Federal government agencies will need to seek consent before releasing personal information to other governments and the private sector if it feasible to do so under proposed public sector data sharing laws.
An exposure draft of the Data Availability and Transparency Bill, published this week, reveals a change to the Office of National Data Commissioner (ONDC) policy position that embeds consent within one of five data sharing principles.
The ONDC, which falls under the Department of Prime Minister and Cabinet, had previously said that consent should only be encouraged, as a consent-based model for data sharing “could create biases in data”.
It had instead proposed placing the onus on agencies and accredited users of the data by suggesting that “consent may be built into the application of the data sharing principles ... if it is practical and feasible”.
But following further consultation over the past 10 months, the ONDC said "the consent requirement has been elevated into the bill", rather than "only having the requirement in guidance on the application of the data sharing principles".
“Under the project principle, any sharing of personal information is done with the consent of the individuals, unless it is unreasonable or impracticable to seek their consent,” it said in the bill's consolation paper [pdf].
Where it is not feasible to seek consent - as defined by the Privacy Act - agencies will be able to dial up other privacy-enhancing measures in the data sharing principles.
This could include “using de-identified data where possible and undertaking a privacy impact assessment” (PIA).
Controlled data access scheme
Aside from additional consent controls, the proposed data sharing reforms are largely the same as what was presented by the ONDC in a discussion paper last November.
The bill sets out a controlled access scheme that will allow agencies to more freely share data with accredited entities across all levels of government, as well as industry, research and other private sectors.
The scheme, which will also consist of data codes and regulations developed by the ONDC, includes numerous safeguards such as the five data sharing principles to “manage risks and streamline processes”.
“The bill takes a principles-based approach to data sharing, providing parties with flexibility to tailor sharing arrangements, and ensuring the scheme can respond to evolving technologies and community expectations,” the bill’s explanatory memorandum [pdf] states.
“Modernising the approach to sharing public sector data will empower government to deliver effective services and better-informed policy, and support research and development.”
However, data will only be released if it is related to three purposes: service delivery, informing policy and programs and research and development.
The government has already ruled out using the proposed laws for compliance and assurance purposes to avoid another robodebt, which it has now built into the legislation.
“The bill precludes sharing public sector data for certain purposes, such as compliance and assurance activities, and other enforcement-related purposes,” it said.
The legislation similarly does not authorise the sharing of national security data, My Health Record data or any “especially sensitive data handled under other legislation or data that infringes intellectual property rights.
The bill will create an “alternate pathway” for agencies to share government data that overrides some 500 data secrecy and confidentiality provisions in 175 pieces of existing legislation, while allowing those pathways and mechanisms to continue unaffected.
Government agencies (data custodians) will only share public sector data with accredited users and accredited data service providers (ADSPs), which - as their names suggest - will be accredited by the national data commissioner.
ADSPs will perform data services such as integration on behalf of government agencies and accredited users to allow them to “share and use data safely”.
As part of accreditation, the national data commissioner will assess “prospective recipients of data and their capability to keep [data] safe”, as well as revoke or amend accreditation.
However, this process will “not guarantee data will be shared with a user for a particular project”, as the bill does not “compel” agencies to share data.
“Data custodians are responsible for assessing each sharing request, and deciding whether to share their data if satisfied the risks can be managed,” the explanatory memorandum states.
Government agencies will also have to enter “data sharing agreements” with accredited users and ADSPs that will be publicly available in an online register.
“These registers will provide insight into what data is being shared and why, who is accessing data, and how it is being safely shared,” the explanatory memorandum states.
Data custodians or users could face fines or jail for failing to comply with the data sharing requirements such as accreditation.
Alongside the draft bill, the ONDC has released the second independent PIA, which, while making several recommendations, is largely satisfied with the “high-level directions”.
The PIA, conducted by Information Integrity Solutions (IIS), assessed the privacy risks in the proposed data sharing scheme as “potentially high”, with large datasets to be shared widely.
“Data sharing of the sort that the draft would authorise, where it involves personal information, carries high inherent privacy risks,” the PIA states.
“It could involve large volumes of data used in a new context, removed from the settings in which the information was originally collected.
But IIS has concluded that “the draft... framework is strong”, acknowledging the “considerable work that has gone into designing privacy within the draft [bill]”.
“Its layers of defence have the potential to work together to identify and carefully manage privacy risks associated with any data sharing project,” the PIA states.
IIS noted a number of concerns around the “high-level principles-based approach”, which it said “provides clear signposts but not, by any means, roadmaps”.
“The fact that many of its key terms and concepts are not defined or detailed in the Bill was worrying to the stakeholders IIS consulted for the PIA,” it said, adding that it “shares many of these concerns”.
“However, it is also satisfied that provided the high-level directions in the draft are supported by clear, detailed and consistent rules, standards and guidance, the privacy impact of the draft ... should be reasonable and proportionate.”
The ONDC has agreed or agreed in principle to implement 10 of the recommendations to emerge from the PIA, including to develop guidance that articulates the permitted purposes of data sharing.
Consultation on the exposure draft will run until November 6.