Brandis wants two-year jail sentence for re-identifying govt data

Individuals and businesses who re-identify government data that has been stripped of identifying details face up to two years jail under new laws proposed today by Attorney-General George Brandis.

Under the bill, security researchers will not automatically be exempt from new laws, in spite of a pledge from Brandis last week that they would be protected.

Under the Privacy Amendment (Re-identification Offence) Bill 2016, reversing the de-identification of published government data after September 29 this year will be a criminal offence that can incur up to two years in prison and 120 penalty units ($21,600), or a civil penalty of up to 600 penalty units ($108,000).

The laws will not apply to government agencies, government service providers, or anyone who has been contracted to provide services on an agency's behalf, if within the course of their work. 

It will also be a criminal offence to publicly disclose revelations that supposedly de-identified data is not really anonymous, with the same maxiumum penalties in effect.

Anyone who becomes aware that published de-identified government data can be reversed is required under the legislation to notify the relevant agency in writing "as soon as practicable".

A civil penalty of 200 units ($36,000) applies to those who fail to do so.

But despite a promise to protect researchers, Brandis' legislation does not automatically exempt them from the proposed criminal "deterrants".

Instead, the legislation gives Brandis the power to make a determination to exempt an entity from the laws if he considers it in the "public interest".

It states the Attorney-General could exempt those specifically involved in cryptology, information security, data analysis, or any other research purpose he deems appropriate. The AG must consult with the Australian Information Commissioner before making any determination.

Government agencies are also required to inform the Information Commissioner as soon as they become aware that data has not been properly de-identified. The legislation also gives the commissioner the power to investigate. 

"... With advances in technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future," the explanatory memorandum states.

"The bill is intended to act as a deterrent against attempts to re-identify de-identified personal information in government datasets and introduces criminal and civil penalties for the prohibited conduct."

The introduction of the draft bill follows a data breach at the Department of Health in which researchers revealed anonymised doctor ID numbers could be decrypted.