OAIC tells govt to fix its privacy before criminalising data re-identification

The government should focus on making sure it is properly protecting people's privacy before it attempts to criminalise researchers who point out that supposedly anonymous government data can be re-identified, according to Privacy Commissioner Timothy Pilgrim.

Pilgrim made the comments in a submission to a senate committee investigating the government' s Privacy Amendment (Re-identification Offence) Bill 2016. 

In October Attorney-General George Brandis revealed the government wanted to amend the Privacy Act to make it a criminal offence - with penalties of up to two years' jail - to reverse the de-identification of published government data after September 29 this year.

The bill also makes it a criminal offence to disclose that purportedly de-identified data is not really anonymous, and those who become aware that data can be re-identified are required to notify the relevant government agency as soon as practicable.

The laws would not automatically exempt researchers - like those who notified the Department of Health in September that anonymised doctor ID numbers could be decrypted, the impetus for this bill - from the offence.

Instead, Brandis would have the power to exempt an entity on a case by case basis if he considers it to be "in the public interest".

However, Pilgrim told a senate committee that the bill as it stands would not achieve its aim of protecting an individual's privacy.

"I recognise that the bill has the potential to be a privacy-enhancing tool by providing a deterrent against the intentional re-identification of certain datasets," he said.

"However ... I believe that the introduction of new criminal offences and civil penalties, in and of itself, is unlikely to eliminate the privacy risks associated with the publication of de-identified datasets. Rather, additional measures will be required for the policy objective of the bill to be supported."

He said it was agencies' responsibility to ensure they comply with the Privacy Act by making sure that personal information cannot be disclosed through open publication.

"I believe that the existing privacy capability of APS agencies to manage privacy risks may need to be strengthened," he said.

He suggested the government could improve its privacy stance by implementing an APS-wide privacy code that would make specific their obligations to privacy and encourage them to "move beyond a compliance approach and aim for best practice".

A code could require agencies to have a privacy management plan' dedicated privacy contact officers and privacy champions (senior government officials); to undertake and keep a register of privacy impact assessments; and to conduct regular training and audits of personal information-handling, Pilgrim said.

He also said it wasn't clear how the government planned to prove that information published by an agency was done so on the basis that it was de-identified.

Pilgrim suggested the government develop a central register hosted on data.gov.au that lists all the de-identified datasets agencies have published.

We're not trying to protect bad privacy practices: AGD

The Attorney-General's Department argued the laws were not an attempt to protect agencies who failed to properly anonymise data.

It claimed that agencies would be subject to the Privacy Act - which does not apply to de-identified information - in cases where data had been so poorly anonymised that it would not meet the Act's definition of de-identified.

It said the public service had worked to strengthen agency privacy by introducing a new "process for publishing sensitive unit record level public data as open data" document.

"This includes requiring the responsible agency to use a data privacy expert to develop a methodology to de-identify the dataset and a different data privacy expert to test the effectiveness of that methodology prior to releasing the dataset," the AGD said.

It also noted that the new bill would give the Information Commissioner the power to assess agency de-identification practices to "identify problems before they emerge".

Despite arguing that legitimate research would not be blocked under the proposed legislation, the department admitted that the public interest test the Attorney-General would undertake when deciding whether to grant someone an exemption to the law would be difficult to satisfy.

"... re-identification actively infringes the privacy expectations of individuals whose information has only been disclosed following a de-identification process," it said.

"As protecting an individual’s privacy is of upmost importance, research would generally only be in the public interest if it contributed in some way to enhancing protections for personal information (for example, testing for vulnerabilities in existing de-identification techniques or developing stronger techniques)."

Damage done

The AGD also admitted that once data had been publicly re-identified - despite any criminalisation - the damage would already be done.

"The release of personal information can have significant consequences for individuals which cannot be easily remedied," it said.

"In particular, once personal information is made available online it is very difficult—in many cases impossible—to fully retract that information or prevent further access."

The senate committee is due to present its report on the bill by February 7 next year.