Services Australia braces for ‘wholesale’ IT changes from privacy review

“Wholesale changes” to critical whole-of-government IT systems would be needed to accommodate proposed reforms to definitions of personal information under Australia’s privacy laws, Services Australia has warned.

The services agency responsible for Centrelink and Medicare made the comments in its submission [pdf] to the Privacy Act review, arguing that any legislative reform would require “significant” lead time.

As part of the ongoing review, the Attorney-General’s Department has put forward that the Privacy Act be amended to “require information to be ‘anonymous’ rather than ‘de-identified’ for the Act to no longer apply”.

The proposal reflects other proposed changes that would see the definition of personal information in the legislation altered by removing the word ‘about’ and replacing it with ‘relates to’.

In its submission, Services Australia said the proposal, along with the broadening of the personal information definition, would “likely impact on the ability to conduct research projects and customer journey analytics activities”.

Both activities are used to “inform the design of services to ensure they are accessible and customer focused”.

“This change is likely to have a significant impact on how/what data can be collected, stored, retained and referred back to as audit evidence if the information needs to be ‘anonymous’ rather than ‘de-identified", the services agency said.

“Given the conditions to meet the definition of ‘anonymous’, identifiers that can lead to an individual will need to be removed in a way that means they are not capable of being identified.

“This will require significant changes to ICT systems and controls around receiving customer information where the current requirement is for de-identified information only.

“Systems are currently built on the assumption that such identifiers are not personal information.”

Services Australia said major changes to systems would also be required if the definition of ‘collection’ under the Privacy Act was expanded to inferred and generated information.

“The proposal is to amend the definition of ‘collection’ to expressly cover information obtained from any source and by any means, including inferred and generated information,” it said.

“Expanding the definition would require extensive changes to infrastructure, systems and processes, including in relation to the administration of the whole-of-government platforms.”

The proposal may also require that information be tagged to “monitor where the data was collected from and under what circumstances (i.e. under what legislation if any) to determine for which purposes it can be used.

“This would be a significant exercise and likely not achievable for information collected to date and so should not apply retrospectively,” Services Australia said.

Services Australia has asked that if the definition of personal information is to be expanded, “clear and detailed guidance on the required connection with the information is needed”

“We recommend APP [Australian Privacy Principles] entities are provided with sufficient lead time to enable changes to systems infrastructure and processes,” it said.

“There is significant concern about the time needed and the cost to make the necessary changes required under proposal two.

“Large organisations with complex systems typically require significant lead times to implement wholesale ICT changes.”

Services Australia notes it has spent the last seven year redeveloping the Centrelink IT system to “introduce scalable online platforms that can be re-used across government”.

Other aspects of the reforms of concern to the agency is a proposal that would require entities to “take reasonable steps” to satisfy itself that information was originally collected from an individual where it sources information from third-parties.

“Personal information as defined, is not always originally collected from the individual to whom it relates; it could be created by an entity from which Services Australia collection information,” it said.

“For example, payroll and employment information which may be considered sensitive information if the definition is expanded to include financial information is collected by Services Australia from the Australian Taxation Office.

“The ATO collect such information about its customers from employers who create that information.

“This information is collected in accordance with legislation administered by the Department of Social Services.”

Services Australia sought reassurance that it could continue to access such datasets from other collecting agencies as it currently does, without having to repeat due diligence.

Updated 2:27pm