Australia’s privacy watchdog has urged the government to introduce additional safeguards in proposed public sector data sharing laws that would require agencies to share only de-identified data if feasible.
The Office of the Australian Information Commissioner (OAIC) made the comments in its submission [pdf] to the senate review into the Data Availability and Transparency Bill, which is currently before parliament.
The bill aims to make it easier for the public sector to share data within government and across the private sector for the purposes of delivering government services and supporting research and development.
If passed, agencies will be able to share personal information and sensitive data they collect, as long as it isn’t “especially sensitive data handled under other legislation such as My Health Record data, COVIDSafe app data and national security data”.
Under the proposed law, agencies are required to seek consent before releasing personal information unless it is unreasonable or impractical to do so – a requirement that was missing from an earlier version.
Where it is not feasible to seek consent, agencies will be able to dial up other privacy-enhancing measures – as defined by the Privacy Act – in the data sharing principles, such as the use of de-identified data.
But the OAIC believes agencies should be required to share data “on a de-identified basis where possible, to minimise the privacy impacts of the scheme for individuals”, a position it has taken through the development of the legislation.
“The OAIC recommends that the bill include a requirement that data custodians must not share personal information where the data sharing purpose can reasonably be met by sharing de-identified information,” the submission states.
Similar concerns around there being “no requirements for sharing only de-identified data in the principles or elsewhere in the bill” were also raised by a senate committee in its initial scrutiny of the bill earlier this year.
Noting the “important privacy safeguards” that have already been embedded in the legislation, the watchdog has also called for a number of other key measures to “mitigate the risks posed by sharing personal information”.
“The OAIC considers that these additional measures are necessary to ensure the proportionality of the scheme and to achieve the trust and confidence of the community, which is vital to the success of the Data Availability and Transparency scheme,” it said.
For instance, it has recommended that the government amend the legislation to ensure all government agencies are subjected to the same data user accreditation requirements as the private sector.
As the bill stands, the National Data Commissioner is required to “automatically accredit” government agencies if they apply for accreditation, which OAIC said was a “significant” change to the scheme since consultation.
“The OAIC notes that this is a significant change to the accreditation framework for the scheme, which has not been previously consulted on,” the submission states.
“Accreditation plays an important role in ensuring that entities have appropriate processes, systems and procedures in place to support safe personal information handling practices.”
“The effectiveness of an accreditation framework rests on the accreditation criteria being set at an appropriate level and accreditation standards and processes being applied consistently across the scheme.
“A light touch or inconsistent approach to accreditation risks undermining the level of assurance that the framework is designed to provide. A robust accreditation process would provide a strong trust mark for the scheme.”
OAIC said an “upfront assessment” of each entity wishing to be accredited under the scheme was important, and that such an assessment should be “undertaken consistently in relation to all potential accredited entities”.
It pointed to the operation of the consumer data right’s accreditation process, which required an assessment of entities that wish to receive consumer data.
OAIC also used the submission to raise concerns about the separate Data Availability and Transparency (Consequential Amendments) Bill 2020, which proposes exempting the data released under the scheme from the Freedom of Information Act.
“The OAIC notes that this proposed amendment would effectively exempt any data that government agencies shared with each other through the scheme,” it said, adding it is “concerned the proposal is unnecessarily broad”.
“The OAIC recommends that consideration is given to this proposed consequential amendment to the FOI Act being removed, and that data that is shared by agencies under the scheme remains subject to the usual FOI processes.”