A senate committee has urged the federal government to consider embedding further privacy protection guidance into proposed public sector data sharing laws that will make it easier for agencies to share data with third-parties.
Handing down its report [pdf] on Thursday, the government-led Finance and Public Administration Legislation Committee made three recommendations for minor changes to the Data Availability and Transparency Bill 2020.
The recommendations go to some of the security and privacy concerns raised by stakeholders during the course of the inquiry, though skirt crucial issues like de-identification by recommending that government only consider the change.
Labor senators have, meanwhile, denounced the legislation altogether, labelling the bill “deeply flawed” and suggesting the scheme will “undermine current privacy protections, most notably the Privacy Act” if passed in its current form.
The bill, which was examined alongside a complementary ‘consequential amendments’ bill, is expected to streamline how agencies share public sector data with other agencies and the private sector.
It will create an optional pathway, which overrides some 500 provisions in 175 pieces of existing legislation, for agencies to share data for three purposes: service delivery, informing policy and programs, and research and development.
In the report, the committee said that while it supported introducing a “proportionate and balanced scheme” for data sharing, it must be underpinned by robust security and privacy safeguards and protections.
“[The committee] is of the view that a proportionate and balanced data sharing scheme with appropriate privacy and security safeguards would help bring Australia into line with international best practice for data sharing,” it said.
“In particular, the committee is cognisant that a well-developed data sharing scheme has the potential to unlock benefits for the Australian community, as agreed by the majority of submitters to the inquiry.
“However, the committee is mindful that for a data sharing scheme to be successful and trusted by the community it must be underpinned by strong and effective safeguards and protections for privacy and security.”
The committee’s concerns centre on cyber security and the “covert influence of foreign actors in the university and research sector”, noting that universities are expected to be one of the core participants in the proposed scheme.
While recognising the existing safeguards in the bill, the report recommends that parliament be provided with assurances “regarding appropriate ongoing oversight by security agencies of data sharing agreements and potential security risks”.
It has also asked that the development of “any additional data codes and guidance material” take into account any relevant findings from the Parliamentary Joint Committee on Intelligence and Security inquiry into national security risks in the higher education sector.
“The committee anticipates that the Australian Government and the parliament will wish to be assured that in addition to upfront security assessment for data sharing participants… appropriate ongoing oversight is in place to manage and, wherever possible, mitigate security risks,” it said.
The committee also noted the privacy concerns raised during the inquiry, despite what it said was a “substantial effort” by the Office of the National Data Commissioner to “strike the appropriate balance”.
It has recommended that “consideration is given to whether amendments could be made to the bill, or further clarification added to the explanatory memorandum to provide additional guidance regarding privacy protections, particularly in relation to the de-identification of personal data”.
In it dissenting report, Labor senators Tim Ayres and Kimberley Kitching described the bill as “deeply flawed”, with “protections against the use of the bill for compliance purposes… weak given the broadly-framed purposes for which data can be shared”.
“While there is a clear need for an effective scheme for the management and regulation of public data, and clear public benefits from using such data, the measures outlined in the bill do not represent a proportionate means of achieving that objective,” the dissenting report said.
“If passed, the scheme outlined in the bill would undermine current privacy protections, most notably the Privacy Act 1988.”
Labor is also “concerned that the regulatory mechanism outlined by this bill is insufficient for the scope of the data matching scheme it creates”, namely that the Office of the National Data Commissioner (ONDC) is both the advocate and regulator.
“Labor Senators do not believe that the measures outlined in this bill represent a reasonable, necessary or proportionate limitation on the right to privacy.
“The scheme outlined in this bill does not deserve their confidence.
"This bill would undermine the existing privacy protections in favour of a poorly regulated system that is widely open for abuse.
"It amounts to a reckless treatment of public trust,” the dissenting report added.