Govt data access should be gated, privacy assessment finds

A privacy impact assessment of the federal government’s planned public sector data sharing scheme has called for agencies to be subject to the same accreditation requirements as the private sector.

The independent PIA [pdf], released last week, is the third assessment of the reforms, which are bookended as the Data Availability and Transparency Bill (DATB) currently before parliament.

If passed, the bill will allow accredited users and data service providers (ADSPs) to access data for three purposes: service delivery, informing policy and programs and research and development.

Under the legislation, the National Data Commissioner (NDC) will be responsible for accrediting data users and ADSPs, with organisations wishing to access data required to undergo assessment and provide information to support their claim.

But as it currently stands, government agencies will not be subject to the same accrediation scheme and will automatically receive the tick of approval if they apply, with no avenue available to the NDC to refuse accreditation.

The bill instead assumes agencies “meet the accreditation criteria” as they are already “subject to relevant Australian Government policies and frameworks like the Privacy Act and the protected security policy framework.

“These measures ensure non-corporate Commonwealth bodies protect, manage and use public sector data appropriately,” the bill’s explanatory memorandum (EM) states.

Agencies are, however, still required to meet other protections under the bill, including formalising a data sharing agreement.

In the third PIA, Information Integrity Solutions (IIS) – which also conducted the second PIA – said that while such mechanisms were important, they would be “most effective in concert with accreditation”.

“Accreditation is fundamentally a preventative measure but, as currently formulated, risks operating as a reactive one (where something must go wrong before the [framework] is activated – for example, by suspending accreditation),” it said.

“It plays a different role to the data sharing principles and data sharing agreement but an important one and will be critical to ensuring that all entities are up-to-the mark… with their data handling.”

IIS said the inability for agencies to fail accreditation was “counter to the idea of accreditation as an independent assessment process” and would ultimately undermine its application as a “trust mark”.

Under this existing approach, for instance, the PIA said there is no way of knowing if an agency has recently suffered a serious data breach and whether the issues that led to it have been rectified.

IIS has urged that the bill be amended to allow the NDC to seek evidence from agencies to support their application for accreditation and refuse accreditation “where there are sufficient grounds”.

A similar recommendation has been made by the Office of the Australian Information Commissioner (OAIC) in its submission to the senate review of the bill.

The OAIC noted that it was a “significant change” to the framework that had “not been previously consulted on”.

“While it may be reasonable to streamline the accreditation process for non-corporate Commonwealth bodies, there must still be a process for assessing those bodies’ data handling practices and arrangements against the accreditation criteria,” IIS said.

“If the NDC cannot seek evidence to support an accreditation or refuse an accreditation application, the whole framework is weakened.”

In response to the recommendation, the Office of the NDC said that there was no need to amend the bill as the NDC has the power to impose a condition on the accreditation of a government agency.

“Under the provisions of the [bill], as introduced, in appropriate cases the commissioner may impose a condition on the user accreditation of a non-corporate Commonwealth entity,” it said.

“The imposition of a condition of accreditation could, to a significant degree, manage the risk this recommendation seeks to address, so the [commissioner's office] does not consider that amendments to the [bill] are required.

The PIA also reveals that only three of the 13 recommendations from a previous PIA have been addressed in the version of the bill introduced to parliament.

One of these is drafting the bill to “effectively exclude sharing for compliance and assurance purposes”, which was not previously clear.

“The [bill] now provides a list of enforcement-related purposes that are precluded purposes,” the PIA states.

“The explanatory memorandum notes that the enforcement-related purposes include a range of detection, investigation and law enforcement activities that would be best carried out under dedicated laws.”

Despite many of the previous recommendation yet to be addressed, and the “potential high” privacy risks as a result of the scheme, IIS “considers that the [bill] framework is strong”

“Its layers of defence have the potential to work together to identity and carefully manage privacy risks associated with any data sharing project,” IIS said.

But it added that the framework alone “will not be sufficient to protect privacy; whether it stands up to the task will critically depend on its implementation and assurance”.

“Some of the [bill's] strengths come with corresponding weaknesses. The [bill] takes a high-level principles-based approach. It provides clear signposts but not, by any means, roadmaps,” IIS said.

At a senate committee hearing into the bill on Tuesday, interim National Data Commissioner Deborah Anton said that she believed the government had “got the balance right”.

“I think there’s both increased benefits and increased risk and… I think this is really about have we struck the balance right, in terms of designing [the] control framework,” she said.