchers to test the effectiveness of de-identification techniques or conduct other research into encryption or information security has been considered and will be addressed in the legislation.

"There will be provisions made for legitimate research to continue.”

The Attorney-General has been contacted for more detail, including on when the text will be released and what notification requirements researchers will be required to adhere to.

Copyright © . All rights reserved.

Most Read Articles

Log In

|  Forgot your password?