Give consumers more power over their data: Productivity Commission

Australian consumers would have far greater control over how their personal data is collected and handled under reforms proposed by the Productivity Commission.

The commission today released its draft report on the country's approach to data usage [pdf] following a six-month inquiry, recommending sweeping reform to overhaul Australia's lagging efforts in data availability and use.

It found that a "lack of trust and numerous barriers" to sharing and releasing data were hindering effective use of the country's data, pulling it behind international counterparts.

The commission said individuals should be given greater control over data that is collected on them through a new "comprehensive right" that would give them power to view, access and request edits on their data.

The right would include the ability to order service providers to transfer a copy of their data, safely, to another private sector operator - for example, medical records to a life insurance company.

Individuals would also have the right to be advised of disclosure of their data to third parties, and be given greater choice to opt out of data collection.

"In the private sector, opting out of data collection may well mean that a particular product or service is no longer available or no longer free to that consumer. But consumers must, in the ever-expanding world of data opportunities, be able to make that call for themselves," the Productivity Commission said [pdf].

The ACCC should be tasked with overseeing the new consumer right framework, it said.

In government, agencies should be required to provide "broad access" to datasets deemed to be of national interest, the commission said.

It recommended the introduction of a Data Sharing and Release Act that would apply across Australia to all digital data.

The act would govern use provisions of national interest datasets, streamlining access and potentially allowing for cross-dataset linkage.

The commission highlighted business registries and public expenditure datasets as examples of those that could be classified as national interest and therefore publicly released.

"Apart from giving entities ‘permission’ to publicly release data while managing risks, it forms the basis for a new lens through which to view data availability and use: the lens of a valuable asset being created, not merely a risk or an overhead," the Productivity Commission said.

The commission also recommended the introduction of a new statutory officer role - a national data custodian - and associated office to operate as a parallel of the Information Commissioner for data access and use.

The NDC would have oversight of the national data framework and be involved in deciding which datasets are of national interest.

The individual would also have the power to appoint new "accredited release authorities" (ARAs) proposed by the Productivity Commission.

These authorities would be ultimately responsible - working on advice from the NDC - for deciding whether to release a dataset to the public, or limit it to trusted users. They would also manage the sharing of datasets that contain identifiable data between trusted users in the public sector.

The commission suggested the ARAs would mostly be existing public sector agencies that have a "long track record of trusted data management", but which would receive extra funding under their new status. It specifically suggested the Australian Institute of Health and Welfare as an example of a potential ARA. 

The Productivity Commission criticised the government for a poor record of understanding the demand for data and in making de-identified datasets publicly available.

"There needs to be a shift in emphasis from only releasing data on request for particular projects, toward actively pushing data out in a coordinated way," it said.

"In principle, all datasets in fields where there are burgeoning opportunities and capability would be opened up and released, as resources and sectoral demand allow."

The commission said while there were undoubtedly risks involved with releasing and sharing more data, these were manageable with the right policies and processes.

"Systems and processes can and should be developed to identify, assess, manage and mitigate risks related not just to data release and sharing, but also data collection and storage," it said.

"Where it is not possible to reduce risks to an acceptable level, the approach being advocated by the commission would not support release of the data."

It said "marginal" changes to existing legislation and approaches for data usage would not be enough.

The Productivity Commission taking submissions on its draft report until December 12. It plans to release its final report on March 21 next year.